[All Platforms][Other] 2-Factor Authentication

Spotify should, as a matter of good practice and safety, implement 2-step authentication.


Previously, Spotify enabled the option to log out all sessions other than the current one.


This would prevent hackers from stealing accounts, which would additionally lead to fewer account hacks and less work for Spotify employees assisting in these cases.


More info: https://twofactorauth.org

Updated on 2018-10-18

Hi everyone, thanks for bringing us your feedback in the Spotify Idea Exchange. We’re ready to mark this idea as ‘Under Consideration’. 


We are currently investigating various solutions for account security for our users, e.g. 2-factor authentication. Any news regarding user-facing security updates will be posted to this thread as a status change.


If you'd like further information about protecting your account please visit our Support Site here.

Comments
t3chfre4k

@mychaelconnolly


I totally agree.

Multi-factor authentication adds an additional layer of security to the login process by requiring users to provide two or more forms of identification, such as a password and a fingerprint or a password and a one-time code sent to a phone. This makes it much more difficult for hackers to gain unauthorized access to user accounts, as they would need to have access to multiple forms of identification.

A company with hundreds of millions of users that does not use multi-factor authentication is at a higher risk of security breaches, as hackers may be able to gain access to a large number of user accounts with just a single set of login credentials. This not only puts the company's reputation at risk, but also the personal information and data of its users. Additionally, the company could also be liable for any financial losses or damages suffered by users as a result of the security breach.


There are several laws and regulations that may require companies to use multi-factor authentication, depending on the industry and location.


In the United States, the Payment Card Industry Data Security Standard (PCI DSS) requires multi-factor authentication for remote access to cardholder data by employees, as well as for certain types of transactions, such as those made with a card that is not present.

In the healthcare industry, the Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities and their business associates implement technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). This may include multi-factor authentication for remote access to ePHI.


In the European Union, the General Data Protection Regulation (GDPR) requires companies to implement appropriate technical and organizational measures to protect personal data, including using multi-factor authentication where appropriate.


Additionally, there are other laws and regulations, such as the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation, that require multi-factor authentication for certain types of transactions, such as those involving banking and financial services.


Spotify, as a streaming service provider, may not be subject to the same laws and regulations as a company in the financial or healthcare industry. However, it still collects and stores personal information of its users, such as their name, email address, and listening history. Therefore, it's important for Spotify to implement appropriate security measures to protect this personal information, including multi-factor authentication, to protect the integrity and confidentiality of their users' data.


Spotify also accepts payment for its premium services, so it could be considered a company that handles payment information and would be subject to the Payment Card Industry Data Security Standard (PCI DSS), which requires multi-factor authentication for remote access to cardholder data by employees, as well as for certain types of transactions, such as those made with a card that is not present.


While Spotify may not be subject to the same specific laws and regulations as a company in a heavily regulated industry, it is still responsible for protecting the personal information of its users and should consider implementing multi-factor authentication as a best practice for ensuring the security of user accounts.


Ignoring customer demand for a security feature such as multi-factor authentication for an extended period of time could be seen as a lack of concern for the security and privacy of their users. This could be considered bad conduct of service, as it suggests that the company is not taking the necessary steps to protect its users' personal information.


It's important for companies to stay up-to-date with industry best practices for security, and to respond to customer demand for features that can help protect their personal information. In this case, if Spotify has ignored customer demand for multi-factor authentication for an extended period of time, it could be perceived as a disregard for the security and privacy of their users.


Regardless, if Spotify has ignored customer demand for multi-factor authentication for over 8 years, it is highly recommended that they consider implementing this feature as soon as possible to ensure the security and privacy of their users.


Customers who are concerned about the lack of multi-factor authentication on Spotify's platform may have several legal options available to them. However, it is important to note that the specific legal options available will depend on the laws and regulations in the jurisdiction in which the customer resides, as well as the specific circumstances surrounding the case.


It's also worth mentioning that customers can express their dissatisfaction and demand for this feature through social media, customer support and other communication channels, to put pressure on the company to implement this feature. But since this has now been done for 8 years, maybe some would consider the following:


One option available to customers is to file a complaint with the relevant regulatory body or government agency. For example, in the United States, customers may file a complaint with the Federal Trade Commission (FTC) if they believe that Spotify has engaged in unfair or deceptive business practices.


Another option is to take legal action against Spotify. Customers may be able to file a lawsuit against the company for a failure to provide reasonable security measures to protect their personal information. This would require proving that Spotify had a duty to protect their personal information, that Spotify failed to fulfill that duty, and that this failure caused the customer to suffer some sort of harm.


Additionally, customers can also consider taking collective legal action with a class action lawsuit. This is when a large number of people sue a company together, and can be a more efficient way to pursue legal action.


It's important to consult with legal professionals to understand the specific legal options available in your jurisdiction and circumstances.


Drimnu

This reasonable feature request is now eight years old!
🎂🎂🎂🎂🎂🎂🎂🎂

I look forward to MFA being implemented sometime before Spotify reaches the age of majority.
Or before it goes the way of Myspace, whichever happens first.

Fayhem

This request is literally eight years old. How is Spotify still not able to give us this? Why should anyone continue to pay for such a cheap app that can't implement even the most basic features?

Flagg2kj

For myself, I’ll give Spotify 7 months. No MFA, then I cut the service and go with the Fruity Co. in time for the holidays. At the very least they care about security. The only thing I’ll miss is the crossfade feature 😞

Exactly. It’s in extremely poor taste that in this day and age Spotify STILL hasn’t implemented basic security measures like this.

I’m of the opinion that at this point we should all just say **bleep** it and not renew premium until they get off their asses and implement MFA/2FA, and if they don’t then we just switch to using a different service that actually gives a damn about protecting their users’ accounts and data.

In all honesty, Spotify should 100% be subject to legal ramifications for their continued disregard for security and the requests from their users.

I personally won’t be renewing my premium now it’s expired, and if by the end of the year they STILL haven’t implemented MFA/2FA I’ll move to a different service and delete my Spotify altogether.

SaschaG1

I decided to contact support directly again this week on this issue. And believe me, I often get right on the support's nerves about it. This time not via Twitter, but by mail. The following constellation has arisen, translated into English by deepl.

Request to Spotify:


Hello Spotify Team,

I'm always trying to find out, on the channels you guys offer like this one, how it *finally* looks with two-factor authentication.

It's about the following live idea: https://community.spotify.com/t5/Live-Ideas/Security-2-Factor-Authentication/idi-p/1017889

Once again, I ask you for a very honest answer to the question: is 2FA coming and if so, when? And if not, why not. I ask not to get a 0815 standard copy-and-paste answer. I and the by now more than 7,800 upvoters have heard this kind of answer more than enough, and it is very tiring.

The ignorance that the Idea team addresses on the subject is beyond words by now.


Response from Spotify:

Hello [name],

Thank you for contacting us. We're glad to hear that the idea of two-factor authentication is of interest to you.

Other listeners seem to like this idea as well. We have made sure that your feedback will be forwarded to the appropriate team and your opinion will be taken into account in future updates. However, we can't tell you exactly when new changes will be made. We do recommend that you always keep the Spotify app up to date.

If you need any further support, we'll be happy to help.

Best regards


My response:

Hello [supporter name],

and this is exactly the type of response I did not want to receive. This is unfortunately a copy-paste standard mail...


Response from Spotify:

Hello [name],

Thank you for your feedback.

Don't worry, as mentioned earlier, we have forwarded the information to the appropriate team. We are not allowed to share any further information. We ask for your understanding.

If you have any further questions, please let us know.

Best regards


As far as 2FA is concerned, I'm basically drawing my conclusions for good.

At this point it’s clear that Spotify is writing our concerns about security off and most likely won’t bother to implement 2FA.

What I’m gathering from the generic copy-paste responses from Spotify and the timeframe since we first asked for 2FA is that they WILL NOT implement 2FA unless we literally force them to do so in order to avoid legal ramifications for failing to appropriately secure user data.

We need to be spamming their app in the App Store/Play Store with 1-star reviews regarding this, and even go so far, I would say, as to report them to our local authorities that handle making sure services properly secure user data, for continuing to fail to do so.

This is appalling behaviour from Spotify, and if we band together in this and kick up enough of a stink over it that it makes Spotify appear to be absolute **bleep** as a service, we might just have a chance.

Shame on you, Spotify.

azzabar2003-us

This is absolutely needed. Spotify accounts get hacked and stolen every day just like mine was. Spotify needs to offer a better way to make customer accounts more secure. Thank you.

Merchan92

I want Spotify to add a 2-step verification option to secure our accounts. Today someone hacked my account, and even though they couldn't steal any personal or sensitive data (like my credit card info or such), I still had my playlists meddled with. Recovering my account was easy due to the Log out of every device option + a Password change, but still, this shouldn't happen, and in 2023 I find it incredible for one of, if not the most, significant music streaming apps not to have a 2-step verification option. Please implement this as soon as possible before something really bad happens to someone (or their account) due to the lack of this simple additional security measure every other service/app has nowadays.

Just emailed Spotify directly and will update on their response.

This is what I have sent:

“I’m emailing directly to voice my immense displeasure at the shoddy state of Spotify’s account security and continued failure to implement two-factor authentication in order to sufficiently secure users’ accounts.
Myself and many other users have repeatedly suffered unauthorised access to our accounts, and no amount of changing our passwords will effectively eliminate this problem.
Two-factor authentication WILL address this security problem.
Users have been asking for this security feature since AT LEAST 2018, as evidenced in this community thread:

[Linked to this thread]

It’s now 2023 and you STILL haven’t implemented this basic security feature. It also appears that Spotify is blatantly disregarding and ignoring user concerns regarding the lack of two-factor authentication and shoddy account security.
When we contact Spotify on this matter, the only responses we are receiving are generic copy-paste empty assurances.
I, like many other users, am quickly becoming fed up with this dismissal by Spotify.
Spotify’s behaviour (or lack thereof) has made me and no doubt many other users lose faith in Spotify and the Spotify team, and it’s becoming abundantly clear that if we want decent account security our only options are to leave Spotify and move to an alternative music service that actually listens to its users and appropriately secures accounts, OR to force Spotify to implement appropriate account security through legal action.
At this point I am strongly considering looking into reporting Spotify to my local relevant authorities for the continued and prolonged failure to implement appropriate account security measures.
You can only dismiss the concerns of your users for so long before we get sick and tired of your lack of communication, lack of action and generic excuses.
Do better.”

Here is the response I received, which is a bit less copy-paste generic garbage than usual:

“Hi there,

Thanks for reaching out. We understand that you'd like to have a requested feature be implemented on Spotify. We'll shed some light with you regarding this.

We're sorry to hear you're unhappy. We’re always working on new ways to improve Spotify and really appreciate your feedback on this!

We hope you’ll continue to use the app and find it gets better in future.

While we can’t confirm if or when this is due to be released, it’s the sort of thing we talk with our product teams about. We'll make sure your voice is heard in those discussions.

As soon as we’ve got anything to announce, we’ll let everyone know via the Spotify Community.

If you have other questions or concerns, we're just an email away.

Until then,”
Honestly after their behaviour I don’t buy that they are actually considering it but hopefully if enough of us threaten legal action they’ll do something at least.