Two-factor auth receiving codes on email/sms

Comments

10 comments

  • Draco
    That's basically E-mail verification when you log in from a new location
    0
  • mesub
    It would defeat the purpose of 2FA
    -4
  • Ness
    I don't think that would be a good idea 🤔
    -4
  • Kenai

    Discord is the only company I know about that doesn’t have this.

    0
  • ┻━┻︵╰(°□°)╯︵┻━┻

    Apparently my post about the same subject has been merged with this one so I'm just gonna leave my full opinion here as well.

    With the recent "threat" of the July 27th Discord Attack I believe we could use the option to authenticate via E-mail, even if they aren't serious or it's nothing to be too concerned about. Considering not all members actually have mobile devices to use these apps, yes not everyone has a phone/tablet/etc., to defend their accounts (Authentication apps are not downloadable on PC, at least not the reputable ones that I'd trust (i.e. Google/Microsoft/Authy)) (Authy actually does have a desktop app but still REQUIRES a mobile phone number). I've got a few friends who are worried but can't put two-factor on their accounts due to a lack of a mobile device that can run an authenticator.

    If we could have an e-mail authentication option that would resolve the need for an authentication app for some users and should still remain very secure as long as the user's e-mail & Discord passwords are different, which should be common sense. Additionally even if you can set up an authentication app they can easily result in the loss of an account should you lose/break your mobile device or uninstall without disabling authentication first. Meanwhile, your e-mail would still be available even if your mobile device was broken/lost and you could still access Discord somewhere else.

    Additionally E-mail authentication could be implemented as a mandatory part of all Discord accounts, unless another form of 2FA was in use instead, then it should in theory solve many future security risks.

    If you agree with this idea please give it an up-vote, share a link to this page with your friends & Discord servers, and give any feedback so we can convince Discord to implement this feature.

    6
  • ┻━┻︵╰(°□°)╯︵┻━┻

    @mesub
    No it's another option of 2FA for those who don't want to/can't use a 2FA app.

    @Ness
    I truly believe we could only benefit from an E-mail 2FA option. Assuming the user has common sense to use different passwords on their Discord & E-mail this is a great option for extra security.

    0
  • ┻━┻︵╰(°□°)╯︵┻━┻

    @Draco
    A friend actually pointed out last night that there is a requirement to E-mail verify when you log in from a new device/location, but I have NEVER had to do this in any of my log-in attempts from multiple devices since I joined Discord. I still think we need an E-mail 2FA system anytime you log in, whenever you try to make a major change, or view your most private info on Discord. Not just for new sign-in locations/devices, and seeing as how I've never received a verification E-mail it may not currently be a reliable means to protect accounts at time and I still believe we need a full 2 Factor Authentication E-mail option.

    0
  • Dany-LF
    I don't think that's good for security reasons
    -3
  • Echowolf97

    An emailed method shouldn't be an issue if you have personally set up the email to 2FA with. Any further issue is at the hands of the account owner. For example my login is email1@g.com so I set up my 2FA with email2@g.com to protect the account.

    0
  • Asthetic

    Email/SMS isn't 2FA. Email/SMS is just another knowledge factor, it's basically like having two passwords for one account instead of one. The second factor is possession factor, you need to have something to prove who you are, such as a phone with a 2FA app or a Yubikey, etc.

    The problem with SMS/Email is that if that account can be compromised, then the Discord account can be as well. Discord has to act as if all email addresses are compromised because they cannot prove that they aren't. By using a 2FA app, Discord controls the auth flow and can prove that you've entered your password and your 2FA code.

    https://searchsecurity.techtarget.com/definition/authentication-factor

    Edit:

    Another reason why this is a bad idea is because it makes users think their accounts are safe when they are not.

    There have been news stories of people "SIM hijacking" people in order to get their SMS authentication text messages. Using this people were able to steal millions of dollars from people's bank accounts. Not to mention that emails and SMS messages can be intercepted unless encrypted.

    0
