Fixing 2FA

Comments

130 comments

  • Aludian

    Almost 2022, still holding out for a fix for legit account owners to get their Discord accounts back. Email backup codes, which were already generated, should be possible. Many other services allow the email on record to receive account access information. I can't imagine how many thousands of these unrecovered accounts are out there.

    8
  • EliteFury

    Discord should really fix this issue. Hoping that it would get fixed soon.

    7
  • Tear

    Lost my main account almost 2 years ago. Discord still refuses to just disable 2FA on that account, even though I have full access to the email linked with that account. I don't think they're going to fix this issue.

    3
  • HADFA

    I think this is the end of my old Discord account. 😢

    1
  • 'RaNa-Rocxs

    I have the same problem. I reset my phone fully and lost my Google Authenticator, and I also lost my backup codes. :( R.I.P. account.

    This is my Discord account name: 'RaNa-Rocxs#8885

    Please help me to recover my account.

    1
  • Ema

    Just got locked out of my own Discord because I had to reset my phone and lost all data for my 2FA codes. I've been trying to reach out for proper help, but they send the same copy-pasted reply.

    It's a 4-year-old account and it's the owner of a couple of servers; losing it permanently won't just damage my account but the servers connected to it too :(

    Discord really needs to look into this nightmare of an issue. It's a freaking flaw in their system that clearly needs to be fixed really soon.

    7
  • CJSmith

    I think the root of this problem is that Discord treats accounts as things of minimal value. When we had really new users, it was quite common to see them stand up three or four accounts until they figured out how to correctly claim them. If Discord started out with a strong setup mechanism, then I think they would be in a better place to deal with this. That might mean that you don't get to just jump in and use it - without a confirmed email, and a reasonably strong password, you don't get in. Period. (Sorry.)

    That said - when you are looking at the problems above, you need to think like the bad guy. If someone gets access to your phone's SMS messages, or your email, do you want them to be able to take over your Discord account? The point of 2FA is to prevent something like Gmail access from being enough to get to your other accounts. If you want your Discord account to be recoverable using email - then don't use 2FA. If you do have 2FA, and your account can still be recovered using only email -- then it isn't really 2FA, and likely is not worth doing in the first place.

    Another detail is that Discord does not appear to have a big revenue stream compared to many of the other services discussed here. There is no advertising, and the pay-for-this options are likely only used by a few people, so they are paying for all that infrastructure. The few ways of recovering an account that is 2FA protected require some serious time and effort on the part of the staff dealing with this. It can't be automatic. Google has such processes - and the money to fund them. And even there, they do not provide any guarantees that you will get back the access. There's no good solution for that.

    Although it won't help the people already in this situation, Discord should radically bump up the language around setting up 2FA. That at least is cheap to do. Be blunt. "Have you printed out your backup codes and stored them safely? Do you understand that access to your email will NOT be enough to recover your account access if you lose your 2FA device?" (And you need to actually answer "yes" to the questions.) Ultimately using 2FA properly requires planning ahead, and although the users need to do that, it is up to Discord to make sure they are aware of the consequences of not doing it.

    4
  • Soundwave 2.0

    You know, I can log into my account with a lockout here, but I can't get into my main account. They need to take off the 2FA; it does not help, you can still be hacked, and then after that you would lose everything you have. I had Nitro; now I'm locked out of my account. I had all my friends on there and so on, and now it's ALL gone just from me resetting my phone over it being hacked. Now I lost my account. Discord, please fix this. I might just stop using Discord; this is just out of hand and needs to be fixed, and fast. If you are using an email that your account is a part of, it should not be hard just to use that and get your account back, but they still choose to say take down your account. Then you need to fix this; it is a MUST fix thing. You will just lose people, and after you lose a lot of people over 2FA you will then take it down, but it could by then be too late.

    5
  • Soundwave 2.0

    So I just found out: GO INTO BACKUP CODES (if you're still logged in), then go to your Gmail, go to spam, and you will see that Discord has sent you your BACKUP CODES.

    -2
  • Rogey10x

    OMG, this wouldn't be a problem if we were still logged in. FFS.

    4
  • Rogey10x

    So apparently Discord won't override 2FA because you could be a hacker... but will totally work with the hacker to delete your entire account... WTF!!!

    5
  • Рогатая

    I need this update!

    2
  • sitrik

    Bump

    2
  • mazzystarred

    Discord should implement email verification for 2FA lockout recovery methods.

    The authentication app linked to my account had an update and it removed all user data - now tell me how that is MY FAULT? None of the backup codes would work, and I assume it's because it doesn't recognise my account at all.

    Discord already has their rigid policy and 'solutions' to this, so I contacted the authenticator app's devs and they pretty much said, "We can try investigating it, though it'll be unlikely to retrieve the data back. In such cases, all websites should have alternative ways to access the account, such as through email recovery."

    !!!

    So, now I'm just stuck and hoping Discord will implement email verification for 2FA lockout ASAP. It's actually so annoying when this could be done in a simple fix.

    12
  • mazzystarred

    Here's a LOGICAL solution mentioned by some users previously.

    So first of all, this is what Discord offers if you're in a lockout:

    Discord:

    ❝ Unfortunately, we aren't able to remove two-factor authentication from accounts due to security reasons, and the only way you'll be able to regain access is if you saved the backup codes from inside Discord when you initially set up the two-factor authentication. If you don't have access to these codes, then you'll have to create a new account.

    On the other hand, if you're unable to disable the 2FA and you would like to permanently delete the account, could you confirm and explicitly tell me the registered email address that you want removed? I'll be more than happy to get the process started for you. For example, you could respond by writing, "I confirm that I would like to delete the account associated with random@email.com." depending on your email address.

    Note: We need to receive the account deletion request from the email address associated with the Discord account to protect our users' privacy and security. After we receive this confirmation, we can start the process manually which may take up to 15 days to complete. ❞

    ---

    From their current policy, there's a logical inconsistency - how does it make sense that users cannot access their account due to security reasons but they can have the ability to permanently delete their account through a simple email verification request?

    2FA LOCKOUT EMAIL VERIFICATION SOLUTION

    The same logic should follow with accessing your account back - sending an email verification for an account lost to 2FA. If the account is logged in within 15 days, then users can successfully gain access to their account again. However if it isn't logged in within 15 days of requesting an email recovery, then it would make sense that the account stays in a lockout. 

    Sounds logical enough I think.

    Devs make this happen cause it just makes sense. 

    14
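The recovery flow mazzystarred proposes above (an email-verified request that must be completed within 15 days, otherwise the account stays locked) is usually built as a signed, expiring, single-use token. The code below is an added example of that construction; it is not Discord's code and nothing on this page describes Discord's internals. The 15-day window is taken from the comment; the server key, the email address and the clock values are constructed for the demonstration, and a real deployment would also rate-limit redemption attempts.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets

# The 15-day window is the one proposed in the comment above; the key is constructed.
RECOVERY_WINDOW_SECONDS = 15 * 24 * 60 * 60


class RecoveryError(Exception):
    """Raised when a recovery token must not be honoured."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_recovery_token(server_key: bytes, email: str, now: int) -> str:
    """Build the token that would be mailed to the address on record.

    The payload names the account, records issue and expiry times, and carries
    a random nonce so that each token is distinct and can be marked as used.
    The HMAC ties all of that to the server key: changing the email or the
    expiry in transit invalidates the signature.
    """
    payload = {
        "email": email,
        "iat": now,
        "exp": now + RECOVERY_WINDOW_SECONDS,
        "nonce": secrets.token_hex(16),
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(server_key, body, hashlib.sha256).digest()
    return f"{b64url_encode(body)}.{b64url_encode(sig)}"


def redeem_recovery_token(server_key: bytes, token: str, now: int, used_nonces: set) -> str:
    """Validate a token presented via the mailed link.

    Returns the email of the account whose 2FA may now be reset. Raises
    RecoveryError if the token is malformed, forged, expired (the account stays
    locked, as the proposal says) or has already been redeemed.
    """
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = b64url_decode(body_b64), b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        raise RecoveryError("malformed token")
    expected = hmac.new(server_key, body, hashlib.sha256).digest()
    # Check the signature before trusting any field of the payload.
    if not hmac.compare_digest(sig, expected):
        raise RecoveryError("bad signature")
    payload = json.loads(body)
    if now > payload["exp"]:
        raise RecoveryError("token expired; account stays locked")
    if payload["nonce"] in used_nonces:
        raise RecoveryError("token already used")
    used_nonces.add(payload["nonce"])
    # Whoever reached this point controlled the mailbox: under this scheme that
    # is sufficient to clear 2FA, which is the trade-off debated in this thread.
    return payload["email"]


if __name__ == "__main__":
    key = secrets.token_bytes(32)          # constructed server-side key
    t0 = 1_700_000_000                     # constructed "now"
    token = issue_recovery_token(key, "user@example.com", t0)
    print("mailed token:", token)
    print("redeemed for:", redeem_recovery_token(key, token, t0 + 3 * 86400, set()))
```

The `used_nonces` set stands in for the server-side record of redeemed tokens; without it a leaked recovery email could be replayed for the whole 15 days, which is exactly the kind of gap the thread complains about in the deletion flow.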
  • saudade

    I need that email verification update!! 

    5
  • Daniel Perez

    +1

    Please, Discord.

    2
  • Nadir Sweezy

    New ways to cancel two-factor authentication by email, such as sending a text message with a verification code or 2FA recovery codes in an email.

    5
  • CJSmith

    I have a question for those who have become stranded in this situation. First - the whole point of using the authenticator is that email will not be enough to take control of the account. If email *is* enough, then there is no point to having the authenticator.

    So - why did you enable 2FA with the authenticator in the first place if you still wanted email recovery?

    Discord has not managed this situation well - but blocking email recovery when 2FA is enabled is the correct way to do this. Changing *that* would be wrong.

    -6
  • Nadir Sweezy

    I did not know what its usefulness was, except when the account was hacked and I made a request to retrieve it on the same e-mail. One of the tips that came to me when I got the account back was to do the 2FA, and I did it, and now I do not know how to recover it.

    2
  • mazzystarred

    @CJSmith
    You’re not wrong in that sense but there are some instances where users actually can’t help themselves when facing 2FA lockouts.

    For example, users’ devices break down etc and they genuinely cannot retrieve their accounts even if they HAVE saved their backup codes.

    As for my case, I already explained 8 posts above.
    I still stand by the logical inconsistency for the email verifications for deletions of accounts but not being able to recover your account.

    Also it’s kind of silly that Discord rejects many longtime users or those who have literal Nitro billing receipts to prove the ownership of their account, yet they are denied access but can very well delete their account.

    2
  • CJSmith

    @Kaylen, @sayazu

    What I see here absolutely supports that Discord might be doing 2FA correctly, but they are badly handling almost everything else to do with it.

    A suggestion to implement 2FA needs to always be accompanied by a statement of the risks, and the other processes the account holder needs to follow. It needs a big print summary that says "IF YOU LOSE OR DAMAGE YOUR PHONE THEN YOU MAY BE PERMANENTLY LOCKED OUT OF YOUR ACCOUNT", and "EMAIL ACCESS WILL NOT BE SUFFICIENT TO RESTORE ACCOUNT ACCESS". Standard techniques such as printing the enrollment QR code, or enrolling two devices - a backup phone? - need to be described. The account holder needs to positively agree that they understand those conditions.

    As for deletion - this is a somewhat separate topic, but you are absolutely correct. They should not accept a lesser authentication method for deletion. Now - they might accept an "account hide" so that other users do not continue to try and interact with you. But if you do eventually get access restored, then the account should be waiting for you as long as Discord exists.

    The core of this goes to a common misunderstanding that needs to be addressed more often. Using 2FA means you are saying that you prefer losing your access over an attacker gaining access. Put that way, I think many more Discord users would say "wait - let's think carefully about this".

    2
  • mazzystarred

    @CJSmith

    Yeah, I agree with the point you make regarding the user acceptance of conditions in enabling 2FA.

    I think a lot of users enable 2FA on a whim because Discord usually suggests it as a pop up so they end up just doing it.
    Discord encourages 2FA but doesn’t provide any more information regarding that so a clear bolded link to their info article would be useful on their end.

    So in such cases like @Kaylen’s I guess, users fail to actually understand what Discord’s 2FA policy is when they find themselves in such situations.
    So I do agree that Discord should provide a bold, clear pop-up “Are you sure?” button, similar to the confirmation buttons when you delete a server. This way, it ensures users have fully understood and consent to subsequent situations, a 2FA lockout, which would be in line with Discord’s policy.

    The “hide account” feature seems like a helpful suggestion though I’m not entirely sure if this is the same as disabling your account.
    Actually I’ll be honest, I don’t know the effects of disabling Discord accounts put in by the users themselves.
    But it doesn’t sound like a bad idea either if users can’t currently restore their accounts nor would rather delete it.

    2
  • saudade

    I saw a user on Twitter that is currently in a 2FA lockout for like 8!!! years!!!

    That’s insane, it makes me realise how long this issue has been persisting for. Discord should consider this really soon.
    I mean, right now all the attention is on the username update but all we are asking for is an improvement to the current policy!

    5
  • saudade

    Any users passing by, please upvote the thread and share it around to anyone you notice also facing the same issue! It’d be really helpful for a lot of users

    3
  • dannycookie

    Bump!

    There really needs to be more failsafe measures for this.

    5
  • mazzystarred

    Bump
    Discord, please stop touching the UI and actually take care of this never-ending 2FA lockout issue

    5
  • sitrik

    Bump
    2FA lockout has got to end

    1
  • Mangermouse

    100%. I am currently going through this predicament, and the fact that this initial post was 4 years ago and they still don't have a solution is mad.

    0
