Fixing 2FA

Comments

130 Comments

  • foxehkins

    It's crazy to think I posted this 4 years ago and still no solution. Losing my original account has definitely made me take extra steps to make sure I have ways back into my apps but man, knowing I can never get my original back just sucks.

    1
  • CJSmith

    @Mangermouse - since the point of the 2FA with authenticator is to ensure that your email cannot be used to take over your account - what solution do you suggest?

    There is no safe way to "disable 2FA" without *using* 2FA. Any other method to disable 2FA becomes a way for a malicious person to bypass the 2FA.

    When you enable 2FA, you are in effect stating that you would prefer that everyone - including you - be permanently locked out of the account, rather than have anyone else other than you take over the account.

    If this is not what you wanted, then what reason did you have for enabling 2FA?

    I use a number of services that operate this way. One of them is a file backup service. It is secure and protected. I already know that if I lose my authentication capability, I have lost all my files and I should cancel my account at that service - which I can do by stopping payments. This is what 2FA means.

    -2
  • dannycookie

    @CJSmith I've always had a problem with this logic, because it sounds smart on paper but in reality is very counter-intuitive.

    The problem arises in the fact that if your email is being used to take over your Discord account, then it's being used to take over your other accounts as well. Your top priority at that point wouldn't be getting into your Discord account, it would be trying to recover your email itself.

    1
  • Mangermouse

    CJSmith the purpose of 2FA is not to "lock you out if you lose 2FA". I have 2FA on nearly everything I use; with Google not backing it up (an unfortunate event), I was locked out of the majority of services I use, and nearly all of them had ways for me to validate my identity, prove I was the account owner and help me regain access.

    2FA is a secondary means of protection (not a final solution). There are many users who have lost their accounts to "hackers" even with 2FA; it is not foolproof, it just adds an extra layer of protection. The idea of "If I lose my 2FA, I should lose everything" is backwards thinking.

    From my experience with multiple companies in the past week, after I provided sufficient proof that I own the account etc., some have been able to reset the password, some have been able to provide a 2FA code for me to access the account, and some have reset the account parameters entirely. Many of them were able to do this because I have multiple email accounts connected, a phone number, etc.

    1
  • CJSmith

    @Mangermouse - you are certainly correct that other companies handle this differently. And this puts us into a discussion about the very nature of Discord. It is mostly free, and ad-free. It's an open question as to whether it can ever be profitable as long as it remains this way - and without at least some reasonable level of income, lots of things that are nice to do and done at other companies will remain out of reach.

    Try comparing the financials - those other companies, were they profitable? What was their annual revenue? And - what type of company was it, and what were its policies and culture? Were you seen more as a customer, or more as the product? Microsoft was in discussion to offer $12B for Discord, and I would love to know why Discord rejected it. If you needed a Microsoft Live account for Discord, recovery would almost certainly be possible - but, would you still use Discord?

    Even Google will not guarantee that you get your account back. They have a process, but depending on what you have set up in your account, it may not be sufficient. (For Google, I don't trust the authenticator - I have a hardware dongle for 2FA. And - I have *two* hardware dongles, so, a backup.)

    Finally - "if I lose 2FA, I should lose everything" - yes, this is draconian. But if more people went into setting it up while thinking this way, this would be a much less busy forum discussion. Given the current situation at Discord, it may be closer to the reality than to backward thinking.

    -1
  • deadlydog

    CJSmith I get what you're saying about Discord not having the money/resources for proper support (probably why this thread doesn't get any official response), but "Retrain 99.9% of the population to rethink how they use 2FA" doesn't seem like a practical approach to me. If they don't have the resources to offer proper industry-standard support for 2FA, then don't offer it.

    1
  • Mangermouse

    CJSmith Discord have plenty of means of income, and have done for a long while. I migrated to Discord from Slack when it was in BETA, so yes I would still use it, as I operate the majority of my professional world through Discord.

    Again, Discord aren't new to the game; in fact several of the support agents I have spoken to in a personal regard have noted this isn't the ideal policy and recognise it could be better. The fact that even this thread started 4 years ago speaks volumes. Improvements can be made. As for the idea of "why do the majority of people do 2FA", well unfortunately many places encourage it, and people do not do enough research into it, especially when the slogan is "add another layer of protection". Again, similar companies, who actually I would argue do not make a regular income like Discord does, have put in place better protective measures.

    They can do better, they can implement better systems. I'm not suggesting it should be as simple as "ping my email"; I believe there should be rigorous steps to go through in the event of a lockout, but it happens all too often, which is why other online companies have policies in place for these very scenarios. People get hacked, people lose devices, people's 2FA resets, the list goes on. The policy of "Oh too bad, start a new account" should not be the first port of call.

    I will give them the benefit of the doubt in that currently support are looking into whether they can transfer ownership to my backup account and are helping me, but if for whatever reason my phone/PC app logged me out tomorrow, that's it, dark zone.

    3
  • CJSmith

    Mangermouse - Discord may have plenty of *ways* to generate income, but their ARPU is estimated at $1.30. The only service lower than that is Reddit, down around $1.19. Interestingly, reading the Reddit FAQ on 2FA sounds rather familiar ... https://www.reddit.com/r/help/wiki/faq#wiki_two-factor_authentication_help

    "Please be advised that if you lose access to your 2FA app and your backup codes, we will not be able to help you get back into your Reddit account"

    "Otherwise, you'll need to create a new account to continue using Reddit. Reddit support cannot disable two-factor authentication on your behalf."

    -1
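CJSmith's point above (that a recovery path which is not itself a second factor becomes a 2FA bypass) and the Reddit FAQ's mention of backup codes both point at the same standard design: single-use recovery codes handed to the user once at enrolment and stored server-side only as hashes. The following is an added example written for this thread, not Discord's, Reddit's or any commenter's code; the names, the code format and the attempt limit are assumptions.

```python
import hashlib
import secrets

# Alphabet without visually ambiguous characters (0/o, 1/l/i); constructed for this example.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
MAX_FAILED_ATTEMPTS = 5  # assumed policy value, not taken from the thread

def normalize(code: str) -> str:
    """Accept the code however the user typed it: case, spaces and dashes are ignored."""
    return code.strip().lower().replace("-", "").replace(" ", "")

def hash_code(code: str) -> str:
    # Each code carries ~49 bits of randomness (31^10), so an unsalted SHA-256 is an
    # adequate at-rest form: a database leak yields digests, not usable codes.
    return hashlib.sha256(normalize(code).encode()).hexdigest()

def generate_recovery_codes(count: int = 8, length: int = 10) -> list[str]:
    """Produce the plaintext codes shown to the user exactly once, at 2FA enrolment."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes

class RecoveryCodeStore:
    """Server-side state: only digests are kept, and each one is consumed on use."""

    def __init__(self, plaintext_codes: list[str]):
        self._hashes = {hash_code(c) for c in plaintext_codes}
        self.failed_attempts = 0

    def remaining(self) -> int:
        return len(self._hashes)

    def locked(self) -> bool:
        # Too many wrong guesses: stop accepting codes and require a different factor.
        return self.failed_attempts >= MAX_FAILED_ATTEMPTS

    def redeem(self, candidate: str) -> bool:
        """Return True and burn the code on a match; it is never reusable afterwards."""
        if self.locked():
            return False
        digest = hash_code(candidate)
        # Digests are compared, so an early-exit string compare leaks nothing about the codes.
        if digest in self._hashes:
            self._hashes.remove(digest)
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        return False
```

Losing the authenticator app then costs one recovery code rather than the account, which is the lockout case this thread is about.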
  • Mangermouse

    CJSmith Correct, Reddit do not remove 2FA, but they have a way to reset the master password. You have to jump through a lot of hoops to do so, and basically have to speak with a support agent via call (I did mine via Zoom), and I regained access to my Reddit on Wednesday.

    1
  • CJSmith

    Mangermouse If you don't mind my asking then, how did you sidestep the 2FA point for Reddit?

    If you are completely logged out, even knowing the master password should not be enough to get access.

    What am I not understanding here?

    0
  • Mangermouse

    CJSmith In my case they reset the master password and I had to go through rigorous steps including SMS auth. I don't exactly know how they did the workaround and wouldn't even pretend to figure out how they do it; I just got 3 separate codes (SMS, Zoom and email), which I then confirmed with the agent at the time, and then was able to remove the 2FA and set this up again (I changed to a cloud-based 2FA service, obviously learning my lesson, it's not ideal but eh).

    1
  • Mangermouse

    CJSmith And with other services, they were able to remove 2FA completely (there's a lot of places that say they can't, but actually can, but there are steps to go by), but I did have to spend roughly an hour to prove my identity and ownership (which I feel was perfect; even though it was a lengthy process, I felt safe and secure doing so to regain access and set everything up again).

    2
  • Mangermouse

    It's also worth noting too that Slack, for example (which is practically the same family as Discord), does have a fail-safe protocol: https://slack.com/intl/en-gb/help/articles/204509068-Set-up-two-factor-authentication . Obviously it is a little different in terms of Slack being workspace-orientated, but let's not forget, Discord aren't saying they cannot do it because it's not possible; it's purely because it does not fall under their security policy. This can and should be amended to include steps to help users, especially those in really unfortunate circumstances.

    3
  • Rogey10x

    Lol discord can totally let you back in, found a vid online. In your very first message to support you must lie to them and say that you were hacked and that the hacker enabled 2FA. Tested like 6 months ago on an alt and dis support let me back in within 1 day. But since I DIDN'T LIE when I lost my real account they won't lift a finger.. And for those who think 2FA is Fort Knox... what would you do if the ol' fort failed and as a result you not only had to reinstall Windows but also factory reset your phone, and of course you're in a hurry... cause, ya know, a hacker be robbin your fort... so there goes your authenticator and your backup codes... sounds like a bad time yes? But discord just says screw you. Every other account I had also had 2FA and I sorted every single one out, there are ways to prove you're... ummm... you... ya know driver license, birth cert, SS card.. if you're really you then I'm sure you might have some of that stuff.. right? But discord says we don't care if you can prove you're you, not letting you in your account... but hey, we sure will delete it for you. And their reasoning for not letting you in is cause you might be the hacker, and I find it VERY strange that discord is more willing to help hackers delete customer accounts than help customers get their accounts back......... ludicrous.

    1
  • mazzystarred

    Bump…

    0
  • liyasa

    Still no updates on this problem! They should get this prioritised asap, especially because the whole 2FA seems to be an issue regardless; why am I seeing users claim they've gotten hacked despite having 2FA enabled?
    Discord, you guys really need to develop a recovery method via email for 2FA lockouts.

    3
  • Remy

    Bump ^^^

    0
  • Rogey10x

    liyasa lol 2FA isn't "unhackable".... I found out firsthand.

    1
  • liyasa

    Rogey10x I know, it seems to be happening too often though.

    1
  • sitrik

    This is so crazy, why hasn't Discord addressed this yet? I just want my account back ffs, never seen such terrible user account support.

    3
  • E

    Why is no one doing something about this? I just want my account back. Also, is it even worth it to contact support, or are they going to tell me to just delete my account?

    3
  • DANNY

    This has been a problem for over 4 years and their refusal to do anything is proof that whoever is in charge of security is a stubborn mule. It is easier for me to recover access to my bank account with 2FA than it is for me to recover my Discord account. That's ridiculous.

    5
  • liyasa

    I’ve seen a lot more recent 2FA lockout issues on Twitter/X and Support is literally useless in providing support or they don’t reply at all. It’s such a joke, fix the problem already!

    3
  • mazzystarred

    fix this already

    1
  • Remy

    C'mon Discord, it's the beginning of 2024. Please just change the goddamn 2FA policy man.

    4
  • Kenzey69

    Discord stop being lazy and fix this. There are so many solutions that can work for everyone rather than it only being "delete your account".

    4
  • Irfank118950

    Agreed man. I lost my main account due to this bullshit. And Discord, it is 2024 and they still haven't fixed it.

    3
  • liyasa

    2024…

    1
  • Bengal Norr

    Removing 2-factor will aid me in getting my old account back. Twice already I've reached out to Discord and twice I've gotten an automated message. I tried getting on the account that stole my email (I got hacked) because Discord won't do anything, and what do ya know? I'm hit with a 2-factor wall. So I'm going to have trouble getting in my account because "They won't do the switch unless the original email is available to be switched over" and not something as simple as "Hey. Got another email you can use?"

    0
