Multi-Factor Authentication (MFA for short) is the best way to add an extra layer of security to your Discord account to make sure that only you have the ability to log in.
What this article covers:
- Types of Multi-Factor Authentication
- The Setup Process on Desktop
- Setting up your Authentication App
- The Setup Process on Mobile
- I forgot to download my codes!
- I forgot to add my phone as backup!
- Server-wide 2FA
Types of Multi-Factor Authentication
There are three options to add MFA to your account: Security Keys, an Authenticator App, and SMS. You can choose any one of these options or any combo, but there are positives and negatives to each. We’ll talk through each option and give you some info on the security of each one.
Security Keys
Security Keys are the latest in personal security, and also the most secure option! With Security Keys, you’ll be able to use a passkey (for example Face ID, Touch ID, or Windows Hello) to gain access to your account. The way this works is that when you register a passkey for Discord, you protect it using your biometric (fingerprint or face); the key itself lives on your device and in your provider’s cloud (e.g. Apple/Microsoft). Whenever you want to use the passkey, you authenticate using your biometric so that your device sends the passkey data to Discord. And to be clear, we’re never given any biometric data from your device.
This method is the best way to protect your account because it is simple to use, lives on your own devices, is backed up in the cloud, and, most importantly, is phishing resistant.
Authenticator App
The Authenticator App is an excellent choice that mixes flexibility with security. Plus the name makes us think we’re in a spy novel. With an Authenticator App, you’ll scan a QR code or manually enter a key into an app on your phone or a password manager, which then generates a new code for you to use every 30 seconds.
As long as you have your phone or access to your password manager, you can make new codes, and hackers will have a hard time getting access to your app. But these codes are still phishable, and if you lose your phone, this could lead to a predicament.
SMS
SMS is a common option. If we can be transparent with you, SMS MFA is better than no MFA, but not by a lot. Hackers have been able to intercept text messages or call up phone carriers to do a “SIM Swap” attack and take over phone numbers.
Since you can only use SMS if you already have an Authenticator App enabled, you should really think carefully about whether it’s worth adding a more easily stolen MFA after setting up a better option with your Authenticator App. Either way, there’s always…
Backup Codes
What happens when the worst-case scenario happens? You’ve registered your security key, but your laptop’s been stolen; or you’ve configured your Authenticator, but lost your phone. How can you regain access to your account? With Backup Codes!
Backup codes are special, random codes we give you after signing up for MFA. Keep these secret and well-protected. We recommend storing them in a password manager (like 1Password, KeePass or KeePassXC), but you can also print them out and hide them if you’d prefer.
If you are locked out of your account and need to get past MFA, you can use one of these codes in order to recover and reconfigure your account. Each code can only be used once, so once your account is under your control again with new MFA configured, generate some new codes and hide them away safely again.
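To show what is going on behind the Authenticator App and Backup Code steps described above, here is an added example that is not Discord's code: it derives the 30-second codes from a manually entered base32 key the way an authenticator app does (RFC 6238 TOTP over HMAC-SHA1), checks a submitted code on the service side with one step of tolerance for clock drift, and enforces the use-once rule for backup codes. The sample key is the RFC 6238 reference secret, and the BackupCodes class and its codes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed sample key: the RFC 6238 reference secret ("12345678901234567890"),
# written as the base32 string an app accepts when you "manually enter a key".
SAMPLE_KEY_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # the "new code every 30 seconds" window
DIGITS = 6


def totp(key_b32: str, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code an authenticator app shows at Unix time `at` (RFC 6238, HMAC-SHA1)."""
    key = base64.b32decode(key_b32.upper(), casefold=True)
    counter = at // step                        # which 30-second window we are in
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(key_b32: str, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """Service-side check: accept the current window plus `skew_steps` windows
    either side to tolerate phone/server clock drift; compare in constant time."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(key_b32, now + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


class BackupCodes:
    """Hypothetical single-use recovery codes: each one works exactly once."""

    def __init__(self, codes=None, count: int = 10):
        # Random 8-hex-character codes unless a constructed list is supplied.
        self.unused = set(codes) if codes else {secrets.token_hex(4) for _ in range(count)}
        self.used = set()

    def redeem(self, code: str) -> bool:
        """Return True once per code; a reused or unknown code is rejected."""
        if code not in self.unused:
            return False
        self.unused.remove(code)
        self.used.add(code)
        return True
```

Because the service only tolerates one step of drift, a code captured by phishing is useful to an attacker for at most about a minute, which is why the article calls these codes phishable rather than phishing resistant.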
The Setup Process on Desktop
Start by selecting the cog wheel next to your username.
You'll be redirected to your User Settings and land on the My Account page. While here, you will be able to view the Multi-Factor Authentication options under Password and Authentication.
Registering Security Keys on Desktop
To set up a Security Key, select Register a Security Key and follow the prompts to reauthenticate. You’ll land on this notification so you can go grab your key and plug it in:
Press Let’s go and interact with your key (you might need to tap it, select it, put your finger on it, scan your face, make an incantation over it). Afterwards, be sure to name it something you’ll remember.
Then, remember to download and store your Backup Codes.
And you’re done!
You can now register another Security Key on this device or a different device (you can have up to 16 at the same time). If you’re adding a Security Key on another device and it’s asking for an MFA code, but you’ve only registered Security Keys on other devices, remember you can always use a Backup Code to get the process going, then regenerate them to get a fresh set once you’re all done.
When you log in, you’ll get one additional challenge after entering your username and password to use your security key:
Press Authenticate with security key to interact with your Security Key, and you’re in!
Setting up your Authentication App
Authenticating with Google
If you're using Google Authenticator, you'll be prompted to choose your input method, either scanning a barcode or entering a provided key:
Either one of these will work fine (since Discord provides both input methods) but keep in mind, Google Authenticator on Android will need you to install another barcode scanning app if you want to use that option. They require the ZXing Barcode Scanner app, which is totally fine and dandy:
Or, you can just input the code provided in Discord; no Barcode Scanner required.
Authenticating with Authy
Within Authy, you'll first need to enter your phone number and email to authenticate your phone:
You'll see a new pop-up with the option to verify via phone call or text message. Internal testing has yielded results that claim that the most recent smartphones are in fact capable of making and receiving phone calls, despite how rare this phenomenon appears.
Once you've authenticated your device, go ahead and press the "+" button in the center to add a new authentication account. Finally, you'll reach the Authenticator Accounts screen. You'll have the option to scan a QR code, or enter the code manually.
Authenticating with MFA
Use Authy's (or Google Authenticator's) QR scanner on the QR code provided within Discord here:
This'll generate a 6-digit code that is the final piece to enabling 2FA in Discord. Enter it, and you're good to go.
Once you've enabled MFA successfully, you'll have a fancy little box pop up with a couple suggestions to help make sure you can access your account in case of an emergency:
You did it!
You can now link your phone number to your account to help act as a backup method for obtaining 2FA codes. This is to help should you be worried about losing access to your authenticator app say by dropping your phone in water/lava/a hippo/etc.
Make sure to also download your backup codes.
Now when you log in, you’ll see an additional prompt to enter an authentication code:
Enter a code, select Confirm and you’re in!
The Setup Process on Mobile
Tap your avatar in the bottom left corner to head into your User Settings > Account.
Now you’re looking at the same options as on Desktop.
Registering A Security Key on Mobile
Select Security Keys to start setting up a security key. Next you’ll press Register a Security Key.
Your phone will wait to let you get ready (get your physical token, stretch that finger, fix your hair). When you’re good to go, press Let’s go. Your phone will then let you register and choose a name for this key, then tap Finish.
And you’re done! Make sure to download and store your backup codes.
Authenticating on the Go
Tap the Enable Two-Factor Auth button to get started. To begin the MFA process, you'll need to download either Google Authenticator or Authy on your mobile device.
Once you have either Google Authenticator or Authy installed, you will be prompted to connect your account to the authentication app. (See Setting up your Authentication App above for instructions.)
Once you've connected, you've enabled 2FA successfully! 🎉
You can now link your phone number to your account to help act as a backup method for obtaining MFA codes (remember that SMS codes aren’t super secure). This should help you be less worried about losing access to your authenticator app.
Make sure to also download and store your backup codes.
I forgot to download my codes!
It's all good, you can still do this in your account settings! Your settings screen will now look something like this:
Head into your User Settings > My Account.
Select View Backup Codes to see your codes (and which ones you’ve used) as well as get the option to download them.
These codes have been rotated already, obviously.
I forgot to add my phone as backup!
No worries again! Head back to your account and press the Enable SMS Authentication button.
Verify that number in Discord.
Now, after you log in with your username and password, you’ll get an additional screen like this:
Just enter the code from your text message and you’re in!
From now on, when you log in and this feature is enabled, you will have a link to request an SMS with a code to authenticate yourself as a backup option.
Server-wide 2FA
Server owners also have an extra security lever they can pull to prevent unwanted perpetrators from causing havoc in their servers.
In your Server Settings menu, you'll see a Moderation tab that allows you to require 2FA server-wide. While this doesn't require everyone that joins the server to have 2FA enabled, it does mean that anyone with admin powers won't get to use them unless they enable it. They'll see this pop up instead:
The specific permissions that are disabled ("Admin privileges") include:
Kick Members, Ban Members, Administrator, Manage Channels, Manage Server, Manage Roles, and Manage Messages.
Selecting the Resolve link in the popup will bring you directly to the security tab in your User Settings menu, where you can follow the steps listed above to get that set up and regain your Admin powers.