(2FA LOCKOUT) Discord, ADD EMAIL VERIFICATION METHOD OR NEW METHODS OF VERIFICATION

Comments

14 comments

  • Big P

    If you forget to save your backup codes that's your own problem

    -5
  • Krism

    That's the point, it's my problem, it's everyone's problem as well, you are in the feedback area bruhhhhh

    0
  • Big P

    email 2FA would just make the 2FA useless

    0
  • Big P

    0
  • PepsiPlayzz

    Protip: Don't only get your verification service on mobile, things will go wrong

    Authy, for example, has a desktop app where (assuming you remember the master password) you can access 2FA from your PC, regardless your phone working or not

    2
  • Podfrey

    My PC has not stored the Backup Codes, and now I am completely locked out of my account. Discord are only giving me the nuclear option of them manually deleting the account so I can create another and (then me manually) re-setting up all of my channels and friends.

    This current process is a heap of rubbish!

    2
  • liyasa

    Cases like phones having technical errors or being damaged are extremely common. Why doesn't Discord just let users verify themselves through other means? Also, I agree with @pepsiplayzz, desktop 2FA seems more safe than mobile. At least there's two ways of authenticating that way, but we know that users usually use mobile apps anyway.

    2
  • Big P

    You can use a 2FA app that syncs to the cloud like Authy, or download your backup codes like you're supposed to do

    1
  • Underthesea54321

    I still have access to my account thanks to the QR scan, but yeah, unfortunately lost my codes and forgot my password. So I can't change my password, and I can't even remember when I last changed it. But I think it's fair enough that when you're logged in already you can have additional ways to change your password instead of the only current 2FA which I do agree is really secured. I think the 2FA works best when logging into a new device, but changing passwords WHEN logged in already can and should have other methods than just 2FA and remembering the current password to verify it's me. Maybe even the QR Code scan in mobile could do, but maybe there are better ideas.

    1
  • Big P

    But then you could change someone's password just by being logged into their account, meaning that scammers could just take your account immediately without having your password or your 2FA codes

    1
  • Underthesea54321

    Hmmm well true, but wouldn't that only be if they have already logged into my account? Which in theory they shouldn't be able to with the 2FA in place in order to log in the first place? Or that they'd need to steal my phone too in order to bypass the 2FA through QR. Unless hackers can bypass the 2FA anyway, which would then make the 2FA pointless.

    Like I said, I only have my phone as my means of logging in desktop now through QR, and it doesn't even require the 2FA. And losing it would make it impossible for me to log in anywhere else when I need to unless I can somehow change my password through other means

    1
  • Big P

    There are scams that steal your authentication session, such as the QR code scam which as you mentioned bypasses 2FA for login. But it doesn't allow you to change the password.

    1
  • Underthesea54321

    Ah I see, that's fair. There's got to be another way to verify it's me though, albeit a more tedious process than just the codes, but less than having to delete and make a new account. But at the moment, I can't think of any.

    The SMS one could've worked, but I still need to confirm with a password rather than just texting my phone whether it's me wanting to enable it. I can see why it would need that (scammers could just reassign it to their numbers), but do you think it's still secure, having my number connected already before I had the 2FA enabled, to just send the verification that I want to enable my SMS Authentication directly to my phone instead of a password, while changing the phone number with the 2FA in place already would need the password and 2FA codes? idk if I explained that clearly

    *But basically the idea is, SMS shouldn't need my password to verify if it's me or to verify if I want to enable it, but rather should just text me directly on my phone number to confirm, and I think it should be activated by default once you link your phone number.

    Having a 2FA enabled already before the SMS method would mean scammers can't just add their phone number (if the user doesn't have one linked to it yet), or change the current one to theirs, because that would be locked behind the current system, which is the Password and the 2FA. Having my number connected beforehand would mean I can still retrieve my account, and I think it's enough to verify that it's me changing the password, unless of course the phone gets stolen, but that's another situation.

    I think that can be a possible alternative solution for retrieving accounts in case the user forgets their password, didn't save the codes, is still logged in but wants to change it. Without sacrificing the 2FA code system, cause that one would still protect me from other people accessing or taking away my account. And I believe it won't let the scammers/hackers completely take my account, as they would need my phone, or know my password and codes in case they try to change the phone number to change my password through SMS. And I mean, when the user gets scammed or hacked without the 2FA the account is most likely dead anyway. The only issue I can see with this solution really is literally when I forget my password, have a 2FA and no code, and also didn't link an SMS, then my account's basically just lost at that point.

    This could extend to forgetting the password and not being able to access the account in any way, but I can see how it would take away the purpose of the codes, though I don't think it would entirely. Having the codes would just make the account safer from other people, and a much more secure method. The SMS backup can help serve as an alternative to retrieve the account, granted a little bit less secure compared to the codes, but I think it's secure enough. And I think it's definitely more than secure if I'm already logged in and only want to change the password that I forgot; changing or adding phone numbers and logging in on new devices should still be behind password and 2FA though, and they should put 2FA on QR Codes as well if we really want this to be secure.

    1
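The rule the two commenters above converge on (Big P: a stolen session from the QR scam gets you logged in but must not let you change the password; Underthesea54321: a linked phone could serve as a recovery factor for a logged-in user, while changing the phone number or logging in on a new device stays behind password plus 2FA) is a step-up authentication policy. The model below is an added illustration written for this thread, not Discord's actual logic or anything posted by the commenters; `Factor`, `POLICY`, `Account` and `authorize` are hypothetical names, and the account states are constructed to match the situations described in the posts.

```python
"""Toy step-up authentication policy (hypothetical model, not Discord's implementation).

A sensitive action is authorized only if the caller presents every factor of at
least one of the action's alternative factor sets. Holding a valid session on
its own is never enough for an account-recovery action, which is what stops a
session hijacked through a QR-login scam from being turned into a full takeover.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum, auto


class Factor(Enum):
    PASSWORD = auto()     # knowledge: the current password
    TOTP = auto()         # possession: code from the authenticator app
    BACKUP_CODE = auto()  # possession: one of the saved one-time backup codes
    SMS = auto()          # possession: code texted to the linked phone number
    SESSION = auto()      # an already-logged-in session (e.g. obtained via QR login)


# Hypothetical policy table: each action maps to the alternative factor sets that
# authorize it. Order does not matter; any satisfied alternative is enough.
POLICY: dict[str, list[set[Factor]]] = {
    "change_password": [
        {Factor.SESSION, Factor.PASSWORD, Factor.TOTP},
        {Factor.SESSION, Factor.PASSWORD, Factor.BACKUP_CODE},
        # The thread's proposal: a logged-in owner with a previously linked
        # number can recover via SMS without remembering the password.
        {Factor.SESSION, Factor.SMS},
    ],
    # Re-pointing the phone number stays behind password + 2FA, so an attacker
    # cannot first swap in their own number and then use the SMS path above.
    "change_phone_number": [
        {Factor.SESSION, Factor.PASSWORD, Factor.TOTP},
        {Factor.SESSION, Factor.PASSWORD, Factor.BACKUP_CODE},
    ],
    "login_new_device": [
        {Factor.PASSWORD, Factor.TOTP},
        {Factor.PASSWORD, Factor.BACKUP_CODE},
    ],
}


@dataclass
class Account:
    phone_linked: bool          # an SMS-capable number was linked earlier
    totp_enabled: bool          # authenticator-app 2FA is turned on
    backup_codes_remaining: int # unused backup codes left (0 = lost or spent)


def usable_factors(presented: set[Factor], account: Account) -> set[Factor]:
    """Drop presented factors the account cannot actually back up."""
    usable = set(presented)
    if not account.phone_linked:
        usable.discard(Factor.SMS)          # nothing to text
    if not account.totp_enabled:
        usable.discard(Factor.TOTP)
    if account.backup_codes_remaining <= 0:
        usable.discard(Factor.BACKUP_CODE)  # codes lost: the lockout in this thread
    return usable


def authorize(action: str, presented: set[Factor], account: Account) -> bool:
    """True if at least one alternative for `action` is fully covered."""
    usable = usable_factors(presented, account)
    return any(alternative <= usable for alternative in POLICY[action])


def thread_scenarios() -> dict[str, bool]:
    """Constructed cases mirroring the situations described in the comments."""
    # Underthesea54321's account: 2FA on, backup codes lost, password forgotten,
    # phone number linked before 2FA was enabled, still logged in via QR.
    owner = Account(phone_linked=True, totp_enabled=True, backup_codes_remaining=0)
    # Same account with no linked number: the "basically just lost" case.
    no_phone = Account(phone_linked=False, totp_enabled=True, backup_codes_remaining=0)
    return {
        # Logged-in owner recovers through the linked number.
        "owner_sms_recovery": authorize(
            "change_password", {Factor.SESSION, Factor.SMS}, owner),
        # Session stolen via a QR-login scam: session only, no password, 2FA or phone.
        "hijacked_session_change_password": authorize(
            "change_password", {Factor.SESSION}, owner),
        # Hijacked session trying to swap in the attacker's own number first.
        "hijacked_session_change_phone": authorize(
            "change_phone_number", {Factor.SESSION}, owner),
        # Hijacked session cannot establish a fresh login elsewhere either.
        "hijacked_session_new_device": authorize(
            "login_new_device", {Factor.SESSION}, owner),
        # Owner who never linked a number and lost the codes: no recovery path.
        "no_phone_no_codes": authorize(
            "change_password", {Factor.SESSION, Factor.SMS}, no_phone),
        # Normal path: password plus authenticator code.
        "owner_password_totp_new_device": authorize(
            "login_new_device", {Factor.PASSWORD, Factor.TOTP}, owner),
    }


if __name__ == "__main__":
    for name, allowed in thread_scenarios().items():
        print(f"{name:36s} {'ALLOW' if allowed else 'DENY'}")
```

The design point is that `POLICY` never lists `{SESSION}` alone for any recovery action, and the SMS alternative is only reachable for a number linked before the attacker's session existed, because changing the number itself requires password plus 2FA. The last scenario in `thread_scenarios` is the one the proposal does not solve: no linked number and no backup codes leaves no alternative satisfiable.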
  • Underthesea54321

    i feel stupid i forgot i had google auth :clown: oh well there's that sorted out T-T

    0
