[ ‼️ ] How Discord Can Improve 2FA & How to Keep Accounts Secure and Avoid Lockouts.

Comments

10 comments

  • ██████████

    You guys can do everyone a huge favor by sending this post link around to anyone.

    2
  • Niño

    I agree with this. Discord needs to become better with account security. Read my post if you don't mind; the scenario is not the same, but we both agree on the points. I upvoted as well.

    1
  • sitrik
    • Users will be shown the consequences of losing access to 2FA by having them click an "I understand" button that appears for 5 seconds. This will ensure that users are aware of the risks and will take extra care to safeguard their accounts.

    Good point, I agree with this.

    2FA pop up always comes up as a recommendation so users usually just do it to get it done with but they don't actually realise the consequence that comes with it until they go onto the Discord website itself to find out. And often, people will not go to do that.

    Discord usually has these caution buttons, for example when you delete a server

    So, this would help regarding 2FA, especially since Discord insists it's a security issue


    1
  • Niño : I agree with this. Discord needs to become better with account security. Read my post if you don't mind; the scenario is not the same, but we both agree on the points. I upvoted as well.

    It's not surprising to me that Discord does not disable 2FA even when users' accounts get hacked. There's no reason for someone to be hacked and unable to regain their account, especially if they have so much evidence. Thank you for responding; I'll revise my post and make the changes soon.


    1
  • brysonzac

    better


    0
  • Big P

    Implement a simpler authentication process, such as sending a code to our email

    Bad idea, hackers can easily access your email. Getting access to your 2FA device is harder.

    Users will be shown the consequences of losing access to 2FA by having them click an "I understand" button that appears for 5 seconds. This will ensure that users are aware of the risks and will take extra care to safeguard their accounts.

    They have a 3 second delay on the QR code login screen that warns you that you are logging into a computer and people still fall for that scam on a regular basis.

    A feature similar to Google's "6 Hour Password Reset." When a user requests to reset their password and 2FA, a warning should appear on the top bar of Discord (which cannot be removed), and an email notification should be sent to the user's registered email address, notifying them of the reset request. This will add an extra layer of security and help prevent unauthorized access to user accounts if it were to occur.

    So you'd have to wait 6 hours to reset your password?

    A tiered security system, allowing users to choose the level of security they want for their account based on their individual needs and preferences.

    This already exists, you don't have to enable 2FA.

    The ability to set up security questions instead.

    Wouldn't really add that much security to your account considering once a hacker knows your security answers then they know them forever, whereas 2FA changes every 30 seconds.

    Provide an option for users to have their backup codes emailed, and make it clear that it's the user's responsibility to secure their email as well.

    I don't actually mind this idea, it does lower security but it's no worse than the current security code system and more convenient for 99% of users.

    1
  • ██████████

    @Big P

    My response is pending approval, but I appreciate the points you've made. It's always important to consider both the Pros and Cons when it comes to different options for account security.

    1
  • ██████████

    My Reply to Big P


    "Bad idea, hackers can easily access your email. Getting access to your 2FA device is harder."

    It's important to remember that account security is not always foolproof. There are cases where people have been hacked, and the hacker enabled 2FA, or where a device suddenly stops working. In these situations, people who screenshot their codes but never back them up to a cloud service can be left without access to their account. While it's true that emails can also be vulnerable to hackers, it's essential to take steps to secure them, such as using strong passwords and enabling two-factor authentication. Discord could make it clear that it's the user's responsibility to secure their email if they choose to receive backup codes that way. Allowing users to receive backup codes via email could be a more convenient solution for many users without compromising too much on security.


    "So you'd have to wait 6 hours to reset your password?"

    Google has a system in place where you can request a password reset and 2FA removal in case you lose access to both if you're in your account. During the 6-hour delay, Google waits to see if you successfully reset it, and cancels the request if it detects a potential hijacker.

    Discord could implement a similar system where they verify the user's IP address and device history to ensure that it's the actual user requesting the 2FA removal and password reset. And as I mentioned earlier, the system could also show a warning on the top bar of the user's account and send an email to their registered email address for added security.


    "Wouldn't really add that much security to your account considering once a hacker knows your security answers then they know them forever, whereas 2FA changes every 30 seconds."

    While using security questions as an additional security measure can have potential weaknesses, it's ultimately up to the user to choose a secure custom question and provide an answer that's difficult for others to guess. However, it's also important to acknowledge that there are situations where users may lose access to their devices and backup codes, which can make it difficult to use 2FA. In those cases, having secure security questions as an alternative option can be helpful in regaining access to their accounts.


    "This already exists, you don't have to enable 2FA."

    Enabling 2FA is not always required, but there are some cases where it is necessary to have it enabled. For example, some servers require 2FA for added security measures, and as a server owner, you may not want your server to be taken from you if you get token logged. Additionally, as a bot developer, enabling 2FA is necessary to access the developer portal.

    Overall, it's important to consider all sides of the issue and weigh the Pros and Cons of each option when it comes to account security.

    1
  • liyasa

    Valid points made in this post

    0
  • Niño

    I made a video regarding these problems if you could please check it out so we can help bring this problem to light in a respectful way to Discord : https://youtu.be/9Tnv0S9ssr8

    0
