[a feature removal/update request: remove phone verification and replace it with something more user-friendly]
Imagine a scenario where you have had a Discord account for years and one day are greeted with a large dark screen asking for your phone number. You perhaps used a VPN, used an unaccepted email, didn't accept 3rd party cookies, or simply were unlucky. Now you are forced to add your phone number to your account, permanently, or face being locked out of your account forever. Contacting support will result only in affirmation that the "phone verification requirement" is eternal and cannot be removed. This is what we currently have to deal with.
Why is adding your phone number a problem?
- Unavailability: "Who doesn't have a phone number? I mean everyone around me has one so everyone must have one, right?" No, Discord, everyone in the world does not own a phone number. The most glaring demographic representing this would be children lacking parental permission. A minor but no less important demographic would be those who cannot afford a phone number, choose to not have one, or are unable to get one for some reason. By excluding these demographics, Discord is barring access to their services for these accounts permanently, which is quite jarring after months or years of allowed use.
- Privacy: "Well, if you have a phone number you obviously would use that phone number to get your account back right?" No, Discord, there are reasons that people choose to not give away their phone number willy-nilly to every website they come across. While Discord isn't some shady HTTP website, many are still not comfortable giving away their personal phone number, and for good reason. With the possibility of spam, invasive targeted advertising and unwanted identification, many wish to keep their phone number private.
- Security: Requiring SMS-based 2FA (2-factor authentication) can put your account at risk. Man-in-the-middle attacks, social engineering, and other techniques can be used to gain access to your account by resetting your password without your knowledge. While this is often difficult to do, if you have a high threat model or are particularly unlucky this can pose a risk.
- Single Point of Failure: Many users are reporting that their phone number is not working with the system; either their phone is not getting a message or their phone number is receiving a false error message. There is also the problem of oblivious users successfully completing the process and then removing their phone number, locking them out of the system again and not permitting them to use the same phone number for an undetermined period of time. What this system does is create a single barrier that must be crossed in order for a person to gain access to their account. This is problematic because if that barrier is faulty, the user can never gain access to their account again.
What are the alternatives?
- Email: This is the most obvious and user-requested alternative, which did actually exist in the error screen, although it cannot be successfully used and disappears after you click it. While not the most secure for bot-detection, integrating it with some sort of email design catch, or having the verification page contain user-checks such as a captcha, would improve the process a hundredfold.
- TOTP: For the users who have enabled the time-based one-time password for their accounts (which I suggest you should—it's great), it would be welcome to have them verify their identity through TOTP. While this is not secure by itself, it can be combined with email verification or the support team in order to supplement an existing strategy.
- Support Verification: As of now, support is unable to lift phone verification under any circumstances. This outdated system, controlled entirely by bots, should change. Multiple context clues, such as the user's account age, the fact that they opened a support ticket, the words in their support ticket, and what flagged the system to lock the account in the first place, should be enough to allow a human with common sense to determine if the phone verification lock should be removed. The fact that they don't allow this simple system points to a lack of trust or resources able to be put into support and could point toward a motivation to keep accumulating phone numbers by keeping accounts locked.
What should be done?
- By Discord: Update this crude and ineffective system. This is causing users to lose their accounts and accumulate stress in the process along with placing a stress on support through the many user requests. With the rise of internet privacy and the subsequent use of VPNs, anonymous email services, and more private browsers, the system is not sustainable. A company must adapt to the user-base in order to stay afloat and grow, so please fix this.
- By you guys reading: Raise awareness of this issue so it can reach the eyes of Discord. One way you can do this is by upvoting this, found in the top right corner of the post. You can also share this to others, including those not affected by the issue. Also feel free to discuss in the comments below.
I'm now realizing how much time I spent writing this and I hope it was worth it. I know this is a long shot but I really hope Discord sees this and changes their broken system. Thanks for reading :)