Discord now requires your personal phone number to use Discord after account is locked [Something's going on here error]

WhisperOfLife

[a feature removal/update request: remove phone verification and replace it with something more user-friendly]

Imagine a scenario where you have a discord account for years and one day were greeted with a large dark screen asking for your phone number. You perhaps used a VPN, used an unaccepted email, didn't accept 3rd party cookies, or simply were unlucky. Now you are forced to add your phone number to your account, permanently, or face being locked out of your account forever. Contacting support will result only in affirmation that the "phone verification requirement" is eternal and cannot be removed. This is what we currently have to deal with.

Why is adding your phone number a problem?

  1.  Unavailability: "Who doesn't have a phone number? I mean everyone around me has one so everyone must have one, right?" No Discord, everyone in the world does not own a phone number. The most glaring demographic representing this would be children lacking parental permission. A minor but no less important demographic would be those who cannot afford a phone number, choose to not have one, or are unable to get one for some reason. By excluding these demographics, Discord is barring access to their services for these accounts permanently, which is quite jarring after months or years of allowed use.
  2. Privacy: "Well, if you have a phone number you obviously would use that phone number to get your account back right?" No Discord, there are reasons that people choose to not give away their phone number willy-nilly to every website they come across. While Discord isn't some shady http website, many are still not comfortable giving away their personal phone number, and for good reason. With the possibility of spam, invasive targeted advertising and unwanted identification, many wish to keep their phone number private.
  3. Security: Requiring SMS-based 2FA (2-factor authentication) can put your account at risk. Man-in-the-middle attacks, social engineering, and other techniques can be used to gain access to your account by resetting your password without your knowledge. While this is often difficult to do, if you have a high threat model or are particularly unlucky this can pose a risk.
  4. Single Point of Failure: Many users are reporting that their phone number is not working with the system; either their phone is not getting a message or their phone number is receiving a false error message. There is also the problem of oblivious users successfully completing the process and then removing their phone number, locking them out of the system again and not permitting them to use the same phone number for an undetermined period of time. What this system does is create a single barrier that must be crossed in order for a person to gain access to their account. This is problematic because if that barrier is faulty, the user can never gain access to their account again.

What are the alternatives?

  1. Email: This is the most obvious and user-requested alternative, which did actually exist in the error screen although cannot be successfully used and disappears after you click it. While not the most secure for bot-detection, integrated with some sort of email design catch or the verification page containing user-checks such as a captcha would improve the process a hundredfold.
  2. TOTP: For the users who have enabled the time-based one time password for their accounts (which I suggest you should—it's great), it would be welcome to have them verify their identity through TOTP. While this is not secure by itself, it can be combined with email verification or the support team in order to supplement an existing strategy.
  3. Support Verification: As of now, support is unable to lift phone verification under any circumstances. This outdated system, controlled entirely by bots, should change. Given multiple context clues, such as the user's account age, the fact that they opened a support ticket, the words in their support ticket, and what flagged the system to lock the account in the first place should be enough to allow a human with common sense to determine if the phone verification lock should be removed. The fact that they don't allow this simple system points to a lack of trust or resources able to be put into support and could point toward a motivation to keep accumulating phone numbers by keeping accounts locked.

What should be done?

  • By Discord: Update this crude and ineffective system. This is causing users to lose their accounts and accumulate stress in the process along with placing a stress on support through the many user requests. With the rise of internet privacy and the subsequent use of VPNs, anonymous email services, and more private browsers, the system is not sustainable. A company must adapt to the user-base in order to stay afloat and grow, so please fix this.
  • By you guys reading: Raise awareness of this issue so it can reach the eyes of Discord. One way you can do this is by upvoting this, found in the top right corner of the post. You can also share this to others, including those not affected by the issue. Also feel free to discuss in the comments below.

I'm now realizing how much time I spent writing this and I hope it was worth it. I know this is a long shot but I really hope discord sees this and changes their broken system. Thanks for reading :)

105

Comments

30 comments

Date Votes
  • Frith

    If you are able, I suggest you get in touch with your acquaintances who are on Discord and invite them to log in here and upvote your post. My post here: https://support.discord.com/hc/en-us/community/posts/1500001115022-Six-Weeks-Later-Still-Can-t-Log-in-need-upvotes received a surge in upvotes after I told one person of my predicament.

    6
  • Sarazil

    I really hope they fix this. It has just happened to me and they won't even explain why my account was flagged. I was literally playing a game when this happened. Discord, you have messed up royally here.

    6
  • clouds

    Just about 15 minutes ago I was logged out because now I need a stupid phone number. I already had an email to get verification emails, and now they want me to add a phone number? This is ridiculous. They are lucky I had a spare phone number to use, I can't get locked out of my account just for not giving a phone number. FIX THIS DISCORD!

    6
  • purepvd

    One of my family member's accounts is now locked out due to this. They don't have a phone number and I don't know what to do now? This is absurd.

    5
  • Frith

    Since Discord is blocking me because my ISP has changed my "location", I just tried to create a new account, same username, same email addy, same password. Discord balked because it already has an account associated with my email address. Ergo, Discord says my email address is good enough to block me from creating two accounts, but not good enough to let me log in. So, I suspect that if I get a free email account off the web and use that, I could create a new account.

    3
  • Lminith

    This just happened to me and the only response I had from support was to put a phone number.
    I don't even know if the hack didn't add one phone number in the 1st place. Sure I can try to add my phone number but why?
    If I had it in the 1st place the information about it would have been stolen already.

    This does nothing to provide proof of ownership! In fact it's just an extra risk. The more personal information you have on platforms the less protected you are from hacks and advertisers.
    Is Discord now on the business of selling client data like emails and phone numbers?

    Must we complain to EU General Data Protection Regulator?
    https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en

    6
  • aabb

    This situation is absolutely absurd. Lminith is right, and I will be complaining to EU GDPR, as I encourage everyone else to do the same.

    7
  • Pterodaxyl

    I seriously doubt that complaining to the GDPR regulator will get you any satisfaction: the GDPR also requires operators to take reasonable steps to ensure the security of your account.

    That said, it's quite problematic that Discord tie 2FA to a shared identifier that's hard/expensive for you to change, and that they don't offer other 2FA options.

    This does nothing to provide proof of ownership! In fact it's just an extra risk

    Claiming that it does literally "nothing" is dubious. Having a second authentication factor is almost always better that not having one, and the additional risk of providing your phone number depends on your threat model.

    Clearly it's a tradeoff, and for some people it will be a net negative, but for many, perhaps most, it will be a net positive.

    I think it would help for each complainant to explain which threat(s) they worry about:

    • social engineering to get you to reveal a one-time code (if you're aware enough to think this is a problem, surely you wouldn't actually fall for it?)
    • phishing spam (ditto)
    • other spam (annoying, but not actually a security threat)
    • forging UMTS cellular registration (unless you're roaming, or turned off, an attacker would have to be in your "home area" to have a chance of pre-empting you).
    • identity linkage because a phone number is a proxy for a global unique personal identifier (but so is your email unless you're really careful about not re-using email addresses)
    • other?

    And also to consider which threats are lessened by having any 2FA:

    • impersonation
    • identity theft
    • theft or expropriation of money or resources

     

    -2
  • Jürgen Nagler-Ihlein
    • Edited

    Pterodaxyl, it may be okay to discuss GDPR and security related things in this thread but actually it's not the main topic which clearly explains the bigger issue behind only allowing mobile phone text messages as 2nd factor. And you may read https://support.discord.com/hc/en-us/community/posts/360059459511-Mobile-phone-required-discord-no-thanks to understand this is not new but it seems right now more and more get affected having accounts for a longer time already. In two years time Discord seem to having ignored the fact a mobile number is not only a 2nd but also a limiting factor for the users and that is a long time. The only reason I can see is they strictly want to collect specifically the mobile numbers for whatever reason. I doubt the security feature was their main focus.

    6
  • Pterodaxyl
    • Edited

    Jürgen that's a fair point; the concerns addressed in the headline article are entirely valid. However I'm concerned that they're being misunderstood by many contributors, and a call for a campaign of mass complaints about supposed GDPR non-compliance on the basis of the headline of this article is really unhelpful. There may be other valid reasons to submit GDPR complaints, such as failure to provide GDPR-mandated responses to PI queries, but just their requiring phone numbers isn't one.

    There are several valid reasons why this choice by Discord is poor, but unqualified claims along the lines of "adding SMS makes my security worse" and "this is a violation of the GDPR" are not helpful. (There may well be cases where those claims are true, but not in the ways that the contributors making those claims seem to think.)

    You have a valid concern that collecting phone numbers amounts to collecting a pre-established "universal ID", which the GDPR would certainly treat as "information about an identifiable individual". More gravely, forbidding sharing of phone numbers between accounts - and thus between people - is extremely problematic.

    On the flip side, the suggestion that Discord is selling PI (and thus flaunting just about every every privacy law on the planet) is insanely wild. Much more likely is that they're simply spending the least money possible to comply with a requirement to apply 2FA to all user accounts. If it happens to create an internal asset that increases their share price, that's a bonus.

    -2
  • nattycat

    Such a great post!!!  It's so ridiculous of Discord to require you provide your phone number.  I have numerous friends who cannot get an account here because they won't share their phone number.  It's so silly.  This site is for social hangouts and gaming.  Don't take it so seriously.  Email verification should be more than enough.  Now we're back to Google Hangouts since not everyone can get on here.  I hope Discord realizes that this new policy of needing a phone number is excluding a lot of otherwise would be users!

    6
  • Lminith

    Pterodaxyl
    "a call for a campaign of mass complaints about GDPR non-compliance is really unhelpful"

    Unhelpful to ask GDPR to investigate a company that acts suspiciously regarding user data? By then there were several suspicions to warrant serious investigations.

    To add some details:
    One month ago I asked privacy@discord.com for details about the demand of adding a phone number which I was concerned about and I also requested Discord to give me the the information they have on my user and account. One month has passed there was no reply whatsoever.
    This is a violation of GDPR and people need to do something about it.

    After all this can you really believe Discord is caring for your security and not into making profit from selling your username along with the email and phone number?

    3
  • HypnoticHydronic

    Yesterday I had the EXACT same problem, I've had my account for 3 whole years and now I am hard locked out of it, I don't even think you can register a phone number when you are locked out, and I lost all my friends on it, and it sucks

    5
  • he1senb3rg

    I just had the same problem after 2 years on this platform. I contacted the support team and was told they won't remove the requirement for my phone number to be added even after I told them that I'm concerned that the account May have been hacked. So I added the phone number and got locked out of the account again within three first minute of signing in

    Contacted support again and was told I'll have too wait for the timeout to expire to use this phone to register "another" account even after I clearly started that this was the only account I ever had. They didn't even bother reading my emails and just replied with canned responses. What a joke

    5
  • DavidDavidson

    This happened to me in the middle of playing second extinction, which is currently in EA and crashes frequently.
    I could still interact in voice chat but had the big "GIVE ME MORE PERSONAL DETAILS" window open.

    This stuff would have never flew back when XFire was the big gaming & chat app. We are being strong armed into giving away more and more personal details (which no doubt will probably be sold onto a third party, I already get about 5-10 calls a week from scammers who know my 'name' and usually try to get more details or me to buy into 'life insurance' 'crypto stocks' and so on.

    I figured discord was a good, reputable and neutral platform. Though when I learned that as Discord a platform has Aimee Knight, a disgraced UK politician who apparently 'never noticed' her father's fritzl dungeon in the attic as a paid mod makes it unsurprising that they want as much data on people as possible.

    Why was my account flagged? Probably because I kept leaving and joining a game that is in early access and is NOTORIOUS for crashing at least once an hour which probably upsets the discord servers.

    There are alternatives to phone numbers discord. Use them.

    5
  • Markmallow

    I guess this is similar to my situation. I have two teenage kids with Discord. One just said he needed to log in to Discord and needed my phone number to do so. I thought I had used my phone for 2FA for all of us, but apparently not. It's now locked to my one son's account, and I can't add it back to my own account.

    It never said why it required phone number though but wouldn't let him log in until I provided it.

    When I entered my phone, it said nothing about how it would remove association with all other accounts, or even asked to verify from the other account that it was taking the phone number from. It just did it. Poof.

    So now if my account or my other son's account randomly requires a phone number we'll be locked out.

    I've paid for Nitro for the last few years for my account, and as a gift for them for the last two years. This is the thanks I get. Gee, wonderful.

    10
  • monkeytroy

    Yea, time to switch to a new chat service.. my kids dont have phones but we game and chat with family over discord till they forced a phone.  If you guys were going to do that you should have considered these situations... like having a family group under my phone or something.   

    Going back to TeamSpeak or looking for next alternative.  

    9
  • Mickey Haller

    Same, this crap happened to me now and I'm perma-locked out of this account except on here apparently. I don't have a personal phone number nor the ability to easily acquire one, and after having my account for more than 5 years, I'm just stuck unable to access it. I reached out to support and they sent me some canned response about how they couldn't remove the requirement on my account, despite the fact I was even emailing them from the email address registered on the Discord account. I think their Support team may just be fast-forwarding through scripts and don't actually care about helping people. I guess I'm moving to TeamSpeak or Teams as well, and recommending to friends to do the same.

    7
  • 𝓑𝓪𝓲𝓴𝓮𝓷 -【梅喧】

    An clear violation of privacy, i'm currently going through an situation where multiple people want now to find/harass me due to past issues in discord, And i don't want to delete this account, I just want to log off and then abandon it, but there comes the phone verification issue, when i tried to verify an account with other numbers (Those two numbers were CLEAN), since i didn't do anything against TOS in the accounts with them, Discord randomly banned these accounts with their non-sense.

    And now i'm just only able to stay stuck to this account, exposed, and i'm not sure how long i'll last changing my name and changing my server's picture, description, name or making an new server each time to avoid those people, Discord, it's about time you fix your garbage, People are getting stressed and having various risks, we should make an change.org petition to tell them to fix this garbage and fix up their verification/robo-hamster system, I'm horribly tired of this garbage, Discord, better fix up your garbage or else, roleplayers will have to find an new platform to RP in, if anyone agrees with me, good, I understand everyone in here.

    6
  • ThatGuyFire

    I recently had my account disabled to a TOS violation which I dont regret the violation honestly but do Disabled accounts eventually delete? Because my only phone number is on my disabled account and I was recently locked out of my NEW account to recover my discord

    3
  • mrhavercamp

    Entering in a phone number is a ridiculous security feature and just increases the surface attack area. This is even more ridiculous for something as innocuous as Discord which is simply providing a bunch of discussion channels.

    There is a pushback going on against big tech for exactly this kind of thing with droves moving to decentralized platforms. If Discord wants to stay relevant I would recommend they remove this "security" requirement.

    4
  • GoldenRobot

    This is completely Unconscionable.
    Regular use of Discord causes "Verification Needed" bot flags & when contacting Support the response I got was "the bot flagged successfully".
    Obviously, as we're discussing it. However, Successfully does not mean Correctly.
    Considering the malfunctioning security protocol that leads to this situation, I don't feel at all comfortable sharing my phone number, or any identifiable information for that matter, with Discord.

    2
  • Joshybou
    • Edited

    I am greatly confused
    As I am just chatting through servers I get locked out but not permanently it says that I need to verify my phone number it already set the country for +1 then I add my phone number to verify and nothing happened it doesn't send me links or saying this is wrong or to try again it just sits their I try my other number I never used for account and it shows the same thing this happened before it doesn't allow me to use my phone number like as if the next button is broken.
    I'm not happy with the fact I just finished building a server for my friends that took 2 days of testing out.

    2
  • Ὀδυσσεὺς, ἦλθεν εἰς τὴν Ἰθάκην

    I must complain about this same issue, I was watching my account setting and I noticed my phone number was in there when I can't remember any time I gave out my number (could have done but definitely doesn't look like something I'd do). My phone, after years of sheer loyalty since 2016, had broke time ago so I decided to eliminate the phone number from the account. Suddenly, Discord logs me out and asks me to verify through a phone that I don't have. Glad I can still talk to some friends through Steam, but I've just lost contact with many others.

    2
  • LordJusticeFace

    I am hear to also state my grievances with the phone verification issue, of which I am at 3 months with no resolution. I find it very frustrating that this issue is still a problem. After looking around online, many other users do not understand why they are forced to deal with phone verification. 

    2
  • Domas Al

    God, more than a year, and still I have this problem. Has nothing come of this? Surely I am dealing with a one-off problem?

    2
  • LordJusticeFace

    It be like that, don't it? Legit accounts get locked out, while bot accounts still spam on every server.

    2
  • bacon456

    This system is terrible

    2
  • glendor

    discord sent me a premium text i have to pay for . F discord

    1
  • Ron

    Discord absolutely DOES NOT need to access your phone number for any reason.  The only reason they are doing it is because, like any other corporation that demands a phone number, they make more money grouping your info with a phone number when they sell it.  This change is ridiculous and people should not stand for it.

    1

Please sign in to leave a comment.