Add support for webauthn authentication, Yubikeys and the like
Webauthn is soon here, and with it comes a passwordless future. The new FIDO2 standard alongside other hardware backed authenticators are replacing the old FIDO U2F that only had bindings in Google Chrome, promising great interoperability.
Please add support for FIDO2 authenticators for use with two factor authentication. The obvious way to implement webauthn in Discord would be by allowing users to add their tokens as a second authentication factor.
Currently there are only a few FIDO2 authenticators on the market, including the Yubico Security Key and the Yubikey 5 Series. It also seems that Touch ID and Face ID can be used with Webauthn on Apple devices. As the market develops, the higher assurance provided by webauthn can be utilised in more depth.
edit on 7.3.2019:
Google with the FIDO Alliance recently announced that Android from 7.0 upwards will become 'FIDO Certified' through a Play Services update. This means that many, many devices' fingerprint sensors can soon be used for Webauthn authentication. The update also brings support for external authenticators, where applicable.
I agree, it's the future of 2FA and even passwords in general. Discord should be ready.
Yes please. Much more secure than TOTP/Google 2FA/SMS authentication, and many people have Yubikeys now.
Yes please! (Just support USB please)
This! Using a U2F key is so much quicker and in most ways more secure than using texts or an Authenticator app, would love this! Not enough sites have it...
And have an option for passwordless login if you have a security key.
It would be just awesome to see U2F on Discord!!
Thanks for your comments.
I really hope Discord listens to this.
My hope is to be rid of 6-digit code entry by the end of 2019.
+1, webauthn makes this much simpler than it used to be, and much more secure; Yubico has lots of documentation on how it works.
Yup, adding FIDO U2F will increase security as well as speed (instead of accessing your phone every time you authorize, you click a button), but the downside is that it does not support mobile devices, so modifying it to email-based verification would be better than using the phone, as people cannot always access their phone, which can be frustrating (like me).
* Yes, this is a recommended 2-Factor Authentication to be implemented, as well as adding the email verification code (mobile can be kept or removed as it doesn't really matter, since more users have access to email than to a mobile phone (as it's free ofc and doesn't need a phone bill xD)).
YES!!! I'd love U2F access.
I updated the post to reflect the recent announcement made by the FIDO Alliance.
Just again had to search for the mobile, open the authenticator app, search for Discord, read the code off the screen and enter it ... it's boring, and additionally all those TOTP things are also phishable.
So yes please support FIDO U2F and FIDO2 webauthn 2FA and passwordless.
I have plenty of security keys for that: Yubikey 4 (3), Yubikey 5 NFC (2), a Yubikey Neo and a FEITIAN BioPass FIDO2. I've been ready for years and already use them everywhere I can; unfortunately Discord still uses boring and phishable Stone Age 2FA and even SMS 2FA, which was deprecated years ago and shouldn't be used anymore.
Also, for the ones saying it doesn't work on mobiles: that's wrong, and that's why I have a Yubikey Neo and Yubikey 5 NFCs, as they are both NFC capable for use with mobiles. On mobiles you simply swipe the security key over the phone instead of touching the button.
It's even better for the user.
Authentication with tokens has been available in countries like France since the 1990s, for popular services like:
- Banking (at shops and ATMs - chip and PIN was introduced in 1995)
- pre-internet Minitels (you could authenticate yourself on remote services, record contacts, and pay with your actual debit card, on later versions).
- GSM networks (thanks to SIM cards)
Here is what I bought as a cheap RPI terminal (a Minitel featuring a chip card reader):
Banks and France Telecom were successful at teaching 1990s society how to use them, and these services became ubiquitous.
Also, I didn't live in that period, but I've never seen elderly people or pre-millennials complain about how hard or unsafe it is to use a SIM card or an EMV debit card.
On the other side, everyone complains about password requirements; IT guys keep blaming users for phishing, even though better technologies exist to log in (like the ones mentioned above), emails could be signed (with GPG, DKIM, ...) and webmails could check these signatures, ...
When it comes to internet services, it's as if there were an oak in the middle of the road. It was there first, so let's not change anything. If you crash into it, you're at fault for having bad driving habits.
When can I finally register one or more of my security keys in Discord?
Because every time I need to search for my phone, open that silly app, search for the code, read and remember it and then enter it in Discord, I think to myself how sweet it would be if I only had to touch my Yubikey Nano that is always plugged into my notebook.
We need this. Some arguments for it here: https://blog.trezor.io/why-you-should-never-use-google-authenticator-again-e166d09d4324
@ligi What they forgot to tell you there is what happens if your mobile blows up, like my Samsung, where the battery expanded, then exploded and took everything with it.
Here's a hint: if you didn't save screenshots of all QR codes on your HDD or so, you're SOL.
Luckily I took screenshots of all QR codes, but you know, if I need to take screenshots of QR codes that contain the shared secret because there's no backup function, and I could lose all 2FAs in such a battery blow-up event, then something is wrong anyway.
The shared secret database could also be stolen from the mobile itself by malicious apps, or from the company's server like they said, and in my case even from my HDD because I'm forced to save screenshots of the QR codes in case of emergency.
SMS and TOTP 2FA is dead, long live FIDO U2F/FIDO2 webauthn.
I would like to second the Yubikey support; as someone who is trying to tighten up their security, having this as a feature would be huge. I would go with the NFC 5 as a starting point, but more keys would be great. If the Epic Games Store has this as a feature, surely we can ask for it for Discord.
Unfortunately the Epic Games Store also still has Stone Age 2FA, just like Discord.
Here's a picture of the options I just took:
They only have TOTP and even worse Email-2FA!
It's also, btw, the reason why I personally didn't enter any PII and also won't register any CC there. The same is also valid for Humble Bundle: I won't register any CC for Humble Monthly till they support at least FIDO U2F. I already requested it there 2 years ago and they replied that they would add it soon; well, it seems that their concept of "soon" deviates strongly from mine.
+1 for adding support. Just bought my Yubikey 5, makes logging in convenient and secure. There's plenty of documentation on how to add support as well.
I created this suggestion over a year ago, and since then the market for physical FIDO2 compatible security keys has matured considerably.
Yubico now offers a wide range of keys with different connectivity. Other vendors, such as Feitian, the open source-centric Nitrokey and Google Titan have also joined in on providing webauthn compatible hardware keys.
Similarly the support for USB and NFC based keys is now very good. Whether you're using Windows, Linux or macOS, all of the major browsers offer full support for webauthn out of the box.
On Android, Chrome and Firefox support these keys through the Google Play services API, and iOS and iPadOS also provide a native API.
During this time Discord has introduced convenient login with mobile; even though the user isn't required to input a password at login, for the time being every account does have a password associated, and login without the mobile device remains a possibility.
Discord has also not indicated any plans to move away from the vulnerable SMS-based, or the more secure but less convenient TOTP-based, second factor.
The market has now answered many of my original questions. Now is a good time to start thinking of passwordless login and the use of hardware embedded authenticators.
100% agree - I would love to force the need for my security key in order to login. I'm hoping this starts becoming standard.
Discord, update us on this. Give the users what they want, which in this case is also what they need!
This would be very epic.
still alive in 2020
This really would be awesome and make my accounts more secure.
Can we please get hardware security support?
With 2FA now required for Moderators of servers listed as Public, now is as great a time as any to implement this.
Excellent, WebAuthn support is no longer the future, it's been here for a while now :)
Chrome, Firefox and Safari support it. You can use physical tokens (of which there are tons that support either FIDO2 or U2F), Windows Hello, or Touch ID. Chrome has testing (WebDriver) support for it.
Supporting passwordless login would be the cherry on top, but 2FA is a good place to start. Electron also should support it on recent versions.