Two-factor auth receiving codes on email/sms

Comments

18 comments

  • Draco
    That's basically E-mail verification when you login in a new location
    0
  • mesub
    It would defeat the purpose of 2FA
    -6
  • Ness
    I don't think that would be a good idea 🤔
    -4
  • Kenai

    Discord is the only company I know about that doesn’t have this.

    2
  • Apparently my post about the same subject has been merged with this one so I'm just gonna leave my full opinion here as well.

    With the recent "threat" of the July 27th Discord Attack I believe we could use the option to authenticate via E-mail, even if they aren't serious or it's nothing to be too concerned about. Considering not all members actually have mobile devices to use these apps (yes, not everyone has a phone/tablet/etc. to defend their accounts), authentication apps are not downloadable on PC, at least not the reputable ones that I'd trust (i.e. Google/Microsoft/Authy) (Authy actually does have a desktop app but still REQUIRES a mobile phone number). I've got a few friends who are worried but can't put two-factor on their accounts due to a lack of a mobile device that can run an authenticator.

    If we could have an e-mail authentication option, that would resolve the need for an authentication app for some users and should still remain very secure as long as the user's e-mail & Discord passwords are different, which should be common sense. Additionally, even if you can set up an authentication app, they can easily result in the loss of an account should you lose/break your mobile device or uninstall without disabling authentication first. Meanwhile, your e-mail would still be available even if your mobile device was broken/lost and you could still access Discord somewhere else.

    Additionally, E-mail authentication could be implemented as a mandatory part of all Discord accounts, unless another form of 2FA was in use instead; then it should in theory solve many future security risks.

    If you agree with this idea please give it an up-vote, share a link to this page with your friends & Discord servers, and give any feedback so we can convince Discord to implement this feature.

    7
  • @mesub
    No, it's another option of 2FA for those who don't want to/can't use a 2FA app.

    @Ness
    I truly believe we could only benefit from an E-mail 2FA option. Assuming the user has common sense to use different passwords on their Discord & E-mail this is a great option for extra security.

    0
  • @Draco
    A friend actually pointed out last night that there is a requirement to E-mail verify when you log in from a new device/location, but I have NEVER had to do this in any of my log-in attempts from multiple devices since I joined Discord. I still think we need an E-mail 2FA system any time you log in, whenever you try to make a major change, or view your most private info on Discord. Not just for new sign-in locations/devices, and seeing as how I've never received a verification E-mail, it may not currently be a reliable means to protect accounts at this time, and I still believe we need a full 2 Factor Authentication E-mail option.

    0
  • Dany-LF
    I don't think that's good for security reasons
    -4
  • Echowolf97

    An emailed method shouldn't be an issue if you have personally set up the email to 2FA with. Any further issue is at the hands of the account owner. For example my login is email1@g.com so I set up my 2FA with email2@g.com to protect the account.

    0
  • Asthetic

    Email/SMS isn't 2FA. Email/SMS is just another knowledge factor; it's basically like having two passwords for one account instead of one. The second factor is a possession factor: you need to have something to prove who you are, such as a phone with a 2FA app or a Yubikey, etc.

    The problem with SMS/Email is that if that account can be compromised, then the Discord account can be as well. Discord has to act as if all email addresses are compromised because they cannot prove that they aren't. By using a 2FA app, Discord controls the auth flow and can prove that you've entered your password and your 2FA code.

    https://searchsecurity.techtarget.com/definition/authentication-factor

    Edit:

    Another reason why this is a bad idea is because it makes users think their accounts are safe when they are not.

    There have been news stories of people "SIM hijacking" people in order to get their SMS authentication text messages. Using this people were able to steal millions of dollars from people's bank accounts. Not to mention that emails and SMS messages can be intercepted unless encrypted.

    1
  • [GSCH] Jairone

    Remains a problem, Discord.  This remains a problem.

    There's got to be a better way than just pushing it all to phone stuff, for those who either can't, or won't, use phones in that manner.

    Any serious attempt to break in will look for a linked phone, and there are programs to manipulate remotely, use remotely, or intercept data with phones.  Even without a linked phone, a person with intent and enough knowledge to bother will be able to find a phone number through other means.

    The simple truth is that phones aren't really any more secure than just an email check.  The only thing even close to secure is a physical device, but those too have potential security issues.

    As such, please allow other options for those who are unhappy with the current setup.

    1
  • ⛥Marianne von Aegir⛥

    This needs to become a thing, pronto

    Personally I'd rather 2FA not exist at all, but if it has to exist, then options are needed for those without a compatible mobile device. My phone is not a smartphone. It doesn't even run the Internet, never mind downloading apps, so do I look like I can enable 2FA in its current mobile-only state? No. Didn't think so

    "But wait," you say, "why do you care about enabling 2FA if you hate it?"

    Because, Karen, one of the server owners for a server I moderate decided to enable server-wide 2FA, meaning that unless your account has 2FA, your mod powers are gone without the assistance of a moderation bot. Apparently the owner doesn't even trust their own staff, a handpicked bunch that has to meet certain criteria to even be considered. So unless a mobile-less 2FA option is implemented, I literally cannot do my job as a server moderator without having to fall back on moderation bots. Now imagine when the bots go down. Then I'm completely screwed because I cannot do my job. So guess what? I have no choice.

    Me? Salty? Salty doesn't even begin to cover it

    0
  • Asthetic

    https://support.discord.com/hc/en-us/community/posts/360047805091/comments/360012450452

    No, that's not how 2FA works. The best they could do for you is support Yubikey which you'd have to go spend $20+ on depending on which one it supports.

    Email/SMS are not 2FA by definition. It literally isn't 2FA, they're mutually exclusive. If you want to see stories of why it isn't a 2FA substitute go look up "sim swap", 2FA prevents these types of attack because you need the physical object (similar to a key) as well as your normal account password in order to gain access (the physical object is the SECOND FACTOR in two factor auth). So an attacker couldn't just steal your password and email/sim swap your phone and have access to your account because the key is in your phone's storage. 

    They could add another option for email/sms auth which is separate from 2FA, but you'd likely still have less privileges on some servers because the security of your account is lesser than those with 2FA.

    I'm not saying "you hate 2FA", I'm just telling you, from the standpoint of a software engineer, why what you want is technologically impossible, because the very thing you want violates the definition of 2FA.

    Added some bold for some people who'll "tldr".
    I wish this forum had some sort of "upvotes float to the top" or "select best answer" similar to Stack Overflow so my answers could be at the top to inform people why it's not really possible.

    0
  • Kenai

    They have a way to receive Auth codes over SMS now, that is all they needed to add - because you can lose your phone and need to set up a new auth app.

    Another thing "2FA" isn't about trusting the end-user, it's about preventing a compromised account from doing damage to a community.

    If you don't have a smartphone just use Authy, the desktop client works fine.

    -1
  • Asthetic

    That's incorrect, companies offer SMS verification and incorrectly call it 2FA. My bank does this and it's not actually 2FA. There are other problems other than sim swapping as well. It's possible for SMS messages to be intercepted. It's not as secure as you probably think it is.


    The reason why they do this is because it's easier/cheaper. Imagine all of the support they'd need to offer if someone lost/damaged their phone. Now they somehow need to verify identity to remove the 2FA device. There are recent stories of people having their sim cards "stolen" (generally just call up your mobile provider and ask for a new one) and losing all of the money in their bank/investment accounts.

    0
  • SuperJedi224

    If you're going to have servers requiring people to use 2FA for "server discovery" reasons the ability to receive the codes by email seriously needs to be a thing

    0
  • [GSCH] Jairone

    Asthetic:

    There are multiple attack vectors KNOWN to compromise 2FA that is not email/sms based.  That is to say, your phone having the code STILL isn't secure.

    Any device that is able to be connected to in general is not a secure 2FA.  It's honestly that simple.  Thus why any expert worth their weight noted that a physical device that is only on/off when the actual user is verifying is the only reasonable secure method.

    Phones are popular anymore.  There's a ton of malware for them, along with the ability to remote takeover and every other issue a computer faces.  Most users have the devices linked in some way, or are using their phones for Discord (actually, phone use for Discord is insanely high, so most likely the majority of people are in trouble with their device being linked already).  You think SMS and Email aren't secure?  Guess what, neither is that phone that they are using for 2FA.  There are plenty of stories of issues there as well.

    This is the problem that people have... they are trying to be secure, but when the people with ill intent have the tools to bypass the idea of a step up in difficulty it is neither secure, nor convenient.  When you have neither, you have made it inconvenient for no reason.  That's not going to make anyone happy, unless they are ignorant of the lack of security.

    Your information would have been more correct a couple years ago.  Since then phone takeover attacks, malware and direct, are a much bigger problem.  There isn't any reason to consider them safer anymore.

    1
  • Asthetic

    [GSCH] Jairone:

    That's somewhat inaccurate. Security isn't about a silver bullet; there is none. It's about making an attempt to unlawfully access an account/server/etc. as difficult as possible in order to be prohibitive for the potential bad actor. 2FA doesn't make it impossible to steal an account; there are workarounds such as a MITM (if Discord doesn't take precautionary steps). One of the most effective ways is "Social Engineering", where an attacker contacts support in order to get a 2FA device removed from an account.

    The thing is that 2FA makes accessing an account exponentially more difficult as the attacker needs to not only get your password, but needs to specifically target you to get your 2FA code AND access the account before the 2FA code expires (although easy w/ automation). 

    Your claim that 2FA isn't more secure is inaccurate. Every security expert suggests using a 2FA device, none will tell you not to, but the user still has to be careful not to click suspicious links or get malware etc.

    Your claims are not only inaccurate, but harmful to the normal person who may not have knowledge in this space. Every person should use 2FA as an additional security layer wherever possible and understand that email and SMS are not 2FA.

    I'd like to know what your credentials are to be giving your opinion on this matter, I've got a BA in Computer Science, 5 years industry experience working in Software Engineering, and an interest in InfoSec which has exposed me to a variety of articles and best practices.

    1
