Add 2FA field for QR logging and toggle for feature

Comments

3 comments

  • hp

    This is a serious issue. I agree with all points made in this.

    0
  • js.dev

    I was about to make the suggestions above but you hit the nail on the head. I was surprised to see that the QR code circumvents 2FA. If someone has 2FA on, making them enter it on the device being logged into (e.g. the desktop) prevents remote attacks, which is the issue here. If someone has the 2FA device then w/e, but someone not in possession of the 2FA device has no business accessing the account. And having the toggle with it defaulted to "off" means that people have the option to use the QR code system, but that the ones who don't know anything about it aren't ready to be exploited. Heck, if you must, then allow the toggling of 2FA override as well, with big blaring alarms when someone goes to turn it on; just don't default the system to its less secure state.

    A button with some text is a start, but it's not the solution. It's easy for us who are more knowledgeable and vigilant to say "RTFM", but at the end of the day this is about us developers creating a system that encourages user success and not allowing ignorance to be easily exploited. Not everyone on Discord is tech-savvy, and heck maybe not even a lot use 2FA. But for those of us that do, we expect that prompt to stop us in our tracks when we're about to shoot ourselves in the foot, at least when we're about to log into our account no matter who, what, when, where, or why. Convenience at the price of security should be an exception, not a rule.

    3
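The flow js.dev describes above, as an added example that is not part of the original thread and not Discord's code: a QR login is a three-step state machine in which the phone's scan only *binds* the pending login to an account, and a session is issued on the new device only after that device itself presents a valid TOTP code, unless the account has explicitly opted in to a skip toggle whose default is off. The service, account and toggle names are assumptions made for illustration; the TOTP routine is plain RFC 6238 over HMAC-SHA1, and the secret and accounts are constructed test data.

```python
"""QR-code login that keeps 2FA on the device being logged into (illustrative, not Discord's code)."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; the authenticator app and the server both compute this."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp_matches(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Accept the current step and the previous one to tolerate small clock drift."""
    return any(hmac.compare_digest(totp(secret, now - d * step), code) for d in (0, 1))


@dataclass
class Account:
    user_id: str
    totp_secret: Optional[bytes]          # None means 2FA is not enabled on the account
    qr_login_skips_2fa: bool = False      # assumed opt-in toggle; default is the secure state


@dataclass
class QrLogin:
    token: str                            # payload shown as the QR code on the new device
    approved_by: Optional[str] = None     # user_id of the phone that scanned it


class LoginService:
    """Assumed server-side component; three steps, only the last one issues a session."""

    def __init__(self) -> None:
        self._pending: Dict[str, QrLogin] = {}

    def start_qr_login(self) -> QrLogin:
        """Step 1, new device: create a pending login and display its token as a QR code."""
        login = QrLogin(token=secrets.token_urlsafe(32))
        self._pending[login.token] = login
        return login

    def approve_from_phone(self, token: str, account: Account) -> bool:
        """Step 2, phone: scanning binds the pending login to this account.
        This is the step an attacker can social-engineer, so it must not issue a session."""
        login = self._pending.get(token)
        if login is None or login.approved_by is not None:
            return False
        login.approved_by = account.user_id
        return True

    def finish_on_new_device(self, token: str, account: Account, now: int,
                             totp_code: Optional[str] = None) -> Optional[str]:
        """Step 3, new device: issue a session only when 2FA is satisfied *there*."""
        login = self._pending.get(token)
        if login is None or login.approved_by != account.user_id:
            return None
        needs_second_factor = account.totp_secret is not None and not account.qr_login_skips_2fa
        if needs_second_factor:
            if totp_code is None or not totp_matches(account.totp_secret, totp_code, now):
                return None               # phone approval alone is not enough
        del self._pending[token]          # token is single-use
        return secrets.token_urlsafe(32)  # the session the new device may now hold


def demo(now: int) -> Dict[str, bool]:
    """Run the flow against constructed accounts and report which outcomes occurred."""
    svc = LoginService()
    secret = b"12345678901234567890"      # constructed test secret (RFC 6238 test vector), not a real key
    alice = Account("alice", totp_secret=secret)                        # 2FA on, toggle off (default)
    bob = Account("bob", totp_secret=secret, qr_login_skips_2fa=True)   # explicitly opted out
    carol = Account("carol", totp_secret=None)                          # never enabled 2FA
    results: Dict[str, bool] = {}

    login = svc.start_qr_login()
    svc.approve_from_phone(login.token, alice)
    results["approval_alone_blocked"] = svc.finish_on_new_device(login.token, alice, now) is None
    results["wrong_code_blocked"] = svc.finish_on_new_device(login.token, alice, now, "abcdef") is None
    results["correct_code_accepted"] = svc.finish_on_new_device(login.token, alice, now, totp(secret, now)) is not None
    results["token_single_use"] = svc.finish_on_new_device(login.token, alice, now, totp(secret, now)) is None

    login = svc.start_qr_login()
    svc.approve_from_phone(login.token, bob)
    results["toggle_skips_prompt"] = svc.finish_on_new_device(login.token, bob, now) is not None

    login = svc.start_qr_login()
    svc.approve_from_phone(login.token, carol)
    results["no_2fa_no_prompt"] = svc.finish_on_new_device(login.token, carol, now) is not None
    return results


if __name__ == "__main__":
    for outcome, ok in demo(1_700_000_000).items():
        print(f"{outcome}: {ok}")
```

The point of the split is that the only step an attacker can coax a victim into (scanning the code) never produces a session on its own; the second factor is collected on the device that will actually hold the session, so the victim's phone cannot be turned into a remote approval button.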
  • xan517

    I agree with all the above. This was a cool improvement without proper planning of implementation. Now we are left with a question of trust, in both the ones who exploit the system and the ones who make the system. If nothing but a prompt to start, please make this feature more secure. Many people are spreading the word, but there are those who do not know the risk. New users to Discord can be at risk and subsequently not continue using the service.

    Sadly there are a great number of hackers and exploiters on the platform, but they only have power through social engineering and exploits. Discord has been great at keeping the large threats at bay, but the little fish have a much easier time abusing the platform while a major exploit is unpatched.

    I think it is not only the duty of Discord but also in Discord's best interest to patch this, and patch it quickly, before the damage to both business and users is able to grow.

    0