Add 2FA field for QR logging and toggle for feature
Currently, when logging in using a QR code, Discord will just show a warning on screen and ask if you are sure, even if you have 2FA enabled on the account. Sadly this causes a gaping security issue that can be exploited by social engineering (making the user scan the code and accept it). Adding a requirement for the 2FA code **in a field on the PC** would solve that issue, as most people have the common sense to know that sending those codes to a 3rd party is usually not a smart idea. Another useful feature would be a toggle to enable QR login in User Settings (confirmable by 2FA due to the obvious security risks related to that), which by default would be turned off.
This is a serious issue. I agree with all points made in this.
I was about to make the suggestions above but you hit the nail on the head. I was surprised to see that the QR code circumvents 2FA. If someone has 2FA on, making them enter it on the device being logged into (e.g. the desktop) prevents remote attacks, which is the issue here. If someone has the 2FA device then w/e, but someone not in possession of the 2FA device has no business accessing the account. And having the toggle with it defaulted to "off" means that people have the option to use the QR code system, but that the ones who don't know anything about it aren't ready to be exploited. Heck, if you must, then allow the toggling of 2FA override as well with big blaring alarms when someone goes to turn it on; just don't default the system to its less secure state.
A button with some text is a start, but it's not the solution. It's easy for us who are more knowledgeable and vigilant to say "RTFM", but at the end of the day this is about us developers creating a system that encourages user success and does not allow ignorance to be easily exploited. Not everyone on Discord is tech-savvy, and heck, maybe not even a lot use 2FA. But for those of us that do, we expect that prompt to stop us in our tracks when we're about to shoot ourselves in the foot, at least when we're about to log into our account, no matter who, what, when, where, or why. Convenience at the price of security should be an exception, not a rule.
I agree with all the above. This was a cool improvement without proper planning of implementation. Now we are left with a question of trust, to both the ones who exploit the system and the ones who make the system. If nothing but a prompt to start, please make this feature more secure. Many people are spreading the word but there are those who do not know the risk. New users to Discord can be at risk and sequentially not continue using the service.
Sadly there are a great number of hackers and exploiters on the platform who only have power through social engineering and exploits. Discord has been great at keeping the large threats at bay, but the little fish have a much easier time abusing the platform while a major exploit is unpatched.
I think it is not only the duty of Discord but is in Discord's best interest to patch this, and patch it quickly, before the damage to both business and users is able to grow.