Change how backup codes are handled.
Problem:
- If you click a phishing link & type in your username and password (as many have done on Discord judging by the increased reports), they also have your token.
- Viewing your backup codes requires a password. They have now bypassed 2FA due to having your token. They can also turn off your 2FA by viewing the backup codes and just copying one into the disable 2FA box. Now they have full control of your account, which means they can change your email, re-roll your backup codes, remove your authentication for SMS and make it their own.
Solution:
- TLDR: Don't put the key with the chest, i.e. remove the view backup codes button & email the backup codes once, or protect your backup codes with 2FA as well.
- Solves the problem if someone compromises your account; they won't be able to fully take control...
Before you go straight to the comments and attempt to murder me with your 6 years of pent-up aggression, I find the way codes are currently handled as pretty much anti-security. Users getting phished in more ways than one now have to deal with this..
It would lower the amount of support emails Discord has to browse through and actually allow the Staff to not be swamped.
-
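To make the suggestion concrete, here is an added example (not Discord's code, and not from the original post) of a step-up check for sensitive account actions. It models the two designs the post contrasts: the current one, where a valid session token plus the password unlocks viewing or regenerating backup codes and disabling 2FA, and the proposed one, where those actions additionally require a second factor verified within a short window. The `Account`, `Session`, `authorize_current`, `authorize_step_up` names, the `STEP_UP_WINDOW` value and the toy SHA-256 hashing are assumptions for illustration; the TOTP routine follows RFC 6238.

```python
"""Step-up 2FA gate for sensitive account actions (added example, hypothetical API)."""
import hashlib
import hmac
import struct
from typing import Optional

# Actions that should need a fresh second factor, not just a valid session token + password.
SENSITIVE_ACTIONS = {"view_backup_codes", "regenerate_backup_codes", "disable_2fa", "change_email"}
STEP_UP_WINDOW = 300  # seconds a second-factor verification stays "fresh" (assumed value)


def hash_secret(value: str) -> str:
    # Toy hashing for the example; a real service would use a password KDF (argon2/bcrypt).
    return hashlib.sha256(value.encode()).hexdigest()


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation, zero-padded digits."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


class Account:
    def __init__(self, password: str, totp_secret: bytes, backup_codes: list):
        self.password_hash = hash_secret(password)
        self.totp_secret = totp_secret
        # Backup codes are stored hashed and are single-use; they are never shown or
        # regenerated without a fresh second factor (the change the post asks for).
        self.backup_code_hashes = {hash_secret(c) for c in backup_codes}


class Session:
    """A logged-in session ("token"). Whoever holds the token holds everything stored here."""
    def __init__(self, account: Account, now: int):
        self.account = account
        self.second_factor_verified_at = now  # verified at login; goes stale afterwards


def verify_second_factor(account: Account, code: str, now: int) -> bool:
    """Accept the current TOTP code or one unused backup code (which is then consumed)."""
    if hmac.compare_digest(code, totp(account.totp_secret, now)):
        return True
    code_hash = hash_secret(code)
    if code_hash in account.backup_code_hashes:
        account.backup_code_hashes.discard(code_hash)  # single use
        return True
    return False


def authorize_current(session: Session, action: str, password: str) -> bool:
    """The model the post describes: a valid token plus the password unlocks every action."""
    return hmac.compare_digest(hash_secret(password), session.account.password_hash)


def authorize_step_up(session: Session, action: str, password: str,
                      second_factor: Optional[str], now: int) -> bool:
    """Proposed model: sensitive actions also need a second factor verified within STEP_UP_WINDOW."""
    if not hmac.compare_digest(hash_secret(password), session.account.password_hash):
        return False
    if action not in SENSITIVE_ACTIONS:
        return True
    if now - session.second_factor_verified_at <= STEP_UP_WINDOW:
        return True  # recently verified, no re-prompt needed
    if second_factor is not None and verify_second_factor(session.account, second_factor, now):
        session.second_factor_verified_at = now
        return True
    return False


def demo() -> dict:
    """Constructed scenario: the token and the phished password are known, the 2FA device is not."""
    secret = b"constructed-totp-secret"
    acct = Account("phished-password", secret, ["11111111", "22222222"])
    login_time = 1_700_000_000
    sess = Session(acct, login_time)
    later = login_time + 3600  # an hour after login, well outside the step-up window
    return {
        "current_model_unlocks_codes": authorize_current(sess, "view_backup_codes", "phished-password"),
        "step_up_blocks_without_2fa": authorize_step_up(sess, "view_backup_codes", "phished-password", None, later),
        "step_up_blocks_wrong_backup_code": authorize_step_up(sess, "disable_2fa", "phished-password", "99999999", later),
        "step_up_allows_real_owner": authorize_step_up(sess, "disable_2fa", "phished-password", totp(secret, later), later),
        "fresh_window_allows_follow_up": authorize_step_up(sess, "change_email", "phished-password", None, later + 60),
        "non_sensitive_needs_no_2fa": authorize_step_up(sess, "change_nickname", "phished-password", None, later + 7200),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the gate is the `SENSITIVE_ACTIONS` set: the password check alone is exactly what a stolen token plus a phished password already satisfies, so it adds nothing for those actions, while a fresh TOTP or backup code is something the session itself does not carry. Backup codes stay hashed and single-use, so even the legitimate "view backup codes" path only exists behind the same gate.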
I agree, as this does cause issues with people who get their tokens taken like this. If the user is legit and it's their account, they won't have any issue getting a code from their phone or going to a link in their email to disable the 2fa. The only convenience in having it be able to be turned off from the settings is for a hacker, as they don't have to prove anything else to Discord to prove they are who they are pretending to be.
3 -
This seems like a very simple thing to have. You should not, SHOULD NOT, be able to regenerate the backup codes without entering your 2fa code. Making it only password-protected completely negates the purpose of 2fa. 2fa needs to be used to verify you are who you say you are on important parts of your account, for example rerolling backup codes. I'm not sure of any other places that are not 2fa-protected that should be, but if this is one there are probably others...
2 -
For real, what's the point of having 2fa if it can easily be bypassed through having your token stolen? Changing your email and disabling 2fa shouldn't be this easy; 2fa is basically pointless at that point.
0