Change how backup codes are handled.

Comments

3 comments

  • Lord BadBones

    I agree, as this does cause issues with people who get their tokens taken like this. If the user is legit and it's their account, they won't have any issue getting a code from their phone or going to a link in their email to disable the 2FA. The only convenience in having it be able to be turned off from the settings is for a hacker, as they don't have to prove anything else to Discord to prove they are who they are pretending to be.

    3
  • Weston

    This seems like a very simple thing to have. You should not, SHOULD NOT, be able to regenerate the backup codes without entering your 2FA code. Making it only password protected completely negates the purpose of 2FA. 2FA needs to be used to verify you are who you say you are on important parts of your account, for example rerolling backup codes. I'm not sure of any other places that are not 2FA protected that should be, but if this is one, there are probably others...

    2
  • ĐɆ₵₳Ɏł₦₲ ⱧɄ₴₭

    For real, what's the point of having 2FA if it can easily be bypassed through having your token stolen? Changing your email and disabling 2FA shouldn't be this easy; 2FA is basically pointless at that point.

    0
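
The control requested in this thread, sketched as an added example that is not part of the original comments and is not Discord's code: regenerating backup codes succeeds only with the password and a fresh TOTP code, so a session token or password alone is not enough. The `Account` record, its field names and the function names are hypothetical; the TOTP routine follows RFC 6238.

```python
import hashlib, hmac, secrets, struct, time

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_backup_codes(n=8):
    return {secrets.token_hex(4) for _ in range(n)}

class Account:
    """Hypothetical account record; all field names are assumptions."""
    def __init__(self, password, totp_secret):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.backup_codes = new_backup_codes()
        self.last_step = -1  # last accepted TOTP step, blocks code replay

def verify_totp(acct, code, now):
    step = int(now) // 30
    for s in (step - 1, step):  # tolerate one step of clock skew
        expected = totp(acct.totp_secret, s * 30).encode()
        if s > acct.last_step and hmac.compare_digest(expected, code.encode()):
            acct.last_step = s
            return True
    return False

def regenerate_backup_codes(acct, password, code, now=None):
    """Sensitive change: needs the password AND a fresh TOTP code."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        raise PermissionError("password check failed")
    if not verify_totp(acct, code, now):
        raise PermissionError("valid 2FA code required")
    acct.backup_codes = new_backup_codes()  # old codes are invalidated
    return acct.backup_codes
```

The same gate applies to the other changes the commenters name, such as changing the email address or disabling 2FA.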
