2FA Requirement Circumvention Protection
At the moment a user can circumvent the 2FA requirement using a bot to ban a user instead. This is because the bot has no way of knowing a user needs to have 2FA to use the permission, it can only see that they have it from the roles they have. In my opinion this is a massive oversight that makes requiring 2FA pointless if you have bots that can ban in the server.
There are two solutions in my opinion:
- Allow bots to see who has 2FA and who does not as well as if the server has the 2FA requirement enabled.
- Remove any and all roles that have permission to ban/kick/etc if the 2FA requirement is enabled.
At the moment bots can get 2FA info via OAuth2, but that requires the user to sign in via their Discord account on a website, and the bot still has no way of knowing that the server requires 2FA as far as I am aware. Bot makers could create a dashboard, or add a panel to their dashboard if they have one, where a user can tick a box saying that their server requires 2FA, but this is all super clunky.
You can easily check if a server has the 2FA requirement on by checking the "mfa_level" property:
0 (NONE) = not required
1 (ELEVATED) = required
https://discordapp.com/developers/docs/resources/guild#guild-object
https://discordapp.com/developers/docs/resources/guild#guild-object-mfa-level
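The check above, as an added example that is not part of the original thread: a bot-side guard that reads the guild's `mfa_level` and, when the server requires 2FA, refuses to proxy the permissions Discord gates behind it, since the bot cannot see whether the invoking user actually has 2FA. The guild objects, the command table and the gated-permission list are constructed sample data and assumptions for illustration.

```javascript
// Discord guild mfa_level values, as documented in the guild object.
const MFA_LEVEL = { NONE: 0, ELEVATED: 1 };

// Permissions a server can put behind 2FA. Assumption: this list mirrors the
// permission names Discord treats as 2FA-gated when mfa_level is ELEVATED.
const TWO_FA_GATED = new Set([
  'KICK_MEMBERS', 'BAN_MEMBERS', 'ADMINISTRATOR', 'MANAGE_CHANNELS',
  'MANAGE_GUILD', 'MANAGE_MESSAGES', 'MANAGE_ROLES', 'MANAGE_WEBHOOKS',
]);

// Hypothetical command table: which permission each bot command proxies.
const COMMAND_PERMISSION = {
  ban: 'BAN_MEMBERS', kick: 'KICK_MEMBERS', purge: 'MANAGE_MESSAGES', say: null,
};

// Constructed guild objects shaped like the API's guild object.
const SAMPLE_GUILDS = {
  strict: { id: '100000000000000001', name: 'constructed-strict', mfa_level: 1 },
  relaxed: { id: '100000000000000002', name: 'constructed-relaxed', mfa_level: 0 },
};

// Decide whether the bot may run a command on the invoker's behalf. The bot
// only knows the invoker's permissions (from roles), never their 2FA status,
// so under ELEVATED it declines gated actions instead of becoming a bypass.
function decideModerationCommand(guild, command, invokerPermissions) {
  const needed = COMMAND_PERMISSION[command];
  if (needed === undefined) return { allow: false, reason: 'unknown command' };
  if (needed === null) return { allow: true, reason: 'no privileged permission involved' };
  if (!invokerPermissions.includes(needed)) {
    return { allow: false, reason: `invoker lacks ${needed}` };
  }
  // Fail closed: a missing or unrecognised mfa_level is treated as ELEVATED.
  const level = guild.mfa_level === MFA_LEVEL.NONE ? MFA_LEVEL.NONE : MFA_LEVEL.ELEVATED;
  if (level === MFA_LEVEL.ELEVATED && TWO_FA_GATED.has(needed)) {
    return {
      allow: false,
      reason: `server requires 2FA for ${needed}; bot cannot verify invoker, use the native action`,
    };
  }
  return { allow: true, reason: 'permitted' };
}

// Stand-alone demonstration of the two guild settings.
console.log(decideModerationCommand(SAMPLE_GUILDS.strict, 'ban', ['BAN_MEMBERS']));
console.log(decideModerationCommand(SAMPLE_GUILDS.relaxed, 'ban', ['BAN_MEMBERS']));
```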
This still does not resolve the issue of the bot not knowing if a user has 2FA enabled without visiting an external site and logging in via Discord.
Comments
2 comments