Add support for webauthn authentication, Yubikeys and the like

完了

コメント

84件のコメント

  • eriNa_

    Excellent WebAuthn support is no longer the future, it's been here for a while now :)

    Chrome, Firefox and Safari support it. You can use physical tokens (of which there are tons that support either fido2 or u2f), Windows Hello, or Touch ID. Chrome has testing (WebDriver) support for it.

    Supporting passwordless login would be the cherry on top but 2fa is a good place to start. Electron also should support it on recent versions.

    3
  • epicfacethe3rd

    there is a demand for it and it's not hard to implement. just do it.

    4
  • lolrepeatlol

    bump. pls add this.

    3
  • Deleted user

    BUMP! This is really needed, for hardware key users. I don't see why it shouldn't be added.

     

    4
  • Neodidymos
    It's a very good idea.
    2
  • Request

    Please Discord. It tickles our fancy.

    5
  • LookAtFr3sn0

    epicfacethe3rd the "demand" you're talking about is quite low and it might be really hard to implement as far as we know.

    1
  • ! 兽迷 !

    LookAtFr3sn0 Your right, the demand aren't as high as other require but it rather easy to implement (as far as I know since I implemented it once on one of my site) and this is rather a security than a feature. So adding it would increase the security of the account if the user accept to use it.

    2
  • LookAtFr3sn0

    ! 兽迷 ! Sure, but they have more important things to do instead of adding an option that only a really small percentage of users is going to use, we do not know much about how the whole thing is made and managed so we cannot know if it would be as easy as you or others may think.

    I think it is really likely to be a quite hard thing to implement because of how big discord itself is, but that's just my opinion.
    We cannot know if the discord staff is already working on it or not because of any reason, just like we cannot know the time and energies it would take to implement because again, we do not know how the whole thing is managed.

    So unless a member of the discord staff joins the comments and tells us, we can only make hypotheses.

    2
  • ! 兽迷 !

    LookAtFr3sn0

    For me personally, I don't carry around my phone often so most of the time, I use the backup code to authenticate instead of my phone (matter of fact, I use the backup code more than the OTP) because I carry around my USB due to their size.
    Though in my opinion, the security it provides could make a difference in those small percentage user base and even if it just the small amount of users that wants it as of today, the demand could potentially increase in the future.

    but like you said, we can only assume for now since we do not have any information on whether they are implementing it or not.

    2
  • epicfacethe3rd

    LookAtFr3sn0 webauthn is actualy shockingly easy to do. and saying discord is a "big thing" and that makes it hard to implement is pretty absurd. Discord runs off of an implementation of a program called Electron, which allows for cross platform applications to be built with HTML5. Basicly, they would only need to implement it once to get it implemented on all platforms. maybe twice for android. and the security difference is not negligible as you claim. the in house solution discord uses for 2FA has had issues in the past. namely the exploit that worked through a user scanning a malicious QR code, and the fact that relying on a mobile device for 2FA is known to be a bad idea - it just moves the target vector from the computer to the phone. phone based 2FA was shown to be useless as soon as it was created.
    on the other hand, physical security keys have been proven to be very secure for literally decades.
    lastly, it's a good idea to note that physical security keys actually use less server resources compared to OTP applications, as they move the storage and heavy calculation onto the keys. all the server has to do is check signatures, which is pretty quick, and store a public key for each user, instead of storing an OTP scheme
    the only reasonable excuse for this not being implemented was that Electron did not support Webauthn a long time ago. Webauthn has now been supported by Electron since 2018

    3
  • Antho
    Add this feature, please!
    2
  • Thrimbor

    This request is two years old now, and Discord is pushing people to force mods to use 2FA. It's about time to implement this.

    4
  • coderboy14

    Common Discord. We have been asking for this, what, two years now? It is still something we want. As somebody who's phone died, and caused me to loose my Google Authenticator data (and thus, my Discord account), please just add bloody support for this! I'd love to be able to use my USB Security key as a 2FA method.

    3
  • Hiroki

    As somebody who's phone died, and caused me to loose my Google Authenticator data (and thus, my Discord account), please just add bloody support

    coderboy14

    Tbh, security keys can also die or be lost. I've seen a post with someone complaining that their cat broke their Yubikey by playing with the keychain, somewhere on the internets. On its own, it's not a silver bullet for this kind of issues.

    But in some way, I might also be about to drop OTP 2FA, since my phone is close to its EOL, I don't want it to be very important when it fails.

    And if some friends would prefer to keep exchanges safe, I'd move to a service with security in mind, where I can have easier 2FA, where I can manage messages in bulk, where I can't be locked out of a server with data I can't erase, and without an English approach to server management and moderation.

    -1
  • Fred

    The gold-standard for supporting lost/broken is to register multiple WebAuthN devices with the same account - and any one key is sufficient; few sites support this, and it's honestly pretty inconvenient for users.

    Good is to support (some sites even require) that another 2fa of any kind is also registered - for example, webauthn+OATH, or webauthn+"recovery codes" (just please not SMS :D); login should require either webauthn *or* the other form, not both, so if one breaks you can gain access to your account again.

    2
  • Hiroki

    Personally, I don't trust recovery codes, as it's like additional passwords, and they're stored like my passwords database on my computer. That leaves a lot of common causes and correlated modes of failures. eg if the database with the latest codes is recovered or erased, you loose both to attacker, and you loose the advantage of 2FA, so you need to have perfect habits to limit the risk. I even prefer SMS because this vector has independence.

    To guarantee the availability of 2FA data, and limit the exposure due to various technologies, I usually keep my OTP secrets on two phones. For now, that is my current phone, and the former one. The latter is too broken to be convenient to use as an everyday smartphone, but it can just stay in airplane mode and be rebooted for 2FA once in a while.

    EDIT : I was too focused on the previous guy's availability problem, so I updated my example so that it has sense

    1
  • anand

    A year later and we still need this. I think there should be an option for YubiKey/the secure protocol is uses, and then the option to download backup codes just in case.

     

    That way you can disable the normal 2FA, still have backups codes, and also have YubiKey.

    4
  • Bobcat

    Bump ...this needs to happen!!!

    2
  • Metroseksuaali

    Bump We need this

    2
  • leagris

    Dear Discord devop team,

    Is there something that is dragging this feature request behind unscheduled, or it needs more rating in here?

    Please, whatever the reason WebAuth OTP is not featured yet, a few words from one of Discord team member would be welcome here.

    3
  • WispTheHusky

    Come on, Discord Devs.

    This is an essential thing, especially if Discord is wanting to move to more business-oriented endeavours.

    Why is such a basic feature taking so long?

    Years of comments, upvotes and discussion, but not a word from the Discord team.

    Get your act together, and implement this simple feature that hugely increases account security?

    4
  • morpheuscielo

    I would love this as an extension before adding more features requiring payments to ensure the highest reasonable protection for my account.

    Adding more features requiring to link your card, unlock specific paywalled content will take any account to even more attacks.

    While I understand the low priority, which is not an excuse, people wouldn't have wanted to lose their option of adding passwords less than 6 digits due to being so the easy workflow.

    Be a future-orientated company, which sets a high standard in ensuring to deliver the tools for your high spenders and general company (as a ton of companies profit from Discord, but having such access might damage their environment).

    Optimally, as an extension, make it possible to activate walls of server moderation related to keys.

    Thank you.

    4
  • Matroi

    Come on add this feature already, its been two years since this post has been up and not even a post about fido2/WebAuthn or any update.

    3
  • ☭Soda☭Fountain☭

    Bring bring support for Yubikey and u2f. I wont use 2fa here till that happens. I already have a damn robust password, and it’s going to be the way sooner or later.

    2
  • BeastyBlake101

    This thread is still very relevant. Twitter and Google offers physical key authentication, why shouldn't discord too?

    Owners of partnered servers like YouTubers or other influential individuals are targeted accounts and need optimal protection across all their online accounts and communities, not just some of them.

    3
  • IronDoge

    It's long past due for this feature to be put in. If Discord is going to heavily push for 2FA, it needs to offer much more secure solutions than just OTPs.

    2
  • TheWhiteSheep_

    We need it!!! 

    1
  • 7wells

    It's indeed bad to have a YubiKey or similar hardware token but to have to use a software like Yubico Athenticator with that token to create an OTP for Discord. Why not integrate direct auth with the token itself? It works for e.g.

    https://github.com/sessions/two-factor/webauthn

    https://gitlab.com/users/sign_in

    You just have to put your finger on the blinking field of the hardware token and get logged in. It can be that easy. :-)

    Erm, is anynody from Discord reading these posts at all?

    2
  • ☭Soda☭Fountain☭

    my main point, and I'm semi-sure this post is not being monitored/watched by discord as they think 2factor is enough, is that it would increase the security on top of the existing 2-factor system. i refuse to use the current system because i see the codes as a nuisance to get and just having to plug in your yubikey and tap and go would be much better, and as long as you don't loose that security key, nobody else can get in, without having the magic bypass token.

    1

サインインしてコメントを残してください。