Add support for webauthn authentication, Yubikeys and the like

Comments

68 comments

  • Roshinator

    I agree, it's the future of 2FA and even passwords in general. Discord should be ready.

    15
  • BinaryOverload

    This! Using a U2F key is so much quicker and in most ways more secure than using texts or an Authenticator app, would love this! Not enough sites have it...

    8
  • dissolve

    +1. WebAuthn makes this much simpler than it used to be, and much more secure; Yubico has lots of documentation on how it works.

    6
  • Bou

    I created this suggestion over a year ago, and since then the market for physical FIDO2-compatible security keys has matured considerably.

    Yubico now offers a wide range of keys with different connectivity. Other vendors, such as Feitian, the open source-centric Nitrokey and Google Titan have also joined in on providing webauthn compatible hardware keys.

    Similarly the support for USB and NFC based keys is now very good. Whether you're using Windows, Linux or macOS, all of the major browsers offer full support for webauthn out of the box.

    On Android, Chrome and Firefox support these keys through the Google Play services API, and iOS and iPadOS also provide a native API.

    During this time Discord has introduced convenient login with mobile; even though the user isn't required to input a password at login, for the time being every account does have a password associated, and login without the mobile device remains a possibility.

    Discord has also not indicated any plans to move away from the vulnerable SMS-based, or the more secure but less convenient TOTP-based, second factor.

    The market has now answered many of my original questions. Now is a good time to start thinking of passwordless login and the use of hardware embedded authenticators.


    6
  • Request

    Please Discord. It tickles our fancy.

    5
  • Da Bald Eagul

    Yes please! (Just support USB please)

    4
  • dissolve

    My hope is to be rid of 6-digit code entry by the end of 2019.

    4
  • epicfacethe3rd

    There is a demand for it and it's not hard to implement. Just do it.

    4
  • VƎNOM

    This request is two years old now, and Discord is pushing people to force mods to use 2FA. It's about time to implement this.

    4
  • anand

    A year later and we still need this. I think there should be an option for YubiKey/the secure protocol it uses, and then the option to download backup codes just in case.

    That way you can disable the normal 2FA, still have backups codes, and also have YubiKey.

    4
  • WispTheHusky

    Come on, Discord Devs.

    This is an essential thing, especially if Discord is wanting to move to more business-oriented endeavours.

    Why is such a basic feature taking so long?

    Years of comments, upvotes and discussion, but not a word from the Discord team.

    Get your act together, and implement this simple feature that hugely increases account security?

    4
  • morpheuscielo

    I would love this as an extension before adding more features requiring payments to ensure the highest reasonable protection for my account.

    Adding more features requiring to link your card, unlock specific paywalled content will take any account to even more attacks.

    While I understand the low priority, which is not an excuse, people wouldn't have wanted to lose their option of adding passwords less than 6 digits due to being so the easy workflow.

    Be a future-orientated company, which sets a high standard in ensuring to deliver the tools for your high spenders and general company (as a ton of companies profit from Discord, but having such access might damage their environment).

    Optimally, as an extension, make it possible to activate walls of server moderation related to keys.

    Thank you.

    4
  • pydlv

    Yes please. Much more secure than TOTP/Google 2FA/SMS authentication and many people have Yubikeys now

    3
  • Skeletor

    Discord plis

    3
  • lolrepeatlol

    bump. pls add this.

    3
  • Deleted user

    BUMP! This is really needed, for hardware key users. I don't see why it shouldn't be added.


    3
  • epicfacethe3rd

    LookAtFr3sn0 WebAuthn is actually shockingly easy to do. And saying Discord is a "big thing" and that makes it hard to implement is pretty absurd. Discord runs off of an implementation of a program called Electron, which allows for cross-platform applications to be built with HTML5. Basically, they would only need to implement it once to get it implemented on all platforms, maybe twice for Android. And the security difference is not negligible as you claim. The in-house solution Discord uses for 2FA has had issues in the past, namely the exploit that worked through a user scanning a malicious QR code, and the fact that relying on a mobile device for 2FA is known to be a bad idea - it just moves the target vector from the computer to the phone. Phone-based 2FA was shown to be useless as soon as it was created.
    On the other hand, physical security keys have been proven to be very secure for literally decades.
    Lastly, it's a good idea to note that physical security keys actually use fewer server resources compared to OTP applications, as they move the storage and heavy calculation onto the keys. All the server has to do is check signatures, which is pretty quick, and store a public key for each user, instead of storing an OTP scheme.
    The only reasonable excuse for this not being implemented was that Electron did not support WebAuthn a long time ago. WebAuthn has now been supported by Electron since 2018.

    3
  • coderboy14

    C'mon Discord. We have been asking for this, what, two years now? It is still something we want. As somebody whose phone died, and caused me to lose my Google Authenticator data (and thus, my Discord account), please just add bloody support for this! I'd love to be able to use my USB security key as a 2FA method.

    3
  • leagris

    Dear Discord devop team,

    Is there something that is dragging this feature request behind unscheduled, or it needs more rating in here?

    Please, whatever the reason WebAuthn OTP is not featured yet, a few words from one of the Discord team members would be welcome here.

    3
  • Matroi

    Come on, add this feature already; it's been two years since this post has been up and not even a post about FIDO2/WebAuthn or any update.

    3
  • BeastyBlake101

    This thread is still very relevant. Twitter and Google offer physical key authentication, why shouldn't Discord too?

    Owners of partnered servers like YouTubers or other influential individuals are targeted accounts and need optimal protection across all their online accounts and communities, not just some of them.

    3
  • 󠇰󠇰

    And have an option for passwordless login if you have a security key.

    2
  • Spooker

    It would be just awesome to see U2F on Discord!!

    2
  • NHS

    Hi, all.

    Thanks for your comments.

    I really hope Discord listens to this. 

    Best regards,

    Darius.

    2
  • Nirantali

    Just again had to search for the mobile, open the authenticator app, search for Discord, read the code off the screen and enter it ... it's boring and additionally all those TOTP things are also phishable.

    So yes, please support FIDO U2F and FIDO2 WebAuthn 2FA and passwordless.

    I have plenty of security keys for that, a lot of YubiKey 4 (3), YubiKey 5 NFC (2) and a YubiKey NEO and a FEITIAN BioPass FIDO2; I've been ready for years and also use them already everywhere I can. Unfortunately Discord still uses boring and phishable stone-age 2FA and even SMS 2FA that was deprecated years ago and shouldn't be used anymore.

    Also for the ones saying it doesn't work on mobiles, that's wrong; that's why I have a YubiKey NEO and YubiKey 5 NFCs, they are both NFC capable for use with mobiles. On mobiles you simply swipe the security key over the mobile instead of touching the button.

    2
  • Hiroki

    It's even better for the user.

    Authentication with tokens has been available in countries like France since the 1990s, for popular services like :

    • Banking (at shops and ATMs - chip and PIN was introduced in 1995)
    • Payphones
    • pre-internet Minitels (you could authenticate yourself on remote services, record contacts, and pay with your actual debit card, on later versions).
    • GSM networks (thanks to SIM cards)

    Here is what I bought as a cheap RPI terminal (a Minitel featuring a chip card reader):

    Banks and France Telecom were successful at teaching the 1990s society how to use them. And these services became ubiquitous.

    Also, I didn't live in that period, but I've never seen elderly people or pre-millennials complain about how hard or unsafe it is to use a SIM card or an EMV debit card.

    On the other side, everyone complains about password requirements; IT guys keep blaming users for phishing, even if better technologies exist to log in (like the ones mentioned above), emails could be signed (with GPG, DKIM, ...) and webmails could check these signatures, ...

    When it comes to internet services, It's as if there was an oak in the middle of the road. It's been there first, so let's not change anything. If you crash in it, you're at fault for having bad driving habits.

    2
  • Nirantali

    When can I finally register one or more of my security keys in Discord?

    Because every time I need to search for my phone, open that silly app, search for the code, read and remember it and then enter it in Discord, I think to myself, how sweet it would be if I only had to touch my YubiKey Nano that is always plugged into my notebook.

    2
  • ligi

    We need this. Some arguments for it here: https://blog.trezor.io/why-you-should-never-use-google-authenticator-again-e166d09d4324

    2
  • SamHDev

    This would be very epic.

    2
  • eriNa_

    Excellent! WebAuthn support is no longer the future, it's been here for a while now :)

    Chrome, Firefox and Safari support it. You can use physical tokens (of which there are tons that support either FIDO2 or U2F), Windows Hello, or Touch ID. Chrome has testing (WebDriver) support for it.

    Supporting passwordless login would be the cherry on top, but 2FA is a good place to start. Electron also should support it on recent versions.

    2

Sign in to leave a comment.