Discord does not understand security and instead instructed me to make a feature request. This should be taken seriously.
Currently, 2FA is a joke: it provides no feedback or integrity checks, and the Discord login page is quite easy to spoof. I'm sure many people who are aware of this have been asked to 'test' a game that suddenly logged them out of Discord with a prompt to log in.
I propose a selection of essential feature upgrades to the 2FA system.
1. In the mobile app, after scanning the QR code, show the user the geolocation and IP address of the device logging in and, if possible, whether that IP belongs to a known VPN service or appears on a list of suspicious IPs.
2. An opt-out feature that enables geolocation locking, preventing any auth logins from a new country or from one not present on a list of approved countries. If such an attempt happens, the user must click a dedicated link sent to their email or to their mobile phone via SMS or push notification.
3. A list of the active login tokens in use, accessible via email or mobile. Allow the user to expire any refresh tokens on devices they no longer use or do not recognize.
4. A 24-hour restriction on geolocation hopping for account-critical options, such as changing the password, phone number, or email.
5. Major edits, such as changing the password, email, or phone number, should have an opt-in 2FA verification step, like Steam Guard.
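As an added illustration (not part of the original request and not Discord's code), here is a small policy sketch of proposals 2, 3 and 4 over constructed data: a home login from an approved country, a held login from an unapproved one, the 24-hour lock on critical changes while both are active, and revocation of the unknown device. The `Account`/`Session` classes, the country codes and the token ids are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CRITICAL_LOCKOUT = timedelta(hours=24)  # proposal 4: geolocation-hopping window

@dataclass
class Session:
    token_id: str        # refresh-token id listed for the user (proposal 3)
    country: str         # country the login IP geolocated to
    created_at: datetime
    revoked: bool = False

@dataclass
class Account:
    approved_countries: set
    geo_lock: bool = False                        # proposal 2, per-account setting
    sessions: list = field(default_factory=list)

    def evaluate_login(self, token_id, country, now, confirmed=False):
        # Proposal 2: a login from a non-approved country is held until the user
        # clicks the e-mail/SMS link; the retry then passes confirmed=True.
        if self.geo_lock and not confirmed and country not in self.approved_countries:
            return "require_confirmation"
        self.sessions.append(Session(token_id, country, now))
        return "allow"
    def active_sessions(self):
        # Proposal 3: the list the user can inspect and revoke from.
        return [s.token_id for s in self.sessions if not s.revoked]
    def revoke(self, token_id):
        for s in self.sessions:
            if s.token_id == token_id:
                s.revoked = True
    def may_change_critical(self, country, now):
        # Proposal 4: refuse password/e-mail/phone changes while active logins
        # from more than one country fall inside the last 24 hours.
        cutoff = now - CRITICAL_LOCKOUT
        seen = {s.country for s in self.sessions if not s.revoked and s.created_at >= cutoff}
        seen.add(country)
        return len(seen) == 1

def demo():
    # Constructed scenario: home login from DE, then an unapproved login from BR.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    t1, t2 = t0 + timedelta(hours=1), t0 + timedelta(hours=2)
    acct = Account(approved_countries={"DE"}, geo_lock=True)
    first = acct.evaluate_login("tok-1", "DE", t0)
    held = acct.evaluate_login("tok-2", "BR", t1)
    acct.evaluate_login("tok-2", "BR", t1, confirmed=True)    # user clicked the link
    while_hopping = acct.may_change_critical("DE", t2)
    acct.revoke("tok-2")                                       # user expires the unknown device
    return first, held, while_hopping, acct.may_change_critical("DE", t2), acct.active_sessions()
```

`demo()` returns `("allow", "require_confirmation", False, True, ["tok-1"])`: the critical change is refused while the BR session is active and allowed again once it is revoked.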
By voting for this, you show that you are interested in account security and preventive measures. Please share this around.