Enhanced 2FA Security
Discord does not understand Security and instead instructed me to make a feature request. This should be taken seriously.
Currently, the 2FA is a joke: it has no feedback or integrity involved, and it is quite easy to spoof the Discord login page. I'm sure many people who are aware of this have been asked to 'test' a game that suddenly logged them out of Discord with a prompt to log in.
I propose a selection of essential feature upgrades to the 2FA system.
1. In the mobile app, after scanning the QR code, prompt the user with the GeoLocation of the login device and the IP, and, if possible, whether this IP is behind a known VPN service or on a list of suspicious IPs.
2. Opt-out feature that enables GeoLocation locking, preventing any Auth logins from a new country or one not present on a list of approved countries. If such an attempt is happening, the user must click a dedicated link sent to their email or mobile phone via SMS or notification.
3. List of active login tokens in use that can be accessed via email or mobile. Allow a user to expire any refresh tokens on devices that they may no longer use or do not know.
4. Set a 24-hour restriction on GeoLocation hopping for account-critical options, such as changing the password, phone number or email.
5. Major edits, such as changing password, email or phone number, should have an opt-in 2FA verification step, like Steam Guard.
By voting for this, you are interested in account security and preventative measures. Please share this around.
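One way to implement points 2 and 4 of the proposal, as an added example that is not part of the original post or of Discord's own code; the account state model, the function names and the timestamps are assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy model: a login from a country outside the approved list
# needs an out-of-band confirmation (point 2); once the login country hops,
# password/email/phone changes are held for 24 hours (point 4).
CRITICAL_HOLD = timedelta(hours=24)


@dataclass
class AccountState:
    approved_countries: set                      # countries the user has approved
    last_country: Optional[str] = None           # country of the last accepted login
    last_country_change: Optional[datetime] = None  # when the login country last hopped


def _record_country(state: AccountState, country: str, now: datetime) -> None:
    """Remember the login country and timestamp a hop if it differs from the last one."""
    if state.last_country is not None and country != state.last_country:
        state.last_country_change = now
    state.last_country = country


def evaluate_login(state: AccountState, country: str, now: datetime) -> str:
    """Return 'allow' or 'confirm_required'; no session is issued until confirmed."""
    if country not in state.approved_countries:
        return "confirm_required"   # send the dedicated email/SMS link instead
    _record_country(state, country, now)
    return "allow"


def confirm_new_country(state: AccountState, country: str, now: datetime) -> None:
    """Called after the user clicked the confirmation link: approve and record the hop."""
    state.approved_countries.add(country)
    _record_country(state, country, now)


def can_change_critical_setting(state: AccountState, now: datetime) -> bool:
    """Account-critical changes are blocked until 24h after the last country hop."""
    if state.last_country_change is None:
        return True
    return now - state.last_country_change >= CRITICAL_HOLD


def demo() -> list:
    """Constructed timeline: a GB-approved account sees a login from BR."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # constructed timestamp
    state = AccountState(approved_countries={"GB"})
    out = [evaluate_login(state, "GB", t0),                               # allow
           evaluate_login(state, "BR", t0 + timedelta(minutes=5)),        # confirm_required
           can_change_critical_setting(state, t0 + timedelta(minutes=6))]  # True: no hop yet
    confirm_new_country(state, "BR", t0 + timedelta(minutes=10))
    out.append(can_change_critical_setting(state, t0 + timedelta(hours=1)))   # False: held
    out.append(can_change_critical_setting(state, t0 + timedelta(hours=25)))  # True: hold over
    return out
```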
Great suggestion.
I've recently, by accident, changed my daily device, and when uninstalling Google Authenticator I didn't realise it would affect my Discord account. Now I'm locked out, and support are "truly sorry" but offered to "fully delete my locked account securely"; I must create a new account. Also, they apparently don't collect user-identifiable information, hmm?! I don't recall anything about 2FA backup codes being downloaded or stored... so I agree with your points; they need to do something about this as it's really poor. They should at least have a set of the backup codes for an account uploaded to them.
new version of this proposal: https://support.discord.com/hc/en-us/community/posts/25011633068311-Enhanced-Security?page=1#community_comment_25636896120983