Require 2FA after QR Code Scan
QR code scanning should not bypass account 2FA. This design flaw enables common account hijacking attacks reported by Discord users when QR codes are referred by an attacker from a desktop they control to a target user. If an account has 2FA configured, every sign-on should require 2FA. That is the purpose and function of the technology. Allowing a bypass for 2FA, especially one that is such a common login experience for the desktop app, essentially means no accounts actually have 2FA configured.
Implementing this suggestion will save hours of support staff time dealing with users who have experienced account compromise, and will prevent your billing staff from needing to refund transactions in these cases.
-
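To make the proposed policy concrete, here is an added example (my own toy model in Python, not Discord's code and not posted by anyone in this thread) of a QR-login server with a switch for "require 2FA after QR approval". The account names, the TOTP secret (the RFC 6238 test-vector secret), the nonce format and the poll states are all assumptions; the relay scenario is the one the post describes: the attacker starts the QR login on a desktop they control and gets a 2FA-enrolled user to scan and approve it.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed data: the RFC 6238 test-vector secret stands in for alice's enrolled TOTP key.
TOTP_SECRET_ALICE = b"12345678901234567890"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the usual authenticator-app default)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class Account:
    name: str
    totp_secret: Optional[bytes]  # None means the account has no 2FA configured


@dataclass
class QrLogin:
    nonce: str                          # value the desktop encodes in the QR code
    approved_by: Optional[str] = None   # account that scanned and approved
    totp_verified: bool = False
    issued_token: Optional[str] = None


class AuthServer:
    """Hypothetical server side of a QR login; the flag models the requested change."""

    def __init__(self, accounts, require_2fa_after_qr: bool):
        self.accounts = {a.name: a for a in accounts}
        self.require_2fa_after_qr = require_2fa_after_qr
        self.logins: Dict[str, QrLogin] = {}

    def start_qr_login(self) -> str:
        """Desktop asks for a login nonce and renders it as a QR code."""
        nonce = secrets.token_urlsafe(16)
        self.logins[nonce] = QrLogin(nonce)
        return nonce

    def approve_from_phone(self, nonce: str, user: str) -> None:
        """The already-signed-in phone app scans the QR and approves it."""
        self.logins[nonce].approved_by = user

    def verify_totp(self, nonce: str, code: str, now: Optional[int] = None) -> bool:
        """Second factor presented for this pending login; allows one step of clock skew."""
        login = self.logins[nonce]
        acct = self.accounts[login.approved_by]
        if acct.totp_secret is None:
            return False  # nothing enrolled, nothing to verify
        now = int(time.time()) if now is None else now
        ok = any(hmac.compare_digest(totp(acct.totp_secret, now + d), code) for d in (-30, 0, 30))
        login.totp_verified = ok
        return ok

    def poll_from_desktop(self, nonce: str) -> str:
        """Desktop polls: 'pending', 'needs_2fa', or a session token once the policy is satisfied."""
        login = self.logins[nonce]
        if login.approved_by is None:
            return "pending"
        acct = self.accounts[login.approved_by]
        # The requested fix: a QR approval alone does not finish sign-on for a 2FA account.
        if self.require_2fa_after_qr and acct.totp_secret is not None and not login.totp_verified:
            return "needs_2fa"
        if login.issued_token is None:
            login.issued_token = "session:" + secrets.token_hex(8)
        return login.issued_token


def relay_attack_outcome(require_2fa_after_qr: bool) -> str:
    """Constructed scenario from the post: attacker-controlled desktop, victim scans the QR."""
    server = AuthServer([Account("alice", TOTP_SECRET_ALICE), Account("bob", None)], require_2fa_after_qr)
    nonce = server.start_qr_login()              # attacker's desktop shows this QR
    server.approve_from_phone(nonce, "alice")    # victim scans it and taps approve
    return server.poll_from_desktop(nonce)       # what the attacker's desktop gets back


def legitimate_login_outcome(now: int) -> str:
    """Same policy, but the real user completes the TOTP step."""
    server = AuthServer([Account("alice", TOTP_SECRET_ALICE)], require_2fa_after_qr=True)
    nonce = server.start_qr_login()
    server.approve_from_phone(nonce, "alice")
    server.verify_totp(nonce, totp(TOTP_SECRET_ALICE, now), now=now)
    return server.poll_from_desktop(nonce)
```

With the flag off, `relay_attack_outcome(False)` hands the attacker's desktop a session token the moment the victim approves the scan; with it on, the same desktop only ever sees `needs_2fa`, while `legitimate_login_outcome` still completes once the enrolled code is entered. Accounts without 2FA enrolled (bob) are unaffected either way, which is the point made in the post: the check only bites where the user has already chosen to turn 2FA on.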
I am of the same opinion: every 2FA login must have its own genuine factor.
-
This sounds more like you don't understand how 2FA works. 2FA is not a magic pill that just makes it impossible to log in to your account. Sure, Discord could ask for the code when logging in, but then the hackers will simply forward the 2FA page as well...
The only way to combat this is to check that you are actually on Discord's website when logging in, and not a fake one set up by hackers.
-
It adds a layer of security and forces people to understand that they are logging into an account and not just scanning a code. Most people who have 2FA configured would not enter a 2FA code on anything except a login prompt, but they may be more likely to scan a QR code, especially as that has become so normalized in society in the last few years.
Security is all about adding layers. There is no such thing as a magic pill in information security. No one should expect that. Everything is about adding layers of defense.
I have another feature request related to this here; both together make for a best-practices configuration to prevent account compromise: https://support.discord.com/hc/en-us/community/posts/12109842009623-Require-Out-of-Band-OOB-Acknowledgement-For-Unknown-Location-Sign-On
Both should be configured and deployed.
Comments (3)