[ ‼️ ] How Discord Can Improve 2FA & How to Keep Accounts Secure and Avoid Lockouts.
Let's talk about 2FA on Discord. I know it's important to keep our accounts secure, especially with all the hackers out there, but the current 2FA system needs some serious rework.
Even if we do set up 2FA, it's not always foolproof. If we lose our phone or our authentication app stops working, we could be locked out of our account forever, unless we have a backup code (which most people don't).
The most frustrating part is trying to recover our accounts with 2FA enabled, and it seems like Discord used to allow 2FA recovery in the past but now doesn't even really try to investigate and just sends the copy-pasted response over and over no matter what. Why is it that people who have just lost their phone, codes, or been hacked are unable to get their account back even if they have a huge amount of evidence that they are indeed the owner? It doesn't seem fair. Keep in mind that Discord says "we can't unlock 2FA on this account due to security reasons," which means they can remove it but may not be willing to do so.
Discord isn't even a bank, it doesn't have nuclear launch codes, and anything crazy like that. Even though it is important to keep our accounts secure, how much security is really needed for a social media platform with servers? I understand that credit cards may be attached to our accounts, but Discord can require a password and email notification code to gift Nitro or boost a new server.
Discord should make it easier to set up and manage 2FA. They should also have a recovery process that allows us to unlock our accounts without having to go through a complicated process. And if we provide sufficient evidence to prove our ownership of the account, Discord should help us regain access to our accounts.
It's really frustrating to hear that some users had to resort to dishonesty in the past to regain access to their Discord accounts. However, the current system for account recovery in the event of a hack or lost 2FA has become significantly more difficult, without providing any real assistance or personalized attention. This disregard for account accessibility is unacceptable and needs to be addressed.
Here's how Discord can improve the 2FA system:
- Implement a simpler authentication process, such as sending a code to our email
- Users will be shown the consequences of losing access to 2FA by having them click an "I understand" button that appears for 5 seconds. This will ensure that users are aware of the risks and will take extra care to safeguard their accounts.
- An option to provide the recent transaction number they get when buying Nitro as evidence to recover their account.
- A feature similar to Google's "6 Hour Password Reset." When a user requests to reset their password and 2FA, a warning should appear on the top bar of Discord (which cannot be removed) and an email notification should be sent to the user's registered email address, notifying them of the reset request. This will add an extra layer of security and help prevent unauthorized access to user accounts if it were to occur.
- A tiered security system, allowing users to choose the level of security they want for their account based on their individual needs and preferences.
- The ability to set up security questions instead.
- Provide an option for users to have their backup codes emailed, and make it clear that it's the user's responsibility to secure their email as well.
This list can go on and on, but it's clear that there are many ways Discord can improve their 2FA system to better protect and help their users.
If you guys agree with me, please vote up and make this post known. I'd love to hear what issues you have experienced with 2FA on Discord and how we can make our voice heard and work together to make it better.
TL;DR: The current 2FA system on Discord needs improvement. Even if we set up 2FA, we could be locked out of our account forever if we lose our phone or our authentication app stops working. Discord should make it easier to set up and manage 2FA and have a simpler recovery process. They should also allow users to provide evidence, such as the recent transaction number from buying Nitro, to recover their account. Other improvements include a warning and email notification when a user requests to reset their password and 2FA, a tiered security system, and the ability to set up security questions. I wish to push for a better 2FA system on Discord.
You guys can do everyone a huge favor by sending this post link around to anyone.
I agree with this. Discord needs to become better with account security. Read my post if you don't mind; the scenario is not the same, but we both agree on the points. I upvoted as well.
- Users will be shown the consequences of losing access to 2FA by having them click an "I understand" button that appears for 5 seconds. This will ensure that users are aware of the risks and will take extra care to safeguard their accounts.
Good point, I agree with this.
2FA pop up always comes up as a recommendation so users usually just do it to get it done with but they don't actually realise the consequence that comes with it until they go onto the Discord website itself to find out. And often, people will not go to do that.
Discord usually has these caution buttons, for example when you delete a server.
So, this would help regarding 2FA, especially since Discord insists it's a security issue.
Niño : I agree with this. Discord needs to become better with account security. Read my post if you don't mind; the scenario is not the same, but we both agree on the points. I upvoted as well.
It's not surprising to me that Discord does not disable 2FA even when users' accounts get hacked. There's no reason for someone to be hacked and unable to regain their account, especially if they have so much evidence; thank you for responding; I'll revise my post and make the changes soon.
Implement a simpler authentication process, such as sending a code to our email
Bad idea, hackers can easily access your email. Getting access to your 2FA device is harder.
Users will be shown the consequences of losing access to 2FA by having them click an "I understand" button that appears for 5 seconds. This will ensure that users are aware of the risks and will take extra care to safeguard their accounts.
They have a 3 second delay on the QR code login screen that warns you that you are logging into a computer and people still fall for that scam on a regular basis.
A feature similar to Google's "6 Hour Password Reset." When a user requests to reset their password and 2FA, a warning should appear on the top bar of Discord (which cannot be removed) and an email notification should be sent to the user's registered email address, notifying them of the reset request. This will add an extra layer of security and help prevent unauthorized access to user accounts if it were to occur.
So you'd have to wait 6 hours to reset your password?
A tiered security system, allowing users to choose the level of security they want for their account based on their individual needs and preferences.
This already exists, you don't have to enable 2FA.
The ability to set up security questions instead.
Wouldn't really add that much security to your account considering once a hacker knows your security answers then they know them forever, whereas 2FA changes every 30 seconds.
Provide an option for users to have their backup codes emailed, and make it clear that it's the user's responsibility to secure their email as well.
I don't actually mind this idea; it does lower security, but it's no worse than the current security code system and more convenient for 99% of users.
@Big P
My response is pending approval, but I appreciate the points you've made. It's always important to consider both the Pros and Cons when it comes to different options for account security.
My Reply to Big P
"Bad idea, hackers can easily access your email. Getting access to your 2FA device is harder."
It's important to remember that account security is not always foolproof. There are cases where people have been hacked, and the hacker enabled 2FA, or where a device suddenly stops working. In these situations, people who screenshot their codes but never back them up to a cloud service can be left without access to their account. While it's true that emails can also be vulnerable to hackers, it's essential to take steps to secure them, such as using strong passwords and enabling two-factor authentication. Discord could make it clear that it's the user's responsibility to secure their email if they choose to receive backup codes that way. Allowing users to receive backup codes via email could be a more convenient solution for many users without compromising too much on security.
"So you'd have to wait 6 hours to reset your password?"
Google has a system in place where you can request a password reset and 2FA removal in case you lose access to both if you're in your account. During the 6-hour delay, Google waits to see if you successfully reset it, and cancels the request if it detects a potential hijacker.
Discord could implement a similar system where they verify the user's IP address and device history to ensure that it's the actual user requesting the 2FA removal and password reset. And as I mentioned earlier, the system could also show a warning on the top bar of the user's account and send an email to their registered email address for added security.
"Wouldn't really add that much security to your account considering once a hacker knows your security answers then they know them forever, whereas 2FA changes every 30 seconds."
While using security questions as an additional security measure can have potential weaknesses, it's ultimately up to the user to choose a secure custom question and provide an answer that's difficult for others to guess. However, it's also important to acknowledge that there are situations where users may lose access to their devices and backup codes, which can make it difficult to use 2FA. In those cases, having secure security questions as an alternative option can be helpful in regaining access to their accounts.
"This already exists, you don't have to enable 2FA."
Enabling 2FA is not always required, but there are some cases where it is necessary to have it enabled. For example, some servers require 2FA for added security measures, and as a server owner, you may not want your server to be taken from you if you get token logged. Additionally, as a bot developer, enabling 2FA is necessary to access the developer portal.
Overall, it's important to consider all sides of the issue and weigh the Pros and Cons of each option when it comes to account security.
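The delayed reset flow described in the reply above (request, 6-hour wait, unremovable banner plus email, cancel link for the real owner, device-history check), sketched as an added example. This is illustrative code written for this thread, not Discord's or Google's implementation; the account model, the "same device must finish the reset" rule and the sample device IDs are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import secrets

DELAY = timedelta(hours=6)  # waiting period before the reset can complete

@dataclass
class RecoveryRequest:
    requested_at: datetime
    device_id: str        # device that asked for the reset
    cancel_token: str     # secret in the owner's email, lets them abort
    cancelled: bool = False

@dataclass
class Account:
    email: str
    known_devices: set            # assumed device-history store (fingerprints)
    pending: Optional[RecoveryRequest] = None
    notices: list = field(default_factory=list)  # banner/email events, for audit

def request_recovery(acct: Account, device_id: str, now: datetime) -> RecoveryRequest:
    """Start a password+2FA reset; nothing changes until DELAY has elapsed."""
    req = RecoveryRequest(now, device_id, secrets.token_urlsafe(32))
    acct.pending = req
    known = device_id in acct.known_devices
    acct.notices.append(("banner", f"Reset requested from device {device_id} (known={known})"))
    acct.notices.append(("email", acct.email, req.cancel_token))  # contains the cancel link
    return req

def cancel_recovery(acct: Account, token: str) -> bool:
    """Owner clicked the cancel link; constant-time compare on the token."""
    req = acct.pending
    if req and secrets.compare_digest(req.cancel_token, token):
        req.cancelled = True
        return True
    return False

def complete_recovery(acct: Account, device_id: str, now: datetime) -> str:
    """Requester returns: 'pending' until DELAY passes, 'denied' if cancelled,
    from another device, or from a device never seen on the account."""
    req = acct.pending
    if req is None or req.cancelled:
        return "denied"
    if now - req.requested_at < DELAY:
        return "pending"
    if device_id != req.device_id or device_id not in acct.known_devices:
        return "denied"
    acct.pending = None
    return "reset"  # caller now clears 2FA and lets the user set a new password
```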
better
Valid points made in this post
I made a video regarding these problems if you could please check it out so we can help bring this problem to light in a respectful way to Discord : https://youtu.be/9Tnv0S9ssr8