Token Stealing Prevention
Hello folks,
This has probably come up one time or another already :)
However, I would still like to contribute to this topic.
Now, Discord is not the only application that's "vulnerable" to token logging. In fact, I see it as less of a vulnerability, as this is just how their auth works. It's just like if someone were to steal your password; you cannot really call that a vulnerability, with the slight difference that it is way easier to steal somebody's token in comparison to their password.
I once became a victim of a token logging scam as well; they charged about 150€ from my credit card. After contacting the Discord support I was able to get the money back, however they explicitly told me that if it were ever to happen again to my account, I would not be refunded. Which in one way or another makes sense, but please, Discord, I know for a fact that I am not the only one who has had this issue at least once, and there are definitely people out there who became victims of such an attack more than once. If you enforce such a "one-time refund" thing, at least do something about token logging; give victims the opportunity to defend against such attacks.
Now you might think "You have been token logged once, how can you be that stupid and fall for the same thing again?" If that's what you think, you definitely underestimate social engineering. It can be really manipulative and easily trick people into scanning some QR code or such. Especially if you're not too much into technology, or just haven't heard about it, things such as scanning QR codes might seem too trivial to give an attacker access to your account. And it really is, I mean, it already sounds stupid.
I understand why Discord doesn't enforce a specific kind of protection layer against token logging, like requiring 2FA every time somebody attempts to log in via an auth token. It might not be as user-friendly and there probably are a few other reasons for that. However, imo, Discord should give you the option to protect against these kinds of attacks.
Maybe one that requires the 2FA key when using the token from a new IP address/location, or one that hashes/encrypts the auth token in some way, just any simple protection layer. Discord's developers can probably think of a better, maybe more user-friendly solution than these; they were just examples.
I know an upcoming solution might not be as user-friendly, but you should let the user decide whether he prefers a more secure account. If the user doesn't want to keep re-entering his password every time he's being assigned a new IP address, or whatever such a solution would require, hey, just turn off the extra security layer, but do not complain if you become a victim of such an attack.
Feel free to share your opinion about this and correct me if I said something wrong :)
-
Alternatively, they could send an email to your registered email and prevent logging in and/or spending money within the app until you've clicked that and logged in on the website or something. Or only let you spend money if you've marked that specific device as a trusted device, via either email or 2FA stuff. Which should be kept on the server, so they can double check against it before letting you spend money. Then people wouldn't end up with all these hackers who can spend their money just by stealing their tokens.
It might also help if Discord had warnings within the app about this, too. A quick tutorial about common scams and phishing attempts, maybe? When you first sign in, or maybe after a couple of days. Or maybe something in the options that's labelled something like "Staying safe online". I dunno. In your profile settings? I'm sure they could figure something out.
But honestly, I hear way too many stories about people getting hacked/having their token stolen in increasingly clever ways. Not everyone is tech savvy enough, nor socially adept enough, to realize when they're being led to do dangerous things, like clicking innocent-looking links from hacked friends or scanning QR codes.
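Here is what the two proposals in this thread (step-up 2FA when a token shows up from a new address, and a server-side trusted-device list gated in front of purchases) could look like on the server side. This is an added illustration, not Discord's code; the token, IP addresses, device ids and the fixed 2FA code are constructed stand-ins, and `confirm_2fa` compares against a stored code where a real service would verify a TOTP.

```python
"""Session-binding sketch for the step-up idea discussed in this thread."""
from dataclasses import dataclass, field
from enum import Enum
import secrets


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_2FA = "require_2fa"  # token alone is not enough; ask for the second factor
    DENY = "deny"


@dataclass
class Session:
    user: str
    bound_ip: str  # address the token was issued to (or last confirmed from)


@dataclass
class Account:
    twofa_code: str  # constructed stand-in for a real TOTP check
    trusted_devices: set = field(default_factory=set)  # kept server-side, never in the token


# Constructed sample state: one user, one valid token, no trusted devices yet.
ACCOUNTS = {"alice": Account(twofa_code="492817")}
SESSIONS = {"tok-alice-1": Session(user="alice", bound_ip="203.0.113.5")}


def authorize(token: str, ip: str, device_id: str, action: str) -> Decision:
    """Decide whether a request carrying `token` may perform `action`."""
    session = SESSIONS.get(token)
    if session is None:
        return Decision.DENY
    account = ACCOUNTS[session.user]
    # Spending money requires a device the user explicitly trusted via 2FA.
    if action == "purchase" and device_id not in account.trusted_devices:
        return Decision.REQUIRE_2FA
    # A token presented from a new address (the usual stolen-token pattern) steps up.
    if ip != session.bound_ip:
        return Decision.REQUIRE_2FA
    return Decision.ALLOW


def confirm_2fa(token: str, ip: str, device_id: str, code: str) -> bool:
    """On a correct second factor, trust this device and re-bind the session to `ip`."""
    session = SESSIONS.get(token)
    if session is None:
        return False
    account = ACCOUNTS[session.user]
    if not secrets.compare_digest(code, account.twofa_code):
        return False
    account.trusted_devices.add(device_id)
    session.bound_ip = ip
    return True
```

A stolen token replayed from the attacker's address lands in `REQUIRE_2FA` for everything, and purchases stay blocked until the real user has confirmed the second factor on that device.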