Add support for webauthn authentication, Yubikeys and the like

Comments

19 comments

  • Broshan

    I agree, it's the future of 2FA and even passwords in general. Discord should be ready.

    5
  • pydlv

    Yes please. Much more secure than TOTP/Google 2FA/SMS authentication and many people have Yubikeys now

    0
  • Da Bald Eagul

    Yes please! (Just support USB please)

    1
  • BinaryOverload

    This! Using a U2F key is so much quicker and in most ways more secure than using texts or an Authenticator app, would love this! Not enough sites have it...

    5
  • Defalt

    And have an option for passwordless login if you have a security key

    0
  • Spooker

    It would be just awesome to see uf2 on discord!!

    0
  • NHS

    Hi, all.

    Thanks for your comments.

    I really hope Discord listens to this. 

    Best regards,

    Darius.

    0
  • dissolve

    My hope is to be rid of 6 digit code entry by the end of 2019

    2
  • dissolve

    +1 webauthn makes this much simpler than it used to be, and much more secure. Yubico has lots of documentation on how it works.

    4
  • ! Standard Developer 2016-2019 !

    Yup, adding FIDO U2F will increase security as well as speed (instead of accessing your phone every time you authorize, you click a button). The downside, however, is that it does not support mobile devices, so modifying it to email-based verification would be better than using a phone, as people cannot always access their phone, which can be frustrating (like for me).

    Conclusion:
    * Yes, this is a recommended 2 Factor Authentication to be implemented, as well as adding the email verification code (mobile can be kept or removed, as it doesn't really matter since more users have access to email than to a mobile phone (as it's free ofc and you don't need to pay a phone bill xD)).

    0
  • Zacatero
    YES!!! I'd love U2F access
    0
  • 𝑯𝒂𝒉𝒎𝒐

    I updated the post to reflect the recent announcement made by the FIDO Alliance.

    0
  • Nirantali

    Just again had to search for the mobile, open the authenticator app, search for Discord, read the code off the screen and enter it ... it's boring and additionally all those TOTP things are also phishable.

    So yes please support FIDO U2F and FIDO2 webauthn 2FA and passwordless.

    I have plenty of security keys for that, a lot of yubikey4(3), yubikey5NFC(2) and a yubikey Neo and a FEITIAN Biopass FIDO2. I've been ready for years and already use them everywhere I can; unfortunately Discord still uses boring and phishable stone age 2FA and even SMS 2FA that was deprecated years ago and shouldn't be used anymore.

    Also for the ones saying it doesn't work on mobiles, that's wrong, that's why I have a yubikeyNeo and yubikey5NFCs, they both are NFC capable for use with Mobiles. On Mobiles you simply swipe the Security Key over the Mobile instead of touching the button.

    0
  • Hiroki

    It's even better for the user.

    Authentication with tokens has been available in countries like France since the 1990s, for popular services like:

    • Banking (at shops and ATMs - chip and PIN was introduced in 1995)
    • Payphones
    • pre-internet Minitels (you could authenticate yourself on remote services, record contacts, and pay with your actual debit card, on later versions).
    • GSM networks (thanks to SIM cards)

    Here is what I bought as a cheap RPI terminal (a Minitel featuring a chip card reader):

    Banks and France Telecom were successful at teaching the 1990s society how to use them. And these services became ubiquitous.

    Also, I didn't live in that period, but I've never seen elderly people or pre-millennials complain about how hard or unsafe it is to use a SIM card or an EMV debit card.

    On the other side, everyone complains about password requirements; IT guys keep blaming users for phishing, even if better technologies exist to log in (like the ones mentioned above), emails could be signed (with GPG, DKIM, ...) and webmails could check these signatures, ...

    When it comes to internet services, it's as if there was an oak in the middle of the road. It's been there first, so let's not change anything. If you crash into it, you're at fault for having bad driving habits.

    0
  • StygianBlues

    Hear! Hear!

    0
  • Nirantali

    When can I finally register one or more of my security keys in Discord?

    Because every time I need to search for my phone, open that silly app, search for the code, read and remember it and then enter it in Discord, I think to myself how sweet it would be if I only had to touch my Yubikey Nano that is always plugged in on my notebook.

    0
  • ligi

    We need this. Some arguments for it here: https://blog.trezor.io/why-you-should-never-use-google-authenticator-again-e166d09d4324

    1
  • Nirantali

    @ligi What they forgot to tell there is what happens if your mobile blows up like my Samsung where the battery expanded, then exploded and took everything with it.

    Here's a hint: if you didn't save screenshots of all QR codes on your HDD or so, you're SOL.

    Luckily I took screenshots of all QR codes, but you know, if I need to take screenshots of QR codes that contain the shared secret because there's no backup function and I could lose all 2FAs in such a battery blow-up event, then something is wrong anyway.

    The shared secret database also could be stolen from the mobile itself by malicious apps or from the company's server like they said, and in my case even from my HDD because I'm forced to save screenshots of the QR codes in case of emergency.

    SMS and TOTP 2FA is dead, long live FIDO U2F/FIDO2 webauthn.

    0
  • Skeletor

    Discord plis

    3