Add support for webauthn authentication, Yubikeys and the like

Comments

19 comments

  • Broshan

    I agree, it's the future of 2FA and even passwords in general. Discord should be ready.

    4
  • pydlv

    Yes please. Much more secure than TOTP/Google 2FA/SMS authentication and many people have Yubikeys now

    0
  • Da Bald Eagul

    Yes please! (Just support USB please)

    1
  • BinaryOverload

    This! Using a U2F key is so much quicker and in most ways more secure than using texts or an Authenticator app, would love this! Not enough sites have it...

    4
  • Defalt

    And have an option for passwordless login if you have a security key

    0
  • Spooker

    It would be just awesome to see U2F on Discord!!

    0
  • NHS

    Hi, all.

    Thanks for your comments.

    I really hope Discord listens to this. 

    Best regards,

    Darius.

    0
  • dissolve

    My hope is to be rid of 6 digit code entry by the end of 2019

    2
  • dissolve

    +1, WebAuthn makes this much simpler than it used to be, and much more secure. Yubico has lots of documentation on how it works.

    2
  • ! Standard Developer 2016-2019 !

    Yup, adding FIDO U2F will increase security as well as speed (instead of accessing your phone every time you authorize, you click a button), but the downside is that it does not support mobile devices, so modifying it to email-based verification would be better than using a phone, as people cannot always access their phone, which can be frustrating (like for me).

    Conclude:
    * Yes, this is a recommended 2 Factor Authentication to be implemented, as well as adding the email verification code (mobile can be kept or removed as it doesn't really matter, since more users have access to email than to a mobile phone (as it's free ofc and you don't need to pay a phone bill xD)).

    0
  • Zacatero
    YES!!! I'd love U2F access
    0
  • 𝑯𝒂𝒉𝒎𝒐

    I updated the post to reflect the recent announcement made by the FIDO Alliance.

    0
  • Nirantali

    Just again had to search the mobile, open the authenticator app, search Discord, read the code off the screen and enter it ... it's boring and additionally all those TOTP things are also phishable.

    So yes please support FIDO U2F and FIDO2 webauthn 2FA and passwordless.

    I have plenty of security keys for that, a lot of yubikey4(3), yubikey5NFC(2) and a yubikey Neo and a FEITIAN Biopass FIDO2. I've been ready for years and already use them everywhere I can. Unfortunately Discord still uses boring and phishable stone age 2FA and even SMS 2FA that was deprecated years ago and shouldn't be used anymore.

    Also for the ones saying it doesn't work on mobiles, that's wrong, that's why I have a yubikeyNeo and yubikey5NFCs, they both are NFC capable for use with Mobiles. On Mobiles you simply swipe the Security Key over the Mobile instead of touching the button.

    0
  • Hiroki

    It's even better for the user.

    Authentication with tokens has been available in countries like France since the 1990s, for popular services like:

    • Banking (at shops and ATMs - chip and PIN was introduced in 1995)
    • Payphones
    • pre-internet Minitels (you could authenticate yourself on remote services, record contacts, and pay with your actual debit card, on later versions).
    • GSM networks (thanks to SIM cards)

    Here is what I bought as a cheap RPI terminal (a Minitel featuring a chip card reader):

    Banks and France Telecom were successful at teaching the 1990s society how to use them. And these services became ubiquitous.

    Also, I didn't live in that period, but I've never seen elderly people or pre-millennials complain about how hard or unsafe it is to use a SIM card or an EMV debit card.

    On the other side, everyone complains about password requirements; IT guys keep blaming users for phishing, even if better technologies exist to log in (like the ones mentioned above), emails could be signed (with GPG, DKIM, ...) and webmails could check these signatures, ...

    When it comes to internet services, it's as if there was an oak in the middle of the road. It's been there first, so let's not change anything. If you crash into it, you're at fault for having bad driving habits.

    0
  • StygianBlues

    Hear! Hear!

    0
  • Nirantali

    When can I finally register one or more of my security keys in Discord?

    Because every time I need to search my phone, open that silly app, search for the code, read and remember it and then enter it in Discord, I think to myself how sweet it would be if I only had to touch my Yubikey Nano that is always plugged in on my notebook.

    0
  • ligi

    We need this. Some arguments for it here: https://blog.trezor.io/why-you-should-never-use-google-authenticator-again-e166d09d4324

    1
  • Nirantali

    @ligi What they forgot to tell there is what happens if your mobile blows up like my Samsung where the battery expanded, then exploded and took everything with it.

    Here's a hint: if you didn't save screenshots of all QR codes on your HDD or so, you're SOL.

    Luckily I took screenshots of all QR codes, but you know, if I need to take screenshots of QR codes that contain the shared secret because there's no backup function and I could lose all 2FAs in such a battery blow-up event, then something is wrong anyway.

    The shared secret database could also be stolen from the mobile itself by malicious apps or from the company's server like they said, and in my case even from my HDD because I'm forced to save screenshots of the QR codes in case of emergency.

    SMS and TOTP 2FA is dead, long live FIDO U2F/FIDO2 webauthn.

    0
  • Skeletor

    Discord plis

    2
