Two-factor Authentication #5
Comments
Please make sure that you can't access your backup codes with your main account password ... Discord does this and a friend had an account stolen because of this flaw.
That's very interesting, I didn't know that about Discord. I understood backup codes are typically generated and displayed once only at creation time and can't be retrieved afterwards.
Please don't do it like Discord, authenticating through Google Authenticator, because for those who format a smartphone it's a drag.
Discord uses the standard TOTP format; you can use other apps that manage those codes much better than Google Authenticator. Authy is a popular one.
But this creates a lot of problems for some people. Email account, phone number, and sending the code via messages or to the verification email are sufficient.
@telmobss1 Codes sent like that are far less secure.
That's far less secure, especially SMS based codes (see SIM swapping for example). TOTP is a great standard for 2FA, the problem is that most platforms tell people to use Google Authenticator which does not back your codes up properly, locking you out of your account if you lose your phone.
Does Security Key 2FA Login mean FIDO2/U2F/WebAuthn or the proprietary YubiKey OTP "standard"? I'd much prefer the former because it's an open standard that many security dongles support while the latter is only supported by dongles of the YubiKey brand.
I think maybe what @telmobss1 is hinting at is to not recommend Google Authenticator like Discord. I agree, something OSS should be recommended, like Authy.
@errhammr I'm hoping for WebAuthn, which seems the most like a protocol a lot of services would hop on, and it allows built-in peripherals like Apple's Touch ID or Face ID and even Windows Hello. Logging in with my phone 2FA is a pain, but if all I need is a fingerprint, it would be very nice. More importantly, it needs to support more than one method (of course). Notable platforms that do this: Cloudflare, GitHub; I'm sure the list goes on.
TOTP is a must and very happy to see it being considered! TOTP is meant to be an open standard, so it's probably best to avoid direct recommendations. "Scan with your authenticator app" is probably a better solution.
Authy is not open source. Also please for the love of god let's not utilize an Authy-only TOTP solution like Twitch & Gemini have done. Just standard TOTP that is compatible with anything.
My bad, Authy isn't open-source. This sounds even better, no direct recommendations. We can probably link to a neutral list of auth apps (preferably only OSS ones) in case some users are just starting out with 2FA. I think that users should probably be nudged to 2FA as it's much more secure.
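To make concrete what "standard TOTP that is compatible with anything" means on the server side, here is an added example (not code from this issue thread or from the project) of RFC 4226 HOTP / RFC 6238 TOTP: HMAC-SHA1 over a time-step counter, a small verification window, a replay check on the last accepted counter, and the otpauth:// provisioning URI that any authenticator app can scan. It uses the RFC's published reference secret so the output can be checked against the RFC test vectors; the issuer and account names in the URI are placeholder assumptions.

```python
# Added example (not from the issue thread or the project): minimal
# RFC 4226 HOTP / RFC 6238 TOTP, the open format any authenticator app understands.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

# Reference secret from RFC 4226/6238 (ASCII "12345678901234567890"), kept only
# so results can be compared with the published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238) is HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the matching time-step counter if `submitted` is valid within
    +/- `window` steps of `unix_time` (clock drift tolerance), else None.
    Each candidate is compared in constant time."""
    submitted = submitted.replace(" ", "")
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


class TotpEnrollment:
    """Per-user TOTP state: a random 160-bit secret plus the last accepted
    counter, so a code that was already used cannot be replayed."""

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self.secret = secret if secret is not None else secrets.token_bytes(20)
        self.last_counter = -1

    def provisioning_uri(self, issuer: str, account: str) -> str:
        """Key URI (otpauth://) shown as a QR code at enrollment; issuer and
        account are whatever the service chooses (assumed values in tests)."""
        b32 = base64.b32encode(self.secret).decode().rstrip("=")
        return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
                f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")

    def accept(self, submitted: str, unix_time: Optional[int] = None) -> bool:
        """Accept a code once: valid within the window and strictly newer than
        the last counter already used."""
        now = int(time.time()) if unix_time is None else unix_time
        counter = verify_totp(self.secret, submitted, now)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    enrollment = TotpEnrollment()
    print(enrollment.provisioning_uri("ExampleService", "user@example.com"))
    print("current code:", totp(enrollment.secret, int(time.time())))
```

Because the secret, algorithm, digit count and period are all carried in the otpauth:// URI, the service never needs to recommend a particular app: Google Authenticator, Authy, or any other RFC 6238 client produces the same codes from the same URI.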
I respectfully disagree, please keep that feature. The fact that your friend's Discord account was stolen is their fault, not Discord's fault.
Discord is switching to requiring email confirmation for backup codes anyway... Some services show you the backup codes once, but services like GitHub and Google let you view it whenever. Personally, I'm ambivalent, but it still needs to be easily accessible, if it is at all. I do also disagree with the above user's attempt to use ad hominem to prove their point, it's still a valid point in terms of security. While it may have been caused by them, I still wouldn't put the blame on them, nor the fault of security on Discord's end (not that they particularly seem to care, despite them putting some effort, it's still disappointingly little).
I disagree with your disagreement; I had my account stolen the same way by an automated script due to an exploit that existed in Discord a while ago. Discord support being ass and completely unhelpful, having not done anything. So I agree with the first poster: Do NOT let anyone access backup codes without email confirmation, or at all once displayed the first time.
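The "show once, never re-display" design argued for in this thread is easy to enforce at the storage layer: if the server only keeps a salted, stretched hash of each code, there is nothing to show again even to a fully authenticated session. The following added example (not code from this thread or from the project) issues a set of single-use backup codes, returns the plaintext exactly once, and redeems each at most once; the PBKDF2 iteration count and the 5-hex-digit grouping are assumptions for the example.

```python
# Added example (not from the issue thread or the project): backup codes that
# are displayed once at issue time and stored only as salted PBKDF2 hashes,
# so they cannot be re-displayed later and each one works exactly once.
import hashlib
import hmac
import secrets
from typing import List, Tuple

KDF_ITERATIONS = 50_000  # PBKDF2-HMAC-SHA256 rounds; assumed value, tune per deployment


def _normalize(code: str) -> str:
    """Accept what a user pastes: strip spaces and dashes, ignore case."""
    return code.replace("-", "").replace(" ", "").lower()


def _hash_code(code: str, salt: bytes) -> bytes:
    # Backup codes carry ~40 bits of entropy, so stretch them like passwords.
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, KDF_ITERATIONS)


class BackupCodeStore:
    """Per-user store holding only (salt, hash) pairs; no plaintext survives issue()."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []

    def issue(self, count: int = 10) -> List[str]:
        """Generate a fresh set (invalidating any previous set) and return the
        plaintext codes exactly once, formatted for display as xxxxx-xxxxx."""
        codes: List[str] = []
        self._entries = []
        for _ in range(count):
            raw = secrets.token_hex(5)          # 10 hex chars, 40 bits of entropy
            salt = secrets.token_bytes(16)
            self._entries.append((salt, _hash_code(raw, salt)))
            codes.append(f"{raw[:5]}-{raw[5:]}")
        return codes

    def redeem(self, submitted: str) -> bool:
        """Consume one code: True on its first valid use, False afterwards.
        Every stored entry is checked so timing does not reveal which matched."""
        match_index = -1
        for i, (salt, digest) in enumerate(self._entries):
            if hmac.compare_digest(_hash_code(submitted, salt), digest):
                match_index = i
        if match_index < 0:
            return False
        del self._entries[match_index]    # single use: drop the hash on success
        return True

    def remaining(self) -> int:
        """How many unused codes are left; this count is safe to show a user."""
        return len(self._entries)


if __name__ == "__main__":
    store = BackupCodeStore()
    shown_once = store.issue()
    print("Save these now, they will not be shown again:")
    print("\n".join(shown_once))
    print("first redeem:", store.redeem(shown_once[0]))
    print("replay:", store.redeem(shown_once[0]))
```

The class deliberately has no method that returns plaintext after issue(); the only recovery path is a regeneration that invalidates the old set, which is the point at which a service would demand the extra email confirmation the thread discusses.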
In reply to the argument above: In reply to the security key stuff above:
Also I wanted to mention, SMS 2FA will never be supported. It is an insecure standard and isn't worth the trouble.
Implemented MFA flow, now writing tests: |
Add different MFA methods.
1FA
1FA (requires email specified)
2FA (requires email + password specified)