Discord has made security key multi-factor authentication available for all accounts on the platform, bringing significant security and anti-phishing benefits to its 500+ million registered users.
The popular social platform first highlighted the benefits of using security keys with WebAuthn in August 2023 when it rolled out additional account protections for its employees.
Discord has now brought the WebAuthn feature to all Discord users, allowing users to replace the legacy MFA system that relies on time-based one-time passwords, 8-digit one-time backup codes, and SMS messages carrying a 6-digit verification code.
Discord users can now go into Settings > My Account > Register a Security Key and use WebAuthn to configure Windows Hello, Apple's Face ID or Touch ID, and hardware security keys for authentication.
This new feature enhances protection against credential theft, as it requires a physical device, whether that is a computer or mobile phone, to log into your Discord account.
WebAuthn is a web standard for secure, password-less authentication developed by W3C and the FIDO Alliance.
It allows users to log in to internet accounts using biometrics, mobile devices, and physical security keys, which are more secure than traditional passwords and inherently phishing-resistant.
Non-phishable: Only discord.com can request authentication via WebAuthn, so the keys are out of the reach of phishing actors.
Non-guessable: Unlike static passwords, WebAuthn's response changes with each login, making it immune to replay attacks.
Easy to use: By offering seamless integration with Windows Hello, Apple Face ID, and Touch ID, logging into your Discord account securely becomes much easier and quicker.
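The Python below is an added example, not Discord's code or part of the original article: it shows the server-side checks on an assertion's challenge, origin and rpIdHash that back the non-phishable and non-guessable properties. The helper names, the RP ID and origin values, the lookalike origin `https://discord.com.example` and all sample data are constructed assumptions, and signature verification against the registered public key, which a real server also performs, is assumed to happen separately.

```python
import base64, hashlib, hmac, json, secrets

RP_ID = "discord.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://discord.com"  # assumed web origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for clientDataJSON; the browser, not the page, sets origin."""
    return json.dumps({"type": "webauthn.get", "origin": origin,
                       "challenge": b64url(challenge)}).encode()

def authenticator_data(rp_id: str, flags: int = 0x01, counter: int = 1) -> bytes:
    """Constructed authenticatorData: rpIdHash (32) | flags (1) | signCount (4)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + counter.to_bytes(4, "big"))

def check_assertion(client_data_json: bytes, auth_data: bytes,
                    issued_challenge: bytes) -> str:
    """Return "ok" or the reason the assertion is rejected (signature check not shown)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return "malformed clientDataJSON"
    if not isinstance(cd, dict) or cd.get("type") != "webauthn.get":
        return "wrong type"
    # Replay resistance: must echo the one-time challenge issued for this login.
    got = str(cd.get("challenge", "")).encode()
    if not hmac.compare_digest(got, b64url(issued_challenge).encode()):
        return "challenge mismatch"
    # Phishing resistance: the origin the browser saw must be ours, exactly.
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    if len(auth_data) < 37:
        return "authenticatorData too short"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:         # UP (user present) flag
        return "user not present"
    return "ok"

def demo() -> dict:
    challenge, stale = secrets.token_bytes(32), secrets.token_bytes(32)
    fake = "discord.com.example"         # constructed lookalike host
    return {
        "legit": check_assertion(browser_client_data(EXPECTED_ORIGIN, challenge),
                                 authenticator_data(RP_ID), challenge),
        "phish": check_assertion(browser_client_data("https://" + fake, challenge),
                                 authenticator_data(fake), challenge),
        "replay": check_assertion(browser_client_data(EXPECTED_ORIGIN, stale),
                                  authenticator_data(RP_ID), challenge),
    }
```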
WebAuthn is supported across all major web browsers, which makes integration there more straightforward, but bringing it to Discord's Electron client and mobile apps was a bit more complicated.
The Electron framework was selected for Windows and macOS desktop apps.
A custom Objective-C++ module was developed for macOS to call Mac native code for the WebAuthn functionality.
Legacy MFA options remain available for those who need them, so if you haven't set up any 2FA protections for your Discord account, consider adding one now.
Discord promises to continue working on introducing WebAuthn-based password-less login in the future.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 14 Dec 2023 18:25:17 +0000