In light of recent discussion. I am deciding it’s best for everyone to have multi-factor authentication enforced for the forum. This enhances your security to prevent advanced phishing techniques as well as prevent chain compromised attacks and credential stuffing.

You can enable MFA here : Account > Preferences > Security

I also highly advise using Passkeys, this is effectively a guarantee to prevent unauthorised access even when your computer is compromised (depending on implementation)

MFA enforcement is coming 2026-03-31T00:00:00Z

I recorded a video to help you out: (unfortunately streaming isn’t working)
https://od.lk/d/NzFfMzAzMTEwNjVf

I will be doing an educational Livestream on discord 2026-03-01T20:00:00Z

There’s a lot of misinformation surrounding MFA being spread, so I’m writing this additional portion to inform you.

Q: What exactly is being enforced?
A: TOTP authentication is being enforced. Nothing else. Everything else is optional.

Q: Is this private? What sensitive information will be given to you?
A: No sensitive information will be visible, nor stored by me. In the case of TOTP I will only have stored a symmetric key which is used to generate OTP codes. This key cannot be used to identify you.

Q: What apps can I use that are privacy respecting for being an authenticator.
A: Technically all of them are. But if you’re paranoid (and you should be) using an offline authenticator that is FOSS (Free And OpenSource) is best.

• KeepassXC
• Aegis Authenticator
• Chrome Authenticator

Q: How does this enforced MFA work?
A: When you enroll a TOTP, what happens is a symmetric key is generated (Symmetric means the key is the same, not public/private). You keep yours in your authenticator and the authenticator app generates one-time passwords (OTPs). These codes change every 30 seconds which is why it’s Timed (Timed one-time passwords (TOTP)). When you authenticate, you enter the current code and if it matches the code the server is expecting (they’re doing the same thing on the server), then you authenticate.

When you enroll your authenticator, you can scan a QR code or manually enter the key. For additional privacy, manually entering the key is preferred.
The QR code will provide more than just the key, it also contains metadata that you don’t necessarily need. Review the video above I have recorded, it covers how you can remove this metadata for additional privacy.

Q: How is this different from discord’s id verification?
A: I don’t want your private information, and I don’t need it for you to prove you own an account. MFA is a way to prove you are who you claim to be. This claim can be completely anonymous, and not contain any information about you. I can claim to be VladTheImplier, but I need to prove I registered that account and own that account. VladTheImplier is not my real name.

Q: What is a Passkey?
A: This is a complex topic so I have 2 answers:
Short answer: This is a password replacement that’s very convenient to use and skips traditional MFA. The original domain to a passkey is tied to the login process, making it impossible to fall for a phishing page when using passkeys.

Love this move.

Honestly, if someone is out there trying to credential-stuff their way into my forum account just to see my hot takes and half-finished thoughts, they deserve at least two layers of disappointment.

Also, passkeys? Say less. If my account requires my face, my fingerprint, and possibly my soul to log in, that just means it is going to be more difficult to kink shame me.

Appreciate you prioritizing security. Phishers can go cast their nets somewhere else.

This is a misunderstanding of what MFA is. I will never be able to see your face or identifying information. That stays on your device and is used with your private keys, It never leaves your local client.

Email is considered a weak MFA method. You should only use TOTP (the rolling 6 digit codes) or passkeys. SMS (text messages) are also bad.

This is not a justification for bad security.

This is why I professionally educate on security. There’s so much misinformation and lack of understanding on how security works. The only thing changing is requiring a second factor for authentication. Using a TOTP code or passkey is perfectly privacy respecting and dramatically enhances your security. In the realm of cybersecurity TOTP and passkeys are used all the time because they don’t require revealing sensitive information and dramatically decrease unauthorized access.

The thing is, I have a background in cybersecurity. I know the difference between security theatre and real practical security involving real cryptography and logic.

Discord wants you to reveal sensitive information. I want to use cryptography to prove you are who you say you are with math and private keys. I don’t care what your real name is. I don’t want to know. But I need a way to prove you are who you claim to be to ensure I don’t let just everyone into your account. That’s what MFA/Passkeys are for.

Not a fan of people using AI to try and discredit me.

You can use these tools anonymously. In fact that’s why I prefer NOT using email or SMS which is Less anonymous.

The whole point to passkeys is it’s an anonymous credential. Not even you can know your private key because it’s not stored in a way you can see it. If you sync your key with google, not even google can see it, because there’s multiple layers of cryptography built into the protocol.

You’re right, and quite frankly enforcement is way overdue.

It shows that you don’t know how MFA/Passkeys work. This sentence doesn’t make sense.
I have decided. I will be doing a security education on discord later.

I hope whatever you’re gonna do over there can be later summarized on the forum, or I fear, it will be of very limited reach.

Could you elaborate/explain a little more?
MFA - Multi-factor Authentication, alright, but what kind exactly?

Or asked a little differently, what I would have to do to log into my account (simply phrased)?
What ways are possible?
I already got some fake PayPal-Warn calls on my phone, makes me hesitate to give phone number somewhere ever again.

Maybe I just get it wrong, so I wanna wait for some clarification first, but I don’t like the sound of ‘enforcement’, in general I’m quite fed up of all the babysitting everywhere, and at the first read, it sounds a bit like that (again, I could be wrong and just don’t really get it, english isn’t my first language).

For MFA (which will be enforced):

image549×383 10.3 KB

Passkeys (which will not, but I want to encourage use of):

image635×473 15.8 KB

I do not want your phone number, sms otp is not allowed nor configured

It’s unfortunate you choose that but ok. (A user chose to have their account deleted)

One user with no senes of OPSEC fell for a phishing e-mail, and now the pr0n script site needs to become fort knox?

Don’t get me wrong, I have MFA for stuff with sensitive information but this site aint it. If someone took over my account, they could barely do more than if they started a brand new account themselves.

To be clear it wasn’t phishing.
It was a game (unrelated to the forum) that was malware masquerading as a game.
It stole session tokens and that user was being impersonated.

Anyone could have fallen for it. Don’t think anyone (including me) is special.

And to address this specifically, MFA isn’t even really enough these days. There are way more advanced ways of breaking into accounts like the malware that was used as well as reverse proxy phishing which is much harder to detect MFA doesn’t prevent. (which is why I suggest passkeys)
It’s worth noting that once you login you shouldn’t have to login again. You should remain logged in thanks to a primary refresh token (which renews new authenticated sessions for you transparently in the background.)

this feels like an overreaction, and i dont support it. i only use one device for these kinds of things i dont want to use my phone or another device to acess this site.

You don’t have to.
A password manager, chrome extension or just the builtin browser passkey store would work.

I am not arguing with you about the severity of malware attacks. I am just a normal user, but I know that there are some nasty stuff out there. What I am questioning is if the people stealing credentials actually cares about this site. It is not like they are gaining anything by impersonating the average ES user.

With this in mind, it seems strange that ES will now require more security for logging in than like Paypal for instance.

This is called security through obscurity, and yes there are real threats to users impersonating other users. When the user was hacked, they were a friend of mine. The hacker DMd me impersonating them trying to get me to download the game/malware. That user informed me they were hacked prior so I knew it was fake, but someone else may have gotten infected as well.

This is only one aspect called social engineering. There are many threats you or I haven’t even begun to think about. I’m not leaving that risk open.

That should concern you.

This is great
Stay safe on the net people

but then i would be locked out if my device stops working? before i could just remember my password.

You can make backups like I show above:

i cant check that menu without turning 2fa on how does backup codes work?

The codes are generated and given to you in the page, you copy them wherever, make sure to put them somewhere safe, and if you lose access, you can use one of the codes (typically 12 are generated) as a MFA bypass. The codes are one time use. You can write them down in a notebook or put them somewhere you’re confident that they won’t be stolen easily.

cant i just generate new back up codes and use that instead then? i rather have 2 passwords then all this other stuff