Security for Everyone

That would defeat the purpose of the MFA.
I really think you guys are missing how easy this is to use.

For simplicity, it is also possible to use the built-in password manager of Apple, or Google Authenticator, for TOTP. TOTP codes are the 6-digit numbers that change every 30 seconds.

The feature is free and easy to set up, without needing a new account, or a password manager.
Though I do encourage using proper password managers.

4 Likes

Good call. Honestly people struggling to use password managers and 2FA/MFA/TOTP in '26 is borderline pathetic. I get it if one is new on the web, then maybe.

Would help to spread the word on some tools in the posts, and/or have these suggested in the user security settings panel:

KeePassXC for password management (and optionally 2FA too)
Sync the KeePass files between all devices for sync (no cloud stuff needed)
Android: KeePassDX
iOS: nope

Aegis for 2FA on Android

All of these are free as in freedom

3 Likes

I personally use these tools as well.
I would also highlight the easier-to-use
Chrome Authenticator - Source code

1 Like

I have set up a passkey. Should I delete my password now? I just want to make sure, as I don’t want to lose access to my account. TIA

I’m really glad to see how quickly you handled this.
It shows how much you care about the community.
I’m proud of the work you’re doing here. Seriously, thank you!

5 Likes

No. Although passkeys are more secure, they are generally device-specific (not always, if you use a password manager).

Passwords + MFA can still be used to authenticate new devices, where you can also set up a passkey. Or, if you need break-glass access (after losing all your access), password + MFA backup code would get you back in.

There are always ways to get back in; it just requires a bit of setup beforehand.

The best way to manage this is with a password manager that supports passkeys.

This. I cancelled my Nitro and deleted Discord entirely due to the upcoming nonsense Discord is pushing. Kinda funny how short-lived that banner was on here.

2 Likes

That’s a good point. I will put that back up later. The Discord ID issue is more important.

2 Likes

I’ve used my phone to set up the passkey, so I can use it with any device. I do have a strong password, and I never reuse passwords on any sites. I was just thinking that I wouldn’t need a password anymore, now that I have a passkey set up.

1 Like

For using token-based 2FA, will I have to use it every login? I use a private browser with a VPN, so having to use MFA would increase the annoyance of using the site. I’m not strictly against it, but could I use a passkey INSTEAD of MFA? Or will MFA be required whether I use a passkey or not?

1 Like

Oh good lord… someone is definitely gonna have to make sure I do everything right. I’m not borderline pathetic… I’m like Madonna. I’m well over… :upside_down_face:

You can also host your own passkey/MFA/password vault if you want more peace of mind. I use Bitwarden hosted locally and it’s great for controlling your own data.

I see a lot of people complaining about anonymity and privacy but the truth is 2FA can be completely controlled by you with no third parties if you take a little time to set it up. All eroscripts will see is a two factor code linked to your preferred manager. They won’t see PII like biometrics or a photo of you, it’s inherently different from the discord shenanigans.

Take the time to set up at least 2FA, even if this rule gets backtracked; it’s good practice and can save you a massive headache down the line. Then generate backup codes and save them locally with a backup, and you’ll harden your account and rarely have to worry again.

1 Like

I think I set up a passkey in like 5 mins on Chrome. 2FA took a bit more because I needed to set up a different thing to act as an authenticator.

As far as I can tell, if I’m signing in with the passkey I don’t need the authenticator, but if I’m using email and password I do?

2 Likes

I’ll be honest, mandatory enforcement gives me pause. Adding a required extra step to login is, by definition, adding friction to the user experience for everyone on the site, and I thought keeping that friction low was a priority here.

I’m also curious: is this tied to the onboarding improvements you mentioned back in November? You’d floated the idea of a proper new user setup flow, and it seems like if MFA is going to be required, rolling it into that would at least soften the landing for less technical users. How’s progress on that going?

4 Likes

I set up a passkey very quickly, and the intrusion feels minimal/acceptable. Is this enough, or do I need to also enable an authenticator app? That would be a no for me in that case; I would rather delete this account than use a third-party auth app and/or a second device.

I am currently using 2FA. Now, a passkey cannot be used with cloud computing (Shadow computing), right? There needs to be a BT connection to the PC you log in with, which is not the case if you connect to another PC. Any solution for using a passkey abroad?

1 Like

In China, the software we use also incorporates cybersecurity-related verification methods, such as facial scans, fingerprints, passwords, personal IDs, or phone numbers. Both official and private software typically include some form of security verification. However, we all know that despite all these verification measures, your personal information is already “streaking” on the internet. It’s just that no one bothers to look for it specifically, and even if they did find it, it wouldn’t really matter.

There are a few main reasons for this:

  1. Why would anyone waste energy looking for your information?
  2. What benefit would they gain from finding your information?
  3. It is illegal to find and publish your information to do anything with it.

Security verification is like a lock on a door—it makes the door harder to open. Strengthening security verification is akin to making the lock more complex. While this increases the difficulty for wrongdoers, there is always a way to open it if they are determined.

The key lies in improving laws and their enforcement against offenders, as well as raising people’s ethical standards. When everyone truly understands that illegally opening someone else’s lock is against the law and will lead to arrest, then even if they are faced with a lock so flimsy it could be yanked open with one pull, they won’t deliberately open it. This is because opening it would lead to media exposure, moral condemnation, and legal judgment. This approach significantly raises the cost of committing a crime, consuming fewer resources and costs than purely defensive measures.

There is an old Chinese saying: “One can be a thief for a thousand days, but one cannot guard against thieves for a thousand days.” Therefore, even if others obtain our information, we don’t really care. Everyone’s information is already out in the open. Even if someone gets my personal information, there’s not much they can actually do with it.

Of course, I personally am still in favor of having security verification. After all, the enforcement of laws relies on the push from the public and politicians. The lock on the door doesn’t need to be overly complex, but it cannot be absent. No lock means anyone can enter, while having a lock serves to signal that the owner of this place does not want outsiders to come in.
:flushed_face:

2 Likes

There are billion-dollar companies and entire sectors of the economy dedicated to gathering this information and using it for various purposes. Blindly trusting that these profit-only-motivated entities won’t do something ethically immoral with your information is too “glass half full” for me. Not even mentioning the insane damages and losses that have occurred in the past from these same companies mismanaging data leaks.

There absolutely is incentive to gather personal data/passwords/accounts for malicious actors and subsequently there is also incentive to protect your data and be vigilant against those who want it.

1 Like

It is true that there are many large and small enterprises here that obtain your information and then sell it to other companies. These other companies can then use this information to recommend products to you through algorithms on certain platforms, such as shopping apps, much like how TikTok recommends videos based on your preferences. There have even been instances here where input method software obtained users’ text information. However, the impact of this on individuals is minimal, and no one has ever blatantly transferred money out of your bank account.

Perhaps due to cultural differences, we are not overly concerned about the acquisition of online information. Instead, what matters to us is whether those who obtain the information use it to do anything illegal. From our perspective, if someone gains access to your information, why should you be afraid, as long as you haven’t done anything illegal? The only concern might be if the information includes embarrassing content that you wouldn’t want others to see. But in such cases, that’s when the police should step in. Our law enforcement agencies also use a system that can track anyone’s online records, but the police won’t intervene over trivial matters.

We are not blindly trusting that people won’t use information unethically; rather, we trust that the law will ensure that those who commit crimes face consequences.

I admit that there will always be individuals with malicious intent who deliberately break the law. Therefore, it is also very good to prevent them from accessing information as much as possible and to strengthen security verification. I am merely presenting the approach we take here in dealing with the situation of “exposed” online information. After all, no lock can ever be completely unbreakable. So, our focus is not on the lock itself but on what happens after it is opened.

1 Like