Upgrade your Discord Account Security!
Вставка
- Опубліковано 19 лип 2024
- Discord released a brand new update available to everyone that allows you to make your Discord account more secure. But it does have some drawbacks and it's not going to allow you to dive head first into discord without your brain enabled.
Discord scams have been extremely prevalent, and general good practice says that we should always secure our important accounts with two factor authentication. But there are drawbacks, your 2FA code could be phished through a devious Discord login page. Only if there was a system that could make it nearly impossible for a normal person to fall for a phishing page...
SOCIALS
-----------------------------------------------------------------------------
Discord Server
/ discord
Twitter
/ notexttospeech
TIMESTAMPS
-----------------------------------------------------------------------------
00:00 - Security Keys!
00:45 - 3 Reasons why security keys are better
01:51 - 2. Backed up in the cloud
02:44 - 3. Easy to use
03:27 - How it works
04:29 - Set up and Use
06:48 - Drawbacks - Наука та технологія
*HEADS UP!*
Passkeys with QR codes are safer than the Discord login QR codes because the device connects to the PC via Bluetooth. This means if you don't have Bluetooth built-in to your PC or you don't have a USB Bluetooth adapter, the QR code will not appear to log-in.
@@nanopiyou not existing helps too
Yes
Jk 1:52
Thank you, if noone told me it doesnt work without bluetooth I would have sat here wondering why it doesnt work for me
xd. Its fun but it happend to me too a time ago@@BobOrKlaus
As always, security comes down to users being stupid far more than anything a hacker could come up with.
.... or old. Wait till you 5 years older. Then you learn how hard it is to keep up.
@@clipbitlocker skill issue
No lol. Data leaks on other websites are very common, and if you reuse a single password, that could get your account compromised.
@@bloosixjr7505 Correct and data leaks and data breaches happen for 2 main reasons. There's an insider (social engineering) or people are so old that they are not aware of safe cybersecurity practices. How many people out there have a grandma/grandpa that has been tricked by scam?
@@bloosixjr7505 What if I reuse a married password?
A little thing about the analogy. The two numbers will be prime numbers, meaning that the result has one and only one set of two numbers to make it. It is really, REALLY hard to crack. You basically need to just guess and check
very well put. His explanation was spot on except for this
once i saw this comment i thought of the modular multiplicative inverse operation
omg kodu haiiii
That gaming computer just to watch UA-cam was the biggest callout
I feel so seen. Bought a new computer a few years ago just to play runescape and watch youtube.
I bought a top of the line PC and I only play league so pretty much yea
I feel personally attacked 😅
For anyone wondering you can use just Security Keys as 2FA
You do not need to have TOTP as a backup
Also remember to save those backup codes in-case you lose your Yubikeys
The same way you should have saved your recovery codes for 2FA before, by the way. Otherwise, passkeys only swap out your password (which has relatively little entropy compared to the usual public-key system) for a challenge-response authentification.
Fun fact: You don't have to "wait until the code refreshes because you can't type the numbers fast enough because you only had 2 seconds left to put them in" (2:49): just enter the code that you see and it will just work, even after the code disappeared!
from my experience not long after it disappears that code would have expired, assuming the device you were using's clock is synced closely
Indeed. That authentication system actually checks 3 separate codes - the one for the current time, and the one before and after, so assuming your system time is synced up, that code will work for a whole 30 more seconds.
...and now you know that it's technically a 3 in 1000000 chance to guess the code rather than 1 in 1000000.
@@chlorobyte_projects didn't realize Discord did that, guess it makes sense, since it increases the reliability
so a 1/333333 chance@@chlorobyte_projects
I never thought Discord would think about our security
@@VaultCord I think checking the device hardware/whatever would also help, or whenever a page is reloaded it checks if the device is still the device prior to loading, having you reauthenticate if whatever marker they use is changed. I'm sure there's probably a simpler way but this sounds secure, no?
Cool! I love securing my account! Good job Discord.
Same
Npc
@@raiban0 💀
@@raiban0you just said the same message twice did you ai glitch? (Joking btw)
@@raiban0 huh?
4:18 that's not quite right, It generate a semi prime number, the program is looking for two prime number multiplied together that equal the semi prime number from before .
I'm sure this using U2F which is using Challenge response authentication
6:31 SIM swapping is a bit pointless as under laying protocol SS7 has a simple SMS redirection vulnerability; that's never getting fixed due to governments using the flaw
dang
gotta love the govt causing security issues
I literally just completed a course on cyber security and it talks about these in great detail :D
4:44 there is a little annoyance here with Windows 10 (if you're still using that). Sometimes a window will pop up asking you for your Windows PIN when instead you want to register a physical security key. You need to click cancel on that popup and *only then* the window you show in the video here pops up asking you to confirm your security key. Make sure the setup makes you touch your security key's button or otherwise you just set up Windows Hello with your (probably) very weak Windows password.
I understood that great analogy very well! Good job!
I love your vids! Keep it up, please, and I hope you're taking care of yourself :D
nice analogy 💗
It's such a discord moment. Implementing a log in method that prevents phishing, and leave a thing that is abused by scammers and bypasses your new secure method. God I love discord
I'm using a NitroKey 3A NFC (plus a NitroKey FIDO2 as a backup) because they are fully open source (hardware and software) instead of YubiKey. They do have some drawbacks tho
whats the drawbacks? might get one
@@darwinpolio YubiKeys are just more well-known and might be better supported. But I can only tell one instance where only YubiKeys were allowed, and that was on Kraken (kinda niche, trading platform). As far as I understand, FIDO2 is a standard, so it's not really a restriction because they can't support others - just because they want to.
Then NitroKeys are a bit more expensive and the setup for YubiKeys might be a bit easier as they have a bit better fledged out software.
Just do your own research, but these are no actual drawbacks for my personal taste.
security shouldnt be open-source
@@freshcutbackup380 Security by obscurity is not actual security.
@@freshcutbackup380it should. You never ever want to use something poopiotary.
To be honest I stopped using Discord a few months ago because I just didn't feel safe on there I use better apps instead.
But it is nice to see that they're finally adding precautions for this kind of stuff because my old old account got hacked years ago
Didn't feel safe? What are you sharing, military secrets or some shit?
Get a good password, it's not hard to make one that's easy to remember AND secure.
And don't be a brainlet clicking on every link and downloading every file someone sends you.
If you get hacked, it's your own stupidity that's at fault.
Most of the time being hacked is your fault, you used a password that can easily be guessed
3:54 Nice analogy!
As someone who uses the flipper zero’s U2F feature as a security key for literally everything that I can possibly use it for, I see this as an absolute win (I just like using my silly little cybersecurity pentesting device)
Nice analogy mg 💪💪
I didn't know that scammers can now trigger and ask for 2FA through a fake login page. That's kinda scary. Nice analogy btw 👌
Hey man I discovered you and I really like your content I’m going to subscribe to you man I really enjoy your content
MAN I *LOVE* sticking till the end!
I get my hugs and kissies :3
While it was (in relative terms) a more mild hacking I suffered with a discord keylogger, morning grogginess and luck on the end of a hacker who sold me the 'my friend is making a game' while speaking through a friends account he hacked...that was making a game, got my account hacked.
Had a similar situation. Bought something overseas (smth from kickstarters) and I was waiting until it finally shipped to me. Then I get an email "Delivery failed, verify address". Luckily I thought about messaging the sender and he told me they didn’t start the delivery and that they still had to prepare my package.
EFFING FINALLY. I admin several servers I needed this ages ago.
"On that gaming pc you use to watch youtube" Never felt so called out before lmao
5:38 uh oh you just showed your backup keys publicly on youtube, this makes it so that anyone can login into your account now by using the backup keys to reset the passkey
obviously he regenerated them lol
"on that gaming computer you use to watch youtube" i dont like how accurate this is
Actually not that bad of an analogy. I assume you were explaining hashing and if if you were you explained it almost perfectly.
with windows hello you also can use pin code to make security key, did that myself on my youtube- i mean gaming laptop
For the people that don't have devices with biometric lock features, you can use your Windows PIN as well if your logged into your Microsoft account
in South Africa, i have my Sim Swap set up with my provider that i have to go to my provider store and pysically be present to perform a sim swap, cant be done on the phone and you have to have my physical ID
nice analogy mate!
I just had my account hacked two days ago i got it back yesterday because discord surprisingly responded in a matter of 1 hour and ik trying to reactivate 2FA but it wont let me. Should i just do the security key thing?
I reported like 6 websites and a Discord server who has this phishing method. the discord server got deleted but 2 hours later a new one was created with the same name and invite link.
This method was also done using a fake captcha bot. Unfortunately Discord doesn't do anything about it
Made security key. Thanks NTTS.
Nice analogy btw.
thank you, very cool mr discord man
also nice analogy
5:38 maybe blur these codes lol (unless you generated new ones)
was about to say that lol
Yeah, seriously please generate new ones
it looks like a burner account anyway he wouldnt have lost anything valuable lol
Throw away account
Actually you can just use your PC's pin, which is pretty convivnient too.
5:38 you SHOULD hide those codes, people can log in using those
Was just going to comment the same thing
He probably changed them after recording the video.
It even says that generating new backup codes makes the old ones invalid
Oh, this made me realise I had sms on, which I THOUGHT I'd turned off. Thanks for reminding me :)
I've had a yubico key for a while, happy Discord finally added support. Now my bank needs to get on board!
At 7:30 but that is with every business and phone app devs. Look at what phone apps ask permission for without telling you what permissions are needed.
Nice analogy now hopefully your self esteem is better
Nice analogy!
nice anology. Another way of explaining this is that a public key is like a picture of your signature (you know how it looks like but not how to create it). Your private key is the path which the pen will go when writing your signature.
Now, when you log in to a website that you created the key-pair for, the website will send you a unique challenge (basically a text) every time you log in. When using your biometrics, you allow the browser to use your private key to create a signature. The browser sends back the challenge text with the signature and the website verifies that it's the correct challenge with your correct signature. Even if someone would be able to capture the signed challenge text, they would not be able to use it a second time, since the challenge is different each time.
Also, scanning that passkey qr code (not the Discord one) with your phone, doesn't sent the actual private key to the computer. Your phone connects via bluetooth, get's the challenge from your computer, uses the private key which is stored on your phone, signs the challenge and sends back the signed challenge to the computer so that the computer can send it back to Discord.
Quick tip: Windows 11 has the option for a device as a passkey on Windows Hello. You can pick that option and enroll the phone's passkey. It will even remember your phone to quickly pick it as an option.
At first I was mad at being called out with the gamer pc to watch youtube, but then I was able to put him in his place as I logged in using my webcam with Windows Hello. Thanks for the tip!
Nice Analogy❤
Although getting a security key would seem like a good idea, but let's look at it with different eyes:
-it's another new way of putting smth private under a same lock and key with a master key held up by a creator of said lock and key;
-you can add your phone/any gadget to that key, but if you lose it/ it gets stolen, you out of luck;
-all it does is giving a minor setback to hackers, and once it gets passed, we have to think of new ways to secure data;
All in all, all those security keys and such are for people who uses their account for business(or popular people, eg youtubers), there's no need for such things for normal people, all it does is gives you more paranoia with each new update for security measures.
At the end of the day, a lock is there to keep an honest folk away, if you have a goal to bypass that lock, you will get it eventually.
> At the end of the day, a lock is there to keep an honest folk away, if you have a goal to bypass that lock, you will get it eventually.
thats corrent in the "real" world, but not to that degree in the "virtual" world.
there is crypto, that is mathematically secure at least for now, (takes trillion of years to crack)
nice analogy
what a wonderful analogy
nice analogy mate
Nice Analogy :)
Nice analogy!
u did not forget to regenerate ur 8 character security codes right?
Nice analogy 😊
your outro is hella weird but the content is too good to have a sweet kiss scare me away... 😘
For those who just want ELI5 in security keys;
The public key is used to encode a message to send to the private key owner. Discord sends your computer a specific question (Challenge) and your PC, with the private key, can read and answer this challenge.
presumably through reverse pub key it would encrypt it and send it back, unless of course the challenge is non critical. not familiar with the specifics there.
@@killingtimeitself Not sure what you're saying, but I'm pretty sure that your "reverse pub key" is, in fact, the private key, which is *EXTREMELY* difficult to get from the public key (this is how all of cryptography works, make it DIFFICULT for the attacker to gain the key).
i meant reverse pubkey as in reversing the direction of the transaction with another key set@@erikkonstas
if you are interessed in it, and know "basic" (probably at least prime, modulo and Fields, and how they are (mathematically) connected) math/Crypto things, it is not that hard
They should’ve added this years ago. People have been asking for security key support for a really long time
I feel like public-private key cryptography needs to be taught in every school these days, its something you use everyday and can benefit from understanding.
useless, not everybody is a geek
@@hi-kt3qrinstead they're dumbasses that fall for scams like these
Nice analogy 👍 , your welcome
dad when are you coming home with the milk
This is kinda cool but also kinda useless unless Discord starts requiring 2FA more. I found out the hard way that if your login token gets hijacked from your PC Discord will just let someone use that token to change the email address on your account without requiring you to reauthenticate.
@@VaultCord To be fair, I'd argue that changing your email address on your account should be inconvenient seeing how commonly it's abused by scammers to lock someone out of their account.
One thing left to ask is this useful even if someone has grabbed a person discord token.
I can't activate Touch ID on my iPhone as a Security Key, it asks to scan the displayed QR-code or use an external device (like a YubiKey).
Damn. Literally just migrated away from Discord and they rolled out this cool update... hopefully the Matrix team is working on this, haven't seen any issues/prs though.
I'm actually thinking of getting myself the Yubi physical USB security key. Honestly it's just a stick I can wear on my keys, and whenever I need to use it, I can just pull the keys out of my pocket, or simply just grab them off a shelf and insert it into the PC. I wear my keys almost all the time on myself. So it makes sense to put it on my keys. I have never lost my keys, there's of course the risk of that, but it's very low. Unless I get really drunk, the chance of losing my keys is next to zero.
Yeah, that's fair. It's still good to have peace of mind though, because the one day in your life that you *do* lose or damage your keys could be a very bad day if you lost access to all of your accounts.
I hope they are doing something like Roblox's announced "ROBLOSECURITY", which makes logging in via a cookie useless.
Aw yeah, now instead of 2FA (bad) I can use 2FA (good)!
2:49 I seen been long using the authenticator app browser extension, and based on my experience, is very convenient, since, I don't really use a mobile phone, and I can back up the authenticator keys from the browser extension, and copy paste directly from the browser. But this isn't ideal for anyone with different situations.
nice analogy
NTTS you don't need to blur QR codes because your phone connects to your PC/laptop with Bluetooth
Just wanna say, that if you use the discord desktop app it will not pop up the QR code for your phone
Bros catchphrase is we'll talk about that later
5:38 I hope you changed those after the video, because I think you shouldn't share your backup keys with the internet…
Nice analogy
The best security system is and always will be yourself
I find it funny you plugged in the "pi" in the number slot :D That's not gonna produce an integer, nope. :D
The floor function: Am I a joke to you?
I'm gonna need to do this for my rotisserie chicken later...
Thank you buddy 😉😉
It just dropped so have fun watching everyone
my brother has a passkey and he usually uses this with discord and that feature was there for him for like 2 months
Let's GO I paused before the kiss !!!
Sim swap will not work with me because of the passcode you have to have for my cell provider I enabled number lock I need it every time I activate a new line so sim swap fails for me
thats not the only way if you enable use pin on the account you can add a windows passkey I did this it works
imo they should add password to mobile app like signal, face id touch id or just password for it to unlock
have you considered just adding a password to your phone
i mean i do understand more things make you feel more secure, this is the reason people pay thousands dollars a year for antivirus
who the fuck is paying thousands a year for a fucking antivirus thats a fucking scam@@Milenakos
@@Milenakosi have password and ID on phone it would be just more secure if you could use ID or password on app directly. When someone borrows your phone and there’s private messages, you know what i mean
Yubikeys are so expensive in my country so, i'll have to pass this 😔
Yeah,,,, that SIM card thingy is old news. That is why my first phone has a slot for them but it does not have a SIM card in it. They are not even required the phone companies are just dumbing down security and installing malware anyways via remote.
A naked man fears no pickpocket.
Not sure if this is deliberate or not but you showed your backup keys at 5:38 might wanna reset them
I would like to point out that the stronger a security mechanism is against remote attacks, the weaker it is against physical ones. So, imagine you follow the Microsoft trend of going passwordless and use a hardware key instead. Now that key gets stolen... Opsie! Please, don't go passwordless, and use a password manager.
Discord just needs to change their internal login system. They can add as many security options they want, but if someone is able to grab your login token (which is really easy to do btw), then it's over either way cause just having that token bypasses everything.
Edit: apparently this is how most websites work, whoops. still sucks how easy it is to get tho
this is how it is on every website. How do you think the website knows it is you.
@@xE92vDit is? ahh didn't know that
Unfortunately, if they did that then you would have to constantly resign into discord. The reason the tokens exist is that you don't have to resign, and that is how every website works.
@@Theinatoriinator we live in 2023 you can simply store that token in an encrypted form that is nearly impossible to crack. There is no good excuse for storing passwords and especially tokens in plain text.
@@killingtimeitselfexactly. I'm sure there's a way to encrypt it or something. If a slight technical person like me can just find it using the developer console and the token is just there in plain text, I don't think that's a good thing.
when you found out you still not safe 😅
There are backupcodes on discord so it dosnt matter if you loose acces
me when security key
Gonna use my old Amazon staff yubi key for this
Finally!
nice analogy kid
5:38 I'm pretty sure you left your backup codes visable for us intentionally to get ppl like me to write sth like this and then reset them, but why is truly the question.
jokes on you i have an industrial grade fingerprint reader configured to my pc