Improving Discord Security

[Philos]

With the increased presence of our griefer(s), Arawn has posted that 2 Factor Authentication will be a requirement for use of the official PotM Discord. This seems to have evoked a passionate response from a rather large number of players, myself included, who feel this is either an extreme or ineffective measure.

If you have ideas, suggestions, or questions please post them here for better viability.

[Tunes]

From what I've noticed, the griefing seems to be mostly affecting the server in game? I could be wrong, though this seems like an extreme response for the discord server. Maybe should look into implementing better login security for the in game server. Such as requiring the correct CD key or IP.

[GeneralBonobo]

I agree with tunes, it seems really extreme, especially since the griefing is entirely in game. Honestly I think asking everyone for their forum account and at least one ingame account should be enough. Other than that there should be some in game system in place such as requiring the correct CD key, although I would stray away from requiring an IP since some people do travel while playing.

[julienchab]

Removing the permanent link to Discord would have people need to ask the access link on the forum here, which would allow the DMs to have a better idea of who is actually joining the Discord. It would be a bit more job for the admins of the discord server, but I don't think we have 10 new people joining the discord everyday, so it wouldn't all that much more work.

[Philos]

My biggest issue with this change is that I don't see what it accomplishes. The vast majority (entirety?) of his or her actions are done IG. While it has been suggested that they are using discord to somehow exacerbate the problem, I think discords influence is minor.

Further, what is stopping them from enabling 2 Factor Authentication with a legitimate discord handle/ Forum and Gaming login and not having it associated with any of their illicit activities? Or as Peccavi mentioned, what is stopping them from obtaining a virtual cell number and using that to circumvent the increased security. We already know they're using a key generator and a VPN. I don't think the jump is that great based on their current MO.

Lastly, many of our community members mentioned either not having a cell phone or not wishing to further entwine their phones into their life if at all possible. (I'm of the latter) I think we risk alienating a sizable portion of our community for a security measure that is both limited in applicability and effectiveness.

[Arawn]

I'm glad to have this feedback, but two notes:

Firstly, we already know that people who have been banned from the community continue to enter into the Discord. We continue to catch them and ban them, but the need to make the process a bit more difficult to overcome is there.

Secondly, we have not enabled two-factor authentication, which is something completely different. With 2FA you would need your cell phone every time you login; instead, we are requiring that each account be authenticated once with Discord to prove it belongs to a real person. I am happy to consider other perspectives, but please make sure what you say is correct before you post. I asked that those with questions contact me directly for this reason.

[Philos]

I think something like this is a better solution.

These griefers can continue to do all these things indefinitely as it's basically impossible to permanently ban anyone in NWN anymore. CD Keys are easy to acquire and can even be obtained with generators, while IP addresses are easy to change.

While I think it's possible to prevent people from chatting unless they enter the correct password, I think all these problems could be neatly avoided by implementing a system like Arelith's that simply kicks people from an account if they do not use the original CD Key. This can lead to annoyances if a player ever loses or has to change their CD Key, but I think these occasions are worth it if it means avoiding the above issues.

[Arawn]

I think something like this is a better solution.

These griefers can continue to do all these things indefinitely as it's basically impossible to permanently ban anyone in NWN anymore. CD Keys are easy to acquire and can even be obtained with generators, while IP addresses are easy to change.

While I think it's possible to prevent people from chatting unless they enter the correct password, I think all these problems could be neatly avoided by implementing a system like Arelith's that simply kicks people from an account if they do not use the original CD Key. This can lead to annoyances if a player ever loses or has to change their CD Key, but I think these occasions are worth it if it means avoiding the above issues.

Good solution, different problem.

[peccavi]

So I just did a thorough test to prove how useless this is going to be. You do not need multiple phone numbers to enable two factor authentication. You require a smart phone and Google Authentication. It is completely possible to enable two factor authentication on multiple discord accounts via one phone.

In short, this new ruling will do nothing and was poorly thought through.

[peccavi]

I'm glad to have this feedback, but two notes:

Firstly, we already know that people who have been banned from the community continue to enter into the Discord. We continue to catch them and ban them, but the need to make the process a bit more difficult to overcome is there.

Secondly, we have not enabled two-factor authentication, which is something completely different. With 2FA you would need your cell phone every time you login; instead, we are requiring that each account be authenticated once with Discord to prove it belongs to a real person. I am happy to consider other perspectives, but please make sure what you say is correct before you post. I asked that those with questions contact me directly for this reason.

Since I was mistaken then, let me begin a list of apps that will allow for you to have multiple phone numbers at no charge:

• Sideline
• Talkatone
• TextMe Up Free
• 2nd Line
• Burner

All andrioid apps, easily accessible. With likely dozens of others also on the play store. This rule will be laughably circumventable.

[FinalHeaven]

I was going to say, I've used 2FA for Discord for quite some time and you can definitely use one phone to handle multiple accounts.

The CD Key method really does seem the best.

[Arawn]

Thanks all. As I posted in the Discord:

@everyone Hey everyone, thank you for the feedback. Some people have approached me privately pointing out issues with how the Discord system itself works, and I'm a bit concerned about whether this will function as intended. I'm going to hold off on implementing this until I've had a chance to resolve my concerns. If I can't make it work as designed, we'll look for other solutions.

Thank you again to those who offered measured perspectives. Cheers all.

[Norture]

Thank you for reverting the proposed change. I do not want to give my phone number to discord, I don't trust random free programs with my real life information.

[Iluvatar / Madness]

Just as a side note, I did the 2auth thing and you're not giving your phone number to Discord, but to an authentication app made by Google. Many application uses the Google authentication, I'm using for Steam as well.