Discord adds Security Key support for all users to enhance security

Discord has made security key multi-factor authentication (MFA) available for all accounts on the platform, bringing significant security and anti-phishing benefits to its 500+ million registered users.

The popular social platform first highlighted the benefits of using security keys with WebAuthn in August 2023 when it rolled out additional account protections for its employees.

Discord has now brought the WebAuthn feature to all Discord users, allowing users to replace the legacy MFA system that relies on time-based one-time passwords, 8-digit one-time backup codes, and SMS messages carrying a 6-digit verification code.

Discord users can now go into Settings > My Account > Register a Security Key and use WebAuthn to configure Windows Hello, Apple's Face ID or Touch ID, and hardware security keys for authentication.

This new feature enhances protection against credential theft, as it requires a physical device, whether that is a computer or mobile phone, to log into your Discord account.

WebAuthn advantage

WebAuthn is a web standard for secure, password-less authentication developed by W3C and the FIDO Alliance.

It allows users to log in to internet accounts using biometrics, mobile devices, and physical security keys, which are more secure than traditional passwords and inherently phishing-resistant.

Discord's post highlights the following three main advantages of using the WebAuthn API:

• Non-phisable: Only discord.com can request authentication via WebAuthn, so the keys are out of the reach of phishing actors.
• Non-guessable: Unlike static passwords, WebAuthn's response changes with each login, making it immune to replay attacks.
• Easy to use: By offering seamless integration with Windows Hello, Apple Face ID, and Touch ID, logging into your Discord account securely becomes much easier and quicker.

While WebAuthn is supported across all major web browsers, making its integration more straightforward on Discord's electron client and mobile apps was a bit more complicated.

On the mobile, the team used Swift for iOS and Kotlin for Android to develop the implementation in native languages.

The Electron framework was selected for Windows and macOS desktop apps. A custom Objective-C++ module was developed for macOS to call Mac native code for the WebAuthn functionality.

Legacy MFA options remain available for those who need them, so if you haven't set up any 2FA protections for your Discord account, consider adding one now.

Discord promises to continue working on introducing WebAuthn-based password-less login in the future.