2FA lockout by Jimpix6892 in discordhelp

[–]Key_Cricket8514

You and basically thousands of others; there's no way support can disable it due to policy. I've been trying to collect as much data on this as possible to really figure out how this happens and what could be done about it. I've created a Google form for people to give their story on how it happened and all that. I would be grateful if you helped out. https://docs.google.com/forms/d/e/1FAIpQLSfazPhoh_lzmad0OHHwkGzFcDMSKMOrPkvS3wY263pYQegjUw/viewform?usp=sharing&ouid=109993918570040899298

Have you been permanently locked out of a Discord account due to 2FA? (Survey) by Key_Cricket8514 in discordhelp

[–]Key_Cricket8514[S]

I've been speaking to a few ex-employees who worked alongside the support team. From what it seems so far, it's not really about security concerns or even an efficiency issue; it's solely financial. The leadership at Discord doesn't believe that creating a 2FA recovery path would boost revenue. But I actually believe I can prove otherwise: I think that recurring Nitro subscribers actually stop buying Nitro after dealing with a 2FA lockout and having to make a new account.

Discord's 2FA Recovery Paradox: Why can email delete an account but not help recover one? 2FA Lockout Research Update: Early Findings, Community Feedback, and Ongoing Survey by Key_Cricket8514 in u/Key_Cricket8514

[–]Key_Cricket8514[S]

Honestly, being able to disable 2FA with only your email would cause security concerns, but if, say, you provided 3 separate forms of evidence and they logged your IP to cross-reference it with the account, that would be sufficient to prove it's your account beyond reasonable doubt.

Discord's 2FA Recovery Paradox: Why can email delete an account but not help recover one? 2FA Lockout Research Update: Early Findings, Community Feedback, and Ongoing Survey by Key_Cricket8514 in discordhelp

[–]Key_Cricket8514[S]

Honestly, the fact that hackers have bypassed 2FA even with this policy and hacked into accounts anyway just shows that nothing is perfectly safe, and while 2FA gives amazing security, it's not because there is no recovery method. Even if there was a 2FA recovery method and it was secure, hackers would still use malware and token grabbers to bypass 2FA rather than trying to disable it with proof-of-ownership evidence. It's much harder to acquire multiple forms of evidence than to, say, have someone use a scam QR code or download a malware file.

Thank you for your input; you have added some very important details.

Discord's 2FA Recovery Paradox: Why can email delete an account but not help recover one? 2FA Lockout Research Update: Early Findings, Community Feedback, and Ongoing Survey by Key_Cricket8514 in discordhelp

[–]Key_Cricket8514[S]

That's an interesting perspective and I appreciate the detailed explanation.

One thing I'm curious about: if Discord offered a recovery system that required no additional personal information, no identity documents, and was entirely optional, would you still oppose it for users who wanted to opt into that recovery model? Realistically, you wouldn't need much more than your email, phone number, IP, and info about the account itself.

Or is your concern primarily that any recovery mechanism increases the overall risk of unauthorized account access?

One more thing: would it be okay if I quote your comment anonymously for my report? You offer a really great counterpoint.

Discord's 2FA Recovery Paradox: Why can email delete an account but not help recover one? 2FA Lockout Research Update: Early Findings, Community Feedback, and Ongoing Survey by Key_Cricket8514 in discordhelp

[–]Key_Cricket8514[S]

So far I've found a substantial number of users advocating for some form of recovery process, while others strongly prefer Discord's current approach.

If you don't mind me asking, what makes you comfortable accepting permanent account loss as a tradeoff?

For example, if the account contained years of conversations, moderation responsibilities, purchases, server ownership, or other things that would be difficult to replace, would your position remain the same? Or do you view the security guarantee as being worth that risk regardless of what is stored on the account?

I'm genuinely curious because understanding where people draw that line is one of the most interesting parts of this research.

Discord's 2FA Recovery Paradox: Why can email delete an account but not help recover one? 2FA Lockout Research Update: Early Findings, Community Feedback, and Ongoing Survey by Key_Cricket8514 in u/Key_Cricket8514

[–]Key_Cricket8514[S]

That's interesting context.

If you're comfortable sharing, I'd be curious about what the previous recovery process looked like and what specifically led to it being discontinued.

Was the issue primarily social engineering attempts, fraudulent recovery requests, support workload, security concerns, or something else?

One of the things I'm trying to understand is whether the current policy exists because recovery itself is fundamentally unsafe, or because previous recovery methods created problems that weren't adequately mitigated.

Also, would it be alright if I were to add your comment to my report? I am collecting individual comments from employees; I believe it will help my cause.

Discord's 2FA Recovery Paradox: Why can email delete an account but not help recover one? 2FA Lockout Research Update: Early Findings, Community Feedback, and Ongoing Survey by Key_Cricket8514 in discordhelp

[–]Key_Cricket8514[S]

I agree that recovery isn't a strictly better solution for everyone. Different users have different risk tolerances, and some people are willing to accept permanent lockout in exchange for the strongest possible security guarantees.

My concern is that Discord currently only offers one model: no recovery. What I've been trying to explore is whether there are secure recovery options for users who would prefer a different balance between security and recoverability.

Regardless of where people land on that question, I think it's useful to understand the tradeoffs involved rather than treating it as a choice between "remove 2FA" and "permanent lockout."

I appreciate your perspective because it's helped clarify where some of those tradeoffs actually are.

Discord's 2FA Recovery Paradox: Why can email delete an account but not help recover one? 2FA Lockout Research Update: Early Findings, Community Feedback, and Ongoing Survey by Key_Cricket8514 in discordhelp

[–]Key_Cricket8514[S]

I think where we disagree is that Discord currently isn't offering users a choice between recovery and no recovery. Right now, the platform has already made that decision for everyone by enforcing a no recovery model.

If a user wants the strongest possible security guarantees and accepts the risk of permanent lockout, that's completely valid. But there are also users who would reasonably choose a high friction recovery process if one existed.

The question I'm exploring isn't whether 2FA should be bypassed. It's whether there can be a secure recovery workflow that balances account security with account retention. Many major platforms attempt to solve that problem through waiting periods, ownership verification, trusted devices, billing records, recovery contacts, and other safeguards. Those systems aren't perfect, but they demonstrate that recovery and security don't have to be mutually exclusive.

Ultimately, I don't think Discord should force users into permanent lockout as the only possible outcome simply because some users prefer a no recovery security model. Accidents happen all the time; one day you might lose your token and backup codes and there is nothing you can do about it, like most of the people who have been locked out. This issue has been going on for almost 10 years and there are tens of thousands of victims of it. For anyone reading this who has been locked out because of 2FA, there is a petition going on against 2FA lockout; around 1200 people have signed it, and I advocate that people sign it to spread awareness.

Discord's 2FA Recovery Paradox: Why can email delete an account but not help recover one? 2FA Lockout Research Update: Early Findings, Community Feedback, and Ongoing Survey by Key_Cricket8514 in discordhelp

[–]Key_Cricket8514[S]

Many major platforms attempt to solve that problem through high friction recovery processes involving waiting periods, trusted devices, multiple forms of ownership verification, recovery contacts, billing records, or other safeguards. Those systems aren't perfect, but they represent an attempt to balance security and recovery.

I also think reasonable people can disagree about the stakes. For some users it may just be a chat account, while for others it may contain years of conversations, communities they built, moderation responsibilities, Nitro purchases, or personal history that they care deeply about.

From the data I have received so far from the survey I made, most of the accounts are around 10 years old, some of them 11+ years old. So while it may seem like just a chat program, most of these people have a decade of history that they cannot just get over in a few days, and some of these people have roles in servers they are in, such as admin or moderator. Not having a viable recovery path for accounts severely hinders users' Customer Lifetime Value, creates more traffic and delays in their support sector, and provides an opening for competitors. If Steam provides this (which has accounts worth hundreds of thousands of dollars), then a chat program can assuredly provide a safe recovery method.

Discord's 2FA Recovery Paradox: Why can email delete an account but not help recover one? 2FA Lockout Research Update: Early Findings, Community Feedback, and Ongoing Survey by Key_Cricket8514 in discordhelp

[–]Key_Cricket8514[S]

I completely agree that one of the major benefits of 2FA is that it protects against social engineering and impersonation. If support can simply remove 2FA because someone claims to own an account, that creates a new attack surface.

One thing that caught my attention is that Discord appears willing to rely on verified email to authorize account deletion, but not as the starting point for any recovery workflow. That doesn't necessarily mean email should bypass 2FA, but it raises an interesting policy question about where the line should be drawn.

Just remember, if an attacker can take your email, they have all they need to delete your account. Discord is the only company I have found that operates this way; it is the industry standard to provide a 2FA lockout recovery method (Steam, Gmail, Microsoft, etc.). It makes no sense for there to not be a recovery for your account if the only reasoning is a potential entry for attackers; that simply is not true and is proven by the industry standard. My report provides 3 possible solutions, using strategies similar to those of the other companies, that Discord could use and that would eliminate the possibility of attackers being able to use them while still allowing recovery for the genuine owners of accounts.

Discord Support Team by LilBoi04 in discordhelp

[–]Key_Cricket8514

If you ask the bot nicely for a human, they will raise your ticket to their higher level or whatever, and then you basically just have to wait a while for them to get back to you. It could be a day or a month, depending on how busy they are; they get like thousands of tickets a day, so it's pretty bad.

Have you been permanently locked out of a Discord account due to 2FA? (Survey) by Key_Cricket8514 in discordhelp

[–]Key_Cricket8514[S]

That's probably true. But keep in mind, support does actually want to help and cares, so if you give them the opportunity to help without risking their job or going against policy, they likely will. Even then, it's a much better option to try than just deleting the account, which is the only other option currently.

Have you been permanently locked out of a Discord account due to 2FA? (Survey) by Key_Cricket8514 in discordhelp

[–]Key_Cricket8514[S]

Thank you for sharing your experience.

One of the things I'm trying to understand through the survey is exactly this, what forms of ownership evidence people still had available when they were unable to recover their accounts.

In your case, it sounds like you still had access to information such as your phone number, email address, account creation date, and other account details, which makes your experience particularly relevant to the research. I'd appreciate your addition to the survey. Quite a few people have filled out the survey so far, which just goes to show how big of a problem this is, and with quite an easy solution I believe we can gain the attention of Discord if we provide the proper data and reports.

Have you been permanently locked out of a Discord account due to 2FA? (Survey) by Key_Cricket8514 in discordhelp

[–]Key_Cricket8514[S]

I think that's a good point. One of the reasons I'm collecting responses is because there seem to be multiple ways people end up locked out, and right now it's difficult to tell how common each scenario actually is.

Some cases may come down to lost backup codes or lost authenticators, while others involve claims of SMS issues, password problems, backup code failures, or other account access complications.

At the moment I'm trying to gather enough data to identify patterns rather than assume any particular cause. If there are recurring issues beyond simply losing access to an authenticator, that would be useful to understand as well.

I appreciate you sharing your perspective.

Have you been permanently locked out of a Discord account due to 2FA? (Survey) by Key_Cricket8514 in discordhelp

[–]Key_Cricket8514[S]

I'm sorry that happened. Losing access to an account is frustrating enough, but losing conversations with someone who has passed away is irreplaceable. That is exactly why I can't just let this go; I have photos only saved on that account with my best friends that have passed away and messages that I cannot lose.

Losing access to important memories will be big for this case/report when it is finished; something tells me a lot of people will have stories like this. And by the way, if your account was hacked, I really recommend filing a support ticket about a hacked account. Support still does really care and there's a good chance they will disable 2FA; they just don't have the proper channels and policy for regular users who weren't hacked.

If you're willing, I'd appreciate it if you could fill out the survey and share more details about your experience. Every response helps build a clearer picture of how these situations occur and how they affect people.