*HEADS UP!* Passkeys with QR codes are safer than the Discord login QR codes because the device connects to the PC via Bluetooth. This means if you don't have Bluetooth built-in to your PC or you don't have a USB Bluetooth adapter, the QR code will not appear to log-in.

As always, security comes down to users being stupid far more than anything a hacker could come up with.

A little thing about the analogy. The two numbers will be prime numbers, meaning that the result has one and only one set of two numbers to make it. It is really, REALLY hard to crack. You basically need to just guess and check

That gaming computer just to watch KZbin was the biggest callout

Fun fact: You don't have to "wait until the code refreshes because you can't type the numbers fast enough because you only had 2 seconds left to put them in" (2:49): just enter the code that you see and it will just work, even after the code disappeared!

For anyone wondering you can use just Security Keys as 2FA You do not need to have TOTP as a backup Also remember to save those backup codes in-case you lose your Yubikeys

I never thought Discord would think about our security

I'm using a NitroKey 3A NFC (plus a NitroKey FIDO2 as a backup) because they are fully open source (hardware and software) instead of YubiKey. They do have some drawbacks tho

Cool! I love securing my account! Good job Discord.

4:18 that's not quite right, It generate a semi prime number, the program is looking for two prime number multiplied together that equal the semi prime number from before . I'm sure this using U2F which is using Challenge response authentication 6:31 SIM swapping is a bit pointless as under laying protocol SS7 has a simple SMS redirection vulnerability; that's never getting fixed due to governments using the flaw

While it was (in relative terms) a more mild hacking I suffered with a discord keylogger, morning grogginess and luck on the end of a hacker who sold me the 'my friend is making a game' while speaking through a friends account he hacked...that was making a game, got my account hacked.

5:38 you SHOULD hide those codes, people can log in using those

4:44 there is a little annoyance here with Windows 10 (if you're still using that). Sometimes a window will pop up asking you for your Windows PIN when instead you want to register a physical security key. You need to click cancel on that popup and *only then* the window you show in the video here pops up asking you to confirm your security key. Make sure the setup makes you touch your security key's button or otherwise you just set up Windows Hello with your (probably) very weak Windows password.

"On that gaming pc you use to watch youtube" Never felt so called out before lmao

5:38 maybe blur these codes lol (unless you generated new ones)

5:38 uh oh you just showed your backup keys publicly on youtube, this makes it so that anyone can login into your account now by using the backup keys to reset the passkey

To be honest I stopped using Discord a few months ago because I just didn't feel safe on there I use better apps instead. But it is nice to see that they're finally adding precautions for this kind of stuff because my old old account got hacked years ago

For those who just want ELI5 in security keys; The public key is used to encode a message to send to the private key owner. Discord sends your computer a specific question (Challenge) and your PC, with the private key, can read and answer this challenge.

3:54 Nice analogy!

I literally just completed a course on cyber security and it talks about these in great detail :D

I didn't know that scammers can now trigger and ask for 2FA through a fake login page. That's kinda scary. Nice analogy btw 👌

As someone who uses the flipper zero’s U2F feature as a security key for literally everything that I can possibly use it for, I see this as an absolute win (I just like using my silly little cybersecurity pentesting device)

It just dropped so have fun watching everyone

It's such a discord moment. Implementing a log in method that prevents phishing, and leave a thing that is abused by scammers and bypasses your new secure method. God I love discord

I feel like public-private key cryptography needs to be taught in every school these days, its something you use everyday and can benefit from understanding.

dad when are you coming home with the milk

Actually you can just use your PC's pin, which is pretty convivnient too.

Although getting a security key would seem like a good idea, but let's look at it with different eyes: -it's another new way of putting smth private under a same lock and key with a master key held up by a creator of said lock and key; -you can add your phone/any gadget to that key, but if you lose it/ it gets stolen, you out of luck; -all it does is giving a minor setback to hackers, and once it gets passed, we have to think of new ways to secure data; All in all, all those security keys and such are for people who uses their account for business(or popular people, eg youtubers), there's no need for such things for normal people, all it does is gives you more paranoia with each new update for security measures. At the end of the day, a lock is there to keep an honest folk away, if you have a goal to bypass that lock, you will get it eventually.

Discord just needs to change their internal login system. They can add as many security options they want, but if someone is able to grab your login token (which is really easy to do btw), then it's over either way cause just having that token bypasses everything. Edit: apparently this is how most websites work, whoops. still sucks how easy it is to get tho

imo they should add password to mobile app like signal, face id touch id or just password for it to unlock

Nice analogy now hopefully your self esteem is better

Aw yeah, now instead of 2FA (bad) I can use 2FA (good)!

I reported like 6 websites and a Discord server who has this phishing method. the discord server got deleted but 2 hours later a new one was created with the same name and invite link. This method was also done using a fake captcha bot. Unfortunately Discord doesn't do anything about it

This is kinda cool but also kinda useless unless Discord starts requiring 2FA more. I found out the hard way that if your login token gets hijacked from your PC Discord will just let someone use that token to change the email address on your account without requiring you to reauthenticate.

"on that gaming computer you use to watch youtube" i dont like how accurate this is

I hope they are doing something like Roblox's announced "ROBLOSECURITY", which makes logging in via a cookie useless.

Quick tip: Windows 11 has the option for a device as a passkey on Windows Hello. You can pick that option and enroll the phone's passkey. It will even remember your phone to quickly pick it as an option.

For the people that don't have devices with biometric lock features, you can use your Windows PIN as well if your logged into your Microsoft account

Bros catchphrase is we'll talk about that later

I love your vids! Keep it up, please, and I hope you're taking care of yourself :D nice analogy 💗

with windows hello you also can use pin code to make security key, did that myself on my youtube- i mean gaming laptop

They should’ve added this years ago. People have been asking for security key support for a really long time

Nice analogy mg 💪💪

The best security system is and always will be yourself

5:38 I hope you changed those after the video, because I think you shouldn't share your backup keys with the internet…

I just had my account hacked two days ago i got it back yesterday because discord surprisingly responded in a matter of 1 hour and ik trying to reactivate 2FA but it wont let me. Should i just do the security key thing?

0:30 BRO JUST CALLED ME OUT LMAO 😭😭😭💀💀💀

At 7:30 but that is with every business and phone app devs. Look at what phone apps ask permission for without telling you what permissions are needed.

Actually not that bad of an analogy. I assume you were explaining hashing and if if you were you explained it almost perfectly.

Hint about the 2FA code on your phone: You don't have to wait for the new code. You can type in the old one and it will still accept the previous one, even if your authenticator already refreshed the code.

I'm gonna need to do this for my rotisserie chicken later...

A naked man fears no pickpocket.

me when security key

Made security key. Thanks NTTS. Nice analogy btw.

Bro, at 5:39 you showed your backup codes !

3:22 General Security Keys are not easier because of Fingerprints and Face make life hard. Especially when some security expert enforces them ... then realizes he has 100 computers in the workplace that cannot use camera by law or don't have a finger print reader because those are expensive.

4:28 pov it’s a prime number ☠️ (for those of you who don’t know what a prime number is it’s a number only eqaly divisible by 1 and it’s self)

4:30 makes me feel like im storing all the nuclear codes on my discord account

nice anology. Another way of explaining this is that a public key is like a picture of your signature (you know how it looks like but not how to create it). Your private key is the path which the pen will go when writing your signature. Now, when you log in to a website that you created the key-pair for, the website will send you a unique challenge (basically a text) every time you log in. When using your biometrics, you allow the browser to use your private key to create a signature. The browser sends back the challenge text with the signature and the website verifies that it's the correct challenge with your correct signature. Even if someone would be able to capture the signed challenge text, they would not be able to use it a second time, since the challenge is different each time. Also, scanning that passkey qr code (not the Discord one) with your phone, doesn't sent the actual private key to the computer. Your phone connects via bluetooth, get's the challenge from your computer, uses the private key which is stored on your phone, signs the challenge and sends back the signed challenge to the computer so that the computer can send it back to Discord.

in South Africa, i have my Sim Swap set up with my provider that i have to go to my provider store and pysically be present to perform a sim swap, cant be done on the phone and you have to have my physical ID

I understood that great analogy very well! Good job!

LOL "Your stupid (Question mark?)"

u did not forget to regenerate ur 8 character security codes right?

I would like to point out that the stronger a security mechanism is against remote attacks, the weaker it is against physical ones. So, imagine you follow the Microsoft trend of going passwordless and use a hardware key instead. Now that key gets stolen... Opsie! Please, don't go passwordless, and use a password manager.

I love how the only people that will use this are server staff and KZbinrs

jokes on you i have an industrial grade fingerprint reader configured to my pc

Yubikeys are so expensive in my country so, i'll have to pass this 😔

Yeah,,,, that SIM card thingy is old news. That is why my first phone has a slot for them but it does not have a SIM card in it. They are not even required the phone companies are just dumbing down security and installing malware anyways via remote.

I've had a yubico key for a while, happy Discord finally added support. Now my bank needs to get on board!

At first I was mad at being called out with the gamer pc to watch youtube, but then I was able to put him in his place as I logged in using my webcam with Windows Hello. Thanks for the tip!

when you found out you still not safe 😅

Hey man I discovered you and I really like your content I’m going to subscribe to you man I really enjoy your content

I find it funny you plugged in the "pi" in the number slot :D That's not gonna produce an integer, nope. :D

Just wanna say, that if you use the discord desktop app it will not pop up the QR code for your phone

MAN I *LOVE* sticking till the end! I get my hugs and kissies :3

I hope he regenerated the backup codes.

Oh, this made me realise I had sms on, which I THOUGHT I'd turned off. Thanks for reminding me :)

your outro is hella weird but the content is too good to have a sweet kiss scare me away... 😘

I'm actually thinking of getting myself the Yubi physical USB security key. Honestly it's just a stick I can wear on my keys, and whenever I need to use it, I can just pull the keys out of my pocket, or simply just grab them off a shelf and insert it into the PC. I wear my keys almost all the time on myself. So it makes sense to put it on my keys. I have never lost my keys, there's of course the risk of that, but it's very low. Unless I get really drunk, the chance of losing my keys is next to zero.

Imagine we had a generation that was actually smart and never fell for scams. I honestly can't.

already using it

nice analogy

nice analogy mate!

I was considering cracking into NTTS's account as a meme (I didn't intend on keeping it obviously) because he forgot to censor his 2FA backup codes, just to say to one of his friends "hey NTTS forgot to censor his backup codes in his latest video so I reset them for him, logging out now" but I don't want to get on Discord's bad side just because I wanted to do a little chaotic good memery. Hey NTTS, reset your backup codes!

4:57.. What if you use Firefox? I get no popup.

5:40 I'd highly recommend generating new backup codes if this isn't an alt account...

Gonna use my old Amazon staff yubi key for this

3:49 is where I laugh the most, must be what he’s saying.

1:47 Yeah but if you stole someone password and then run it on scam server and paste into real discord website or embed real discord website into scam website then it might be possible to stole token!? 2:05 Google authentication codes are stored in google account cloud as well 3:20 just use windows pin

nice analogy

EFFING FINALLY. I admin several servers I needed this ages ago.

NTTS: Yubikeys My last braincell: Heh heh, yubi yubi!

my brother has a passkey and he usually uses this with discord and that feature was there for him for like 2 months

what a wonderful analogy

3:20 you said gaming laptop like a slur... feelsbadman...

except for the fact tokens allow anybody to login no matter how much protection..

Be aware that Windows does not sync your passkeys to your Microsoft account! Also the scam sites know they get flagged by browser so they keep geting new domains all the time. So don't expect your browser to save you, the example is just poorly explaining this that is was an old scam link. New scams are probably not flagged yet.

Damn. Literally just migrated away from Discord and they rolled out this cool update... hopefully the Matrix team is working on this, haven't seen any issues/prs though.

I haven't fact-checked this but... I think that if someone's worried about scams or getting scammed... they won't, or are less likely to get scammed.

nice analogy mate