Comment by jedberg
5 years ago
Oh please do. This seems like the perfect time to bring this up:
I had a piece of software that used Discord for support. They required that users be verified, which requires you to give you phone number to Discord. I gave them my Google Voice number, which is the only number I have, and they rejected it because they don't support VOIP numbers. I asked them if there was any other way to verify my identity.
They told me, "Just use a friend's phone to verify. As long as they don't try to verify on Discord in six months it should be fine, we won't check again".
Their official answer to identity verification was to impersonate someone else!
I constantly run into this problem, I've used my google voice number for everything for years (yeah it's not a great move but very hard to migrate away from) and a frustrating number of services recently have been rejecting it for verification. I end up having to take the sim out of my laptop and put it in my PinePhone. It's such a hassle. This whole "you're not a human unless you have a phone number" thing sucks. Same thing with having a credit score. You're just assumed to participate in these systems even though there's no mandate to do so or protection for you if you don't.
Just a couple of days ago, I signed in to a gmail account using the correct username and password.
Gmail intercepted me and claimed to be worried that they couldn't recognize the device I was using. According to the flow, they wanted me to verify my identity in one of three ways: (1) I could verify the backup email address associated with the account; (2) if unable to do that, I could provide the 2FA code sent to that same backup email address (how would I be able to know this without being able to know what the address was?); or (3) I could provide a phone number -- previously unknown to Google -- on the spot, and then provide the 2FA code sent to that brand-new phone number. (How is this supposed to help them verify my identity?)
I went for option (2), the email 2FA code. After providing the code, I was informed that, before signing in to my existing gmail account, I must also provide a phone number and enter the 2FA code sent to my new phone number.
So I went back and went for option (1), typing in my backup email address. Same thing happened. Because Google "couldn't recognize the device I was using", I was not allowed to sign in to an account I obviously controlled without providing a phone number with absolutely zero authentication value.
I did find a workaround. If you attempt to sign in to an account afflicted in this way in an incognito browser window, Google will, for the moment, allow it.
"Don't be evil" is long gone.
Never ever ever ever give your phone number to Google for verification or authorization. People just don't understand how easy it is to find someone's phone number and then steal it for long enough to steal e.g. emails. Has happened, will happen etc. Like ssn, phone numbers were never made for this purpose. In fact phone numbers and services (e.g. SMS) are just the front end and are setup to be easy to redirect.
We had incidents in the past just because the colleague had given the number to Google and those were corporate accounts.
Every time a service moves to SMS or phone calls for 2FA a cry can be felt across the universe by any security engineer/cryptographer.
If you are a person responsible for this: please don't. If my antiquated bank that is insured and doesn't really care can understand this, so can you, if you care just a bit.
11 replies →
It's especially nice when traveling. I was once asked by a client to do something while I was in other country about 5k km from regular location. Couldn't login to the apps account for this reason (no backup email or phone set). So I didn't do the work.
I suspect it's some work-life balance enhancing thing. :D
I don't really mind, since it also helps me bash Google services in front of my clients who still use them, without being aware of these failure modes.
Personally speaking, it's absolutely a no go service. I can probably handle service loss at home quite fine, but if I relied on google or other services with these "anti-abuse" features while traveling that would be very stressful. I usually print out everything important before departing so I don't rely on any electronics, anyway, because none of it is as reliable and as quickly accessible as a piece of paper or a bunch of cash.
8 replies →
I had that happen, too — even after successfully receiving the passcode at my recovery address, and entering it, they still denied login. Presumably it's a bug in their system (being generous), but who knows when they'll fix it, if ever?
I currently have an old (infrequently used) gmail account, with a valid recovery email, that I cannot log in to at all.
I don't have (or want) 2FA set up for it.
I tried an incognito window just now, and same problem ):
Just had this happen to me with my Microsoft/Minecraft account. I had migrated my mojang account 2 days ago and today I was told that apparently they "detected some activity that violates our Microsoft Services Agreement" and locked my account. They did not explain what the violation was and apparently it would magically go away if I verified my phone number (which they did not have before).
Never doing any buissness with ms again.
10 replies →
I've actually found it hysterical. The phone number question seems to be for their data mining as well as evidence. But anyone can get into any email address when prompted this way. It is possible to send a text to someone else's phone, the servers connected to phones online are often polluted but many times they are not. You can send a text to those and get the code.
Or of course, just send the code to anyone and SS7 hijack that specific text message. You aren't hacking them, after all, you're hacking yourself or someone else.
2 replies →
>if unable to do that, I could provide the 2FA code sent to that same backup email address (how would I be able to know this without being able to know what the address was?)
I am one of those people using option 2, by virtue of keeping a lot of old email accounts that I have set up to forward to my main account. So I don't usually need to remember which account if was, and just wait for the email to come through from the void
Once upon a time not long ago, I got off from my flight into a foreign country (I don't have a SIM card that would work there). I turned on my wifi and was delighted to see they had a public network you can use. There was a captive portal, and the only sign in options (besides using a local phone number) were Facebook and Google. I chose Google, and entered my id and password. Google promptly went into the "sus" mode as you described.
Now I can't use option 1 or 2 because I don't have internet access until Google approves my sign in. I can't use option 3 because I don't have a SIM card that would work locally. Thankfully Facebook login worked.
2 replies →
When I sign into a Google apps account I have associated with a school about half the time I am forced to go through option (3) whereby I’m asked for a number they can send a SMS to. I am never presented with option 1 or 2. Per the tenant settings which I do not control, 2FA is disabled and users cannot enable it, nor provide a backup email last I checked. Extremely frustrating- especially not being able to use a VoIP number, landline to dial, or set up a more robust TOTP generator or the like. Perhaps the school should codify the requirement for students have cellular service just to enroll, since it’s the de facto case already. sigh
How does that story have anything to do with being evil, by any stretch of the definition?
Are you insinuating that Google has this convoluted verification flow to intentionally harm people in some way? Or even to intentionally harm privacy or further business goals at users' expense?
Or are you just using "evil" to refer to anything you don't like?
11 replies →
I had this problem this week too. I have a secondary Gmail account that is forwarded to my main one. I tried to login to it, they demanded a phone number (even though I do have access to the backup email), and wouldn't let me in because the only number I have is one that's already in use on my main account. I guess now you need one unique fully-functional phone number for ever Google account you have?!
2 replies →
> if unable to do that, I could provide the 2FA code sent to that same backup email address (how would I be able to know this without being able to know what the address was?)
Two options from the top of my head:
1. you have email forwarding configured so received mails will be delivered to another account. That's generally configured in the settings of the provider (I.e. directly under account settings in Gmail iirc)
2. You have a logged in device which receives mails through an application password. You cannot read it out because it's masked and even if you could, it wouldn't help you because it's only allowed to receive mails, not login.
I don't think this is particularly rare, honestly.
But yes, it is obnoxious.
I have real anxiety about being locked out from "digital self" someday due to issues like this. Sometimes I really think this just isn't worth it anymore and I'm far too invested in "the Internet".
There's a workaround to fix an account afflicted this way, use a yubikey to add as a security key and then add a 2fa through the google authenticator standard (which works with 1password). Once that's setup google will never ask for your phone number again.
I seem to recall fb doing similar. It's similar to banks or telecom providers requiring a persons home address (or worse: to prove it using a utility bill).
Wherever I can I set up code generation / TOTP 2FA precisely to avoid lockouts. Then to avoid losing all of those whenever I change/reinstall my phone I opt for the less secure option of storing them in a password manager...
I can't think of another way not to get locked out in case I ever lose my phone.
Google, Paypal and a few others seem to be the worst offenders at "protecting me".
Phone numbers are tied to your identity. You cant buy a mobile sim card without showing your id and the phone number will be registered to your id.
This happened to me years back. What would you say to the argument that it's to protect users from identity theft
Check your internet connection and Google/Gmail certificates. It looks like you are taped.
Yep, the latest example was my credit card company rejecting my GV number. They easily have the means to see that I've been using it for 10+ years and it's definitely me. Luckily they wanted my business more than they cared about that policy; a CS droid was able to "force" the system to allow it.
Requiring cell phone numbers isn't about anti-spam or 2FA or anything else these services and sites claim.
It's about linking your account to a real person identity, so they can sell that to someone - either live, or later when they get bought out (privacy policies almost always have a clause that allows them to just fork over all your info to whoever buys the company.) "Where was phone number 111-555-1212 at any point in time" is really valuable these days.
SMS for 2FA is less secure because cellular accounts are almost trivial to take over. Carriers never intended for their accounts to become so important to security. These days you can get a second password added to prevent shipping out a new SIM or transferring the account, but that's bypassable by a cellular store on the corner, and poorly implemented (my carrier just adds it as a CUSTOMER VISIBLE AND EDITABLE comment on my profile. WTF?)
If you get someone's unlocked cell phone or a SIM card, you can get access to their email account, their bank and credit cards...damn near everything. How fast can you lock and wipe your phone if it was ripped out of your hands while you were using it in a public place?
> It's about linking your account to a real person identity, so they can sell that to someone - either live, or later when they get bought out
Yeah, this can't be emphasized enough. Phone numbers are established as universal identifiers. Discord is sitting on a giant heap of personal information including DMs from millions of young people. It is all centralized, both in terms of data, and in terms of accounts (instead of them having to correlate an account between multiple forums, most of which volunteer run and they don't turn over non-public data for money), and also associated with phone numbers. Making multiple accounts for different areas of life is made hard. Beautiful for whoever has access to the data.
2 replies →
Asking for information for one purpose and using it for another is amazingly user-hostile and abusive, and it's an almost universal practice for technology companies.
I first noticed phone number abuse with facebook, which asks for a phone number for "security" but then uses it to match you with advertisers.
It's the same scam that sites have been running for years where you have to use an email address as a user login, and that address is instantly added to spam lists.
"Sign in with Apple" is hilariously useless since privacy-violating apps can just require a phone number for "security" or "verification" purposes.
1 reply →
It's 100% about linking identities between services. I've had my cell phone number for 25 years. It's basically a lifelong identifier at this point and I constantly have to use it for low value online accounts. I wish I could go back 10 years and get a dedicated phone number for online verification.
The security side is a total lie as well. Your post made me think about the biggest risk for myself and, like many people I know, I put my email address on my lock screen so that if I lose my phone someone can get it back to me. Now it just clicked for me and I realize I need to change that because if I lose my phone someone has everything they need to recover a lot of my online accounts. My Google, Microsoft, Amazon, etc. accounts all use that same email address and all they need to do to perform SMS recovery is put my (unlocked) SIM in another phone.
1 reply →
> This whole "you're not a human unless you have a phone number" thing sucks.
Oh it’s even worse than that. I have a land line that I use exclusively for when I’m forced to give a phone number (and also for faxing doctors and lawyers which is apparently still a thing). Many internet forms reject it because it can’t accept text messages. Yeah, that’s the fucking point. I don’t want text messages from your shitty service. It’s still a legitimate phone number you can call. Don’t ask for a phone number if you won’t actually accept a valid phone number! FFS!
Yeah same. ETrade recently changed their phone verification system and can no longer send me a text message to verify my identity. I'm actually ok with that because it forces them to use the security token instead, which they should be doing anyway!
And often I'll run into problems with silently failed messages because they don't accept the number.
I think this is completely different than having a credit score.
I’ve never ‘needed’ a credit score unless I was requesting a line of credit. I’m which case a credit score is better than the alternative where I need to personally know someone that the lender already trusts and trusts their ability to trust other people.
You don’t ‘need’ a credit score but if you want a line of credit then it’s good to have. Otherwise you get the products that they offer to high risk individuals which costs a pretty penny.
A credit score is used as a trustworthiness analog in arenas other than lending. For example renting a house or car, and some phone companies won't give you access to a post-paid plan, all of which can have a stratifying effect. The idea that because I don't take on debt that I am not trustworthy is wrong. I can pay a larger security deposit to offset risk, but often times that's not an option.
I've also heard tell of employers using credit checks to evaluate potential employees though I haven't researched that.
5 replies →
Meanwhile the community is having a big debate over the CoC, deciding what exact wording they should use to say "be nice and include everyone".
Why just communities be forced to accept everyone? Or even be nice? When in a group of friends we can often times not “be nice” however because we know each other, we understand it comes from a place of love. Perhaps it’s a military background thing, but exclusivity has its benefits.
10 replies →
> I end up having to take the sim out of my laptop and put it in my PinePhone
Just in case you are not aware, you can receive verification SMS on your laptop as well! On Windows 10 there is a built-in app simply called "Messaging" which shows you all the SMS received on that number. I'm sure something different exists for other OSes.
This is what I do when asked for a verification number and there is absolutely no way around it, I just put the phone number of my laptop's SIM card, that way I don't have to worry too much about spam too because I will never use that number in a real phone.
Nice, thanks for pointing this out. It's fucking annoying that I'll have to figure out how to install the Windows Store on my computer to get an app that can receive text messages, something that you know, should be available through a pipe/file/tty or some dead simple interface since it's not exactly rocket science to receive 160 characters of text.
But thank you none the less.
There are laptops with SIM card slots?
6 replies →
I tried to log into the IRS.gov portal, but it says I can't because I don't have any credit score. (I don't have any credit because I'm an immigrant)
I’m sorry you ran into that problem. I ran into the opposite problem, of thousands of fake accounts a day using VoIP phone numbers to create accounts. Almost all of them were fake/abusive when they were investigated manually. Blocking these numbers felt like the sensible thing to do, because it made the abusive account creators spend more time, money and energy creating their accounts. I’m sorry it impacted you.
Using SMS as a login verification thing is just so irritating. My bank asks me to enter an SMS OTP every time I login to the website. I know my username and password! Let me into my bank account!
They're trying to do that to break 3rd party financial integrations. Not for your security but because they think they deserve to get paid for your data and these other people haven't paid up.
Credential stuffing is a widespread problem. Im sure everyone on HN uses a password manager and different passwords for every service, but many people don't.
It's makes a lot of sense for a high-value target like banking to require 2FA, but SMS is the worst way to do it.
How does this work for Fi users?
I've had a Google Voice number for so long it's the only voice number I have these days. I can't say it's a recent experience that it doesn't work with certain things though it has been a recent experience the things are aware it doesn't work and will alert you. Overall though I've yet to run into anything I couldn't use an alternative method for authentication be it luck (e.g. got into Discord before they required phone numbers) or email or calls being a thing (and working when text doesn't).
Ironically the biggest PITA I had was when I decided to migrate my primary cell number to Google Voice it was my fallback contact number. Thankfully I only ran into that as an issue once and was able to get back in to set up Google Authenticator (which was also new and hip at the time).
I'm not sure if there are any issues on Google Fi, since they're an MVNO, so identical to any other cellular network.
1 reply →
Isn't it a shame how the world got Google Voice backwards? The savvy among us saw it as a way to present our one true phone number/identity to the world, and have options for different back end phones and services we could use. Cell phones, land lines, Hangouts, computer voicemail, all that. But the average schmoe sees Google Voice as a way to get multiple disposable numbers to sacrifice to spammers and bar hookups and commit minor fraud. So it became useless for its main purpose: being your phone identity.
Every one used to use your social security number instead to uniquely identify people but that was made illegal because of the many problems this caused. But company's want a unique identifier for people. Now that everyone has cell phones people never change their phone number so it is a great unique identifier that is legal to use. Not enough edge cases, yet, like yours too worry about. Maybe it will be made illegal in the future.
It's never been made illegal to use, or even ask for, an SSN.
You can refuse to provide it (unless it's required for tax/employment purposes) but whoever's asking can then just refuse to transact with you.
1 reply →
I had been using my gv number for 9 years for everything as well. I recently ported it out of gv into my mobile carrier since no one knew my carrier number and I was running into too many annoying voip restrictions. So far I don’t miss gv.
Wait what? You literally put a sim card into a phone for it to be treated as a cell number? Thats odd and interesting to me how does that work?
> You literally put a sim card into a phone for it to be treated as a cell number?
Well of course -- the SIM is the (as others have pointed out, "currently assigned", yada yada) phone number. So what else would any device with a working SIM slot be treated as, than a cellular device?
The SIM has its own phone number, so when they put it in a phone they can do "phone" things like make calls. In their laptop it's just for data.
5 replies →
I don't understand, isn't that how SIM cards are supposed to work ?
Instead of "phone" do you actually mean "laptop"? Interfacing with a SIM through a computer seems pretty Futuramaistic to me. How does _that_ work?
9 replies →
Phone verification can certainly be annoying, but anyone who's been part of large Discord communities will know that spambots that DM users with all kinds of scams are a huge issue. Phone verification stops someone from raiding a server with it enabled with hundreds of bot accounts. As for VOIP numbers not being allowed, that also makes sense; VOIP numbers are extremely cheap and allowing them to be used would defeat the whole purpose of phone verification.
Personally I think that giving server admins the ability to require phone verification is a good thing. It's not mandatory and it's only used if the server admin enables it. I don't think it's fair to blame Discord when it's a choice made by the server admin, plus a forum could have the same requirement.
My problem isn't with the phone verification. I totally understand why they do that. I don't even have a problem with not accepting VOIP. I get why they do that too.
My problem is that they don't have an alternative, and there is no way for channel admins that turn on that feature to know how many people can't get in because of their choice.
They should either have an alternative way to verify oneself, or a way for the channel admin to allow you in without the verification, or both.
The alternative is to have an admin/mod assign you a role. If you read the the text under "Verification Level" https://discord.com/safety/360043653152-Four-steps-to-a-supe... you will see that members with role don't need to have phone verification.
That being said, anecdotally I have heard Discord locking/terminating accounts without verified phone numbers (usually if suspicious activity has been detected).
Definitely, I agree that phone numbers are a flawed verification method. Something better needs to be created, but I can't think of anything that wouldn't have the same or different flaws.
8 replies →
Admins can just lower the verification level for the server, can't they?
https://discord.com/safety/360043653152-Four-steps-to-a-supe...
2 replies →
There’s a bot that will ban most of those spam bots called Beemo. You realize a lot of bots are verified right? I’ve seen scripts to verify accounts on GitHub and spoken to the kinds of people who would automate accounts via scripts just to have a bunch of alts. They get numerous alts into servers just to spy. Its a kind of art I guess. I wouldn’t recommend doing any of these things.
Personally I just wish Discord wouldnt rate limit bans if they’re not going to make a true effort to catch these bot farms. Gee I wonder how likely it is that three thousand accounts will decide to join the same exact server at the exact same minute? Having modded a decent (tens of thousands) sized Guild I gotta say people pop in every few minutes or seconds. Unless something big and relevant to your server happens that draws more traffic, but even then never thousands in seconds.
Spy bots get away because they don't spam or do anything weird. No one is sitting there auditing users who haven't spoken much. Spam bots will end up with their account banned and phone number blacklisted.
Yeah, they definitely need to do better, but forums can have the same phone verification requirements, it's not really a negative of Discord compared to forums in my opinion
>As for VOIP numbers not being allowed, that also makes sense; VOIP numbers are extremely cheap and allowing them to be used would defeat the whole purpose of phone verification.
Cool, except whoever or whatever is deciding what is and isn't VOIP is not doing a good job at making that determination. A few years back I ported my old cell phone number to a VOIP provider. I now have a new phone number on a different carrier. $OldPhoneNumber is apparently not a VOIP number and $NewPhoneNumber is. So I had to use the $OldPhoneNumber on a VOIP provider to verify my account because $NewPhoneNumber with a carrier wasn't acceptable.
But hey, it's their closed platform and they can use whatever means of keeping people off of it that they want. I don't really care for it anymore.
> It's not mandatory
That's not true at all. At any point your account can be flagged by their internal system and on your next login you will be forced to add a phone number "for security purposes". It happens to people all the time, but in particular, though not limited, to TOR and VPN users. So, yea, sure Discord's not at fault in the situation where a server admin turns on the phone number requirement, but they are definitely to blame when they force users, some who prefer to remain anonymous, to either give up personal information or lose their account forever (support will not help you).
Not sure if this can still happen if you've got 2FA turned on, but seeing as I see it mentioned more often from tech literate people (e.g. on here) who are more inclined to setup 2FA I doubt it makes a difference.
> It happens to people all the time, but in particular, though not limited, to TOR and VPN users.
The best part is that this only matters to people who care about their account. Most malicious actors won't care and will just create a new one.
Phone verification would be fine if discord had support for multiple accounts/identities. It's a fundamentally important feature of any online social service to be able to retain privacy and have different identities for different purposes. Discord makes this very difficult.
If they allow the user a chance to send an appeal or out-of-band alternative method to verify then this becomes less of an issue. It's when people presume certain baselines — like a phone number — that it becomes a showstopper to community.
I have seen Discord servers that use 3rd party verification systems, but very rarely. An alternative to phone numbers would be ideal, but there will always be flaws similar to the flaws of phone verification in my opinion.
1 reply →
Discord pushes SMS verification because it a)gives them your identity which is valuable and b)avoids them having to spend money on proper bot/troll mitigation.
VoIP number bans don't accomplish much because there are lots of services that sell real-sim-backed numbers and nowadays there's even eSIMs.
> Phone verification can certainly be annoying
Not just that. Why do you need to share such private information for every service out there? It's pure madness. It is, and will be used for tracking you online everywhere.
I have a regular phone number in Singapore from a new range of numbers that doesn’t work with many services, even with some government services.
Customer care typically replies by having me first prove that the number is real (by showing a phone bill for getting an verification OTP, think of the irony) and then goes silent because they can’t work around their (human) robot way of thinking when something is unaccounted for in the handbook. (Already shifted a significant portion of my regular spend on groceries to a different provider, but they don’t seem to care)
It’s very frustrating because there are other ways to prove my identity (government even provides a digital Id / signature app) and contacting me.
Services should work with the minimal needed set of properties from the user, discord and slack are very annoying , there’s no need for all this hassle for a small question. I would spend the extra time looking for an alternative product where I can than signing up.
What happened to people caring where users drop off in the funnel?
Losing a user or customer once you’ve spent all that time, effort or money acquiring them by having barriers that don’t have any benefit is just silly.
On the other side of there are bots that impersonate users to send spam or raid servers to overrun moderation and “DoS” the server’s communication. Part of the value proposition of running on Discord or Slack is that they handle offloading a large amount of user verification/spam prevention and moderation tooling. The only one you really have to do is manage rules and have some sort of rotation so at least one moderator is online to handle potential issues.
Is this the only viable solution today? Fully opt in to a provider that isn’t user friendly?
For a free service maybe ok, but then you typically shouldn’t have the bot problem to such an extent if it’s small enough.
For a paid service: no way, please find a way around this or I’ll find a way around your service as soon as a problem pops up and causes me extra inconvenience just to sign up.
What I like about forums is that a) they're indexable by search engines! and b) because there's no expectation of an immediate response, people tend to put more time into their requests for help.
I support a FOSS project via Slack, and information sparse requests are sadly the norm, I found that 95% of my responses are "Can you please provide more logs/configuration/actual description of what you were expecting, and what happened instead".
> What I like about forums is that a) they're indexable by search engines! and b) because there's no expectation of an immediate response, people tend to put more time into their requests for help.
For me there is also c) I can browse the content that is already there without signing up. Not going to join your Discord "server" when I don't even know anything about your community.
>Not going to join your Discord "server" when I don't even know anything about your community.
Why not? It's just as easy to join a discord server as to visit a site. If you don't have a Discord account already you can just type something random for your nickname.
4 replies →
Oh yes, that's an amazing reason.
Slack is great for the masses to get someone's attention. Not much else. I'm betting most of those requests start with:
"Hey, I have a problem, can someone help?"
No actual information follows, just minutes idle, waiting for someone to respond.
Slack is like a bird's nest. Baby birds chirp loudly, open up their mouths, and hope you'll regurgitate some worms into them.
And a cuckoo bird managers who said „i implemented slack on this project“ then threw out those little birds you mentioned and put his little bird in
1 reply →
For me it starts with:
"Hello."
2 replies →
I don't think it's really about identification. Binding user accounts to SIM-based phone numbers is an effective way of limiting account creation as it's effectively binding it to a physical token.
I can only guess why Discord wants to do this (fighting scam bots?), but for example for Tinder this is a very effective way of preventing abuse on the huge early discovery boost after signup or long inactivity.
I understand why they do it, and I have no problem with that. My problem is their lack of an alternative. Either have an alternative way for me to verify, or a way for an admin to let me into their channel without verification.
what if that alternative was "worse" than the phone number method? Would you then complain that there's no "easier" alternative?
For example, a photo-id as an alternative, which imho is way worse?
The problem with presenting an alternative is that if it is "better/easier" than phone number, then it gets exploited by the spam bots. If it's worse than the existing phone number method, then you'd have the exact same complaints, or worse.
1 reply →
The real issue parent and many sibling comments are running into has answers all the way down in individual liberty and sovereignty. Technology companies have pulled out the rug from under us to deliver the illusion of convenience and safety. Benjamin Franklin seems to be ever relevant: "Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety."
But we're here now, and as much as I might fantasize I can't make myself believe that anyone would willingly accept a significant regression on the convenience front. The only way out that I see is to reconstitute sovereignty in a modern form.
We need "something" and I think we're getting close. Web3, dapps, and cryptocurrency are all aiming in that direction, and even if some instances are a miss I think we'll hit it eventually.
This is super frustrating. Discord requires server operators to enable phone number verification if they want any of the additional "Community" features. It's a hugely backwards requirement and it's the main reason I haven't given the community feature set a second look for any of the servers I run.
> Members of the server must have a verified email on their Discord account before sending messages or DMing anyone in the server. (Note that this doesn’t apply to users that have assigned roles!)[1]
I also help with running a community server which doesn't have the phone number requirement enabled either. It's also not required for partnered servers as far as I'm aware.
You can even get around the email requirement if you just add a bot that gives every new user a role, since any role will automatically verify you as mentioned here.
[1] https://support.discord.com/hc/en-us/articles/360047132851-E...
Ah, I was misremembering whether email or phone verification was required. Either way, it's still a very heavy-weight requirement for what's basically a drop-in drop-out support channel for us.
From what I see the only verification related setting you need to enable for community features is the member email verification requirement - Please correct me if I'm wrong.
I have to imagine that most SWATTING is done using a VOIP number of some kind. No one would use their cell phone or land-line connected to their real identity (also: your real identity likely isn't physically located in the area you want to perform swatting. You wanna change your area-code to match the target)
sounds like they are more interested in keeping bots out than verifying identity
It's also not required by discord. Discord doesn't even require that you have an account. They leave it up to "server" admins. You can pick options from allowing guests, allowing only accounts, and requiring only phone number verified accounts.
Quite possibly, but they should still have an alternative other than "impersonate someone else".
Any alternative would have to be inconvenient by design in order to work though, that's why phone numbers are used in the first place.
An effective verification system usually involves money at the root; verification in the style of phone verification works using proof of ownership of a limited resource, and most limited resources cost money (phone numbers, IPv4 addresses, etc).
In the real world this is analogous to charging money for access to an event purely in order to ensure it's not overrun with attendees,improving the experience for people who care enough to pay to get in. There are similar downsides to this; people who don't have money are left out.
Why not? It still limits bot creation (same number can only be used every 6 months). They don't actually want to know if the number belongs to you. Not much different than using a burner number.
2 replies →
I simply don't use services that demand a phone number to use them.
It won't get better if we keep caving.
And hope we can find a way to educate the staggering masses of children who are growing up thinking this is normal and good.
One of the best ways we can educate people is not being reachable on these sorts of platforms. Delete your Facebook accounts so you can't be reached on Messenger or WhatsApp or Instagram. Delete your Discord account so you can't be reached on Discord. Delete your Clubhouse account so you can't be reached on Clubhouse.
The choices we make affect those around us.
That is bad enough, but the worst part is that the content is not really discoverable outside of Discord. Sometimes you don't want that of course but I have seen communities pretty much dying because they only met there with no influx of new users.
every time I sign in at asks me to input my university email address
I cancel it then it comes back next time
I'm in my 30s...
You’re probably deleting its cookies. I had the same problem until I set up a (Firefox) container for it and whitelisted its cookies in that container. Now, no university reminder and no need to re-login either.
(I use the Cookie AutoDelete extension to automatically delete cookies.)
I've just been filling out the form with bogus school names and pointing the invite email to (randomword)@discord.com.
I used a VoIP number with Discord, because, f them, "I don't [need to] have a mobile phone". Also I think we should call ADA violations on any company that requires people to have a mobile phone.
It's possible to use a VoIP number. Happy to share how if you can prove to me that you don't work for them.
https://www.burnerapp.com/ ?
Note: no affiliation, just a satisfied user. Also, not free.
Hmm, something in my uBlock Origin filters blocks their signup page.
Anyways, I've been using https://www.numberbarn.com/ for SMS-based 2FA for a few years. Works great for stupid services that demand a US phone number (I'm an American who lives abroad, grrr) and don't have time-based one-time passwords.
Microsoft does the same thing. Crazy beans.
just wait til they roll out 2FA with the phone number being needed for a confirmation call (no authenticator app, there was a bug found in auth app 7000! voice calls only way!)
this won't happen on Slack or Matrix though