
Authentication Manager (3.3.2)

3 min read · Zallom (Lead Developer), Arthur (Administrator)

A compromised admin account, and your server can be destroyed in seconds. Verifying member identity every time they need access to a sensitive role becomes essential. Authentication Manager fills this critical gap in Discord.


❓ The Problem

An admin account gets compromised. Within seconds: mass bans, deleted channels, exposed data. Even with Discord 2FA enabled, a token stolen by malware or a phishing page is enough to bypass that protection — the attacker is already logged in, 2FA is never prompted.

Discord offers no mechanism to verify who is actually behind a role with sensitive permissions. Anyone with access to the account can act with full powers, with nothing to stop them.

A single channel deleted through an admin account hack is already too many.

🔐 The Solution: Authentication Manager

With Authentication Manager (AM), roles with sensitive permissions are no longer permanently assigned — they are granted only after an additional layer of authentication. Combined with temporary sessions that expire automatically, the exposure window is drastically reduced: roles are automatically removed at the end of the session.

Even if an attacker steals a Discord account, they cannot use the server's destructive permissions: the role simply isn't there, and obtaining it requires an authentication they don't have.


✨ What's Included

🛡️ 4 Authentication Methods

Method | Description | Grade
Simple PIN Code | Classic input, 4 to 12 digits | E to D
Anti-spy PIN Code | Randomized numeric keypad layout, 6 to 12 digits | C to B
OTP (2FA) | Temporary 6-digit code via Google Authenticator, Authy, 1Password... | A
Passkey (WebAuthn) | Fingerprint, facial recognition, or physical key (YubiKey) | S

🔑 Security Grades

Each method corresponds to a grade (E to S). You choose the minimum grade required per role: an internal channel can settle for a PIN, while an admin role will require a passkey.

⏱️ Temporary Sessions

Roles are no longer permanent. Each authentication opens a time-limited session (configurable up to 8 hours). When it expires, the role is automatically removed.

⚙️ Manager System

Grant admin permissions to a member without giving them access to the authentication system. Managers must authenticate themselves and can only manage roles below their ceiling, preventing backdoor creation and privilege escalation.

📋 Audit Logs and Sessions

Every authentication, role assignment, and action is recorded directly in the bot. Unlike Discord logs, no one can delete them — even a compromised admin cannot erase their tracks.

🚫 Brute-force Protection

After 5 failed attempts the account is locked out for one hour; after 10 failed attempts it is fully reset.
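As an added illustration of how the pieces above fit together (this is example code, not RaidProtect's own implementation), the following Python model enforces a per-role minimum grade, time-limited sessions capped at 8 hours with automatic role removal, the manager ceiling, and the 5/10 failure rule, writing every decision to its own append-only log. The grade letters, the session cap and the failure thresholds come from the post; the names, the ceiling being expressed as a grade, a successful authentication clearing the failure counter, and what a "full reset" clears are assumptions made for this example.

```python
# Added illustration of the access model described in the post; not RaidProtect's code.
# Grades, the 8-hour cap and the 5/10 thresholds come from the post. Everything else
# (names, ceiling-as-grade, success clearing the counter, what a reset clears) is assumed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

GRADES = "EDCBAS"  # weakest to strongest, as in the post
# Lower bound of each method's grade range from the post's table.
METHOD_GRADE = {"pin": "E", "antispy_pin": "C", "otp": "A", "passkey": "S"}
MAX_SESSION = timedelta(hours=8)
LOCKOUT_AFTER, RESET_AFTER, LOCKOUT = 5, 10, timedelta(hours=1)


def rank(grade: str) -> int:
    return GRADES.index(grade)


@dataclass
class AuthManager:
    role_minimum: dict[str, str]                                  # role -> minimum grade
    manager_ceiling: dict[str, str] = field(default_factory=dict)  # manager -> grade (assumed model)
    sessions: dict = field(default_factory=dict)                   # (user, role) -> expiry
    failures: dict = field(default_factory=dict)                   # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)               # user -> end of lockout
    enrolled: dict = field(default_factory=dict)                   # user -> enrolled methods (assumed)
    audit: list = field(default_factory=list)                      # append-only, never deleted

    def log(self, **event):
        self.audit.append(event)

    def authenticate(self, user, role, method, verified, now, duration=MAX_SESSION):
        """Request `role` after authenticating with `method`. `verified` is the result of
        checking the PIN/OTP/passkey itself, which this model does not implement."""
        if self.locked_until.get(user, now) > now:        # attempts during lockout do not count
            self.log(user=user, event="rejected_locked")
            return "locked"
        if not verified:
            n = self.failures[user] = self.failures.get(user, 0) + 1
            if n >= RESET_AFTER:                           # 10 failures: full account reset
                for table in (self.enrolled, self.failures, self.locked_until):
                    table.pop(user, None)
                self.log(user=user, event="account_reset")
                return "reset"
            if n >= LOCKOUT_AFTER:                         # 5 failures: one-hour lockout (re-armed by later failures)
                self.locked_until[user] = now + LOCKOUT
                self.log(user=user, event="locked", until=(now + LOCKOUT).isoformat())
                return "locked"
            self.log(user=user, event="denied", failures=n)
            return "denied"
        self.failures.pop(user, None)                      # assumed: success clears the counter
        if rank(METHOD_GRADE[method]) < rank(self.role_minimum[role]):
            self.log(user=user, role=role, method=method, event="grade_too_low")
            return "grade_too_low"
        expiry = now + min(duration, MAX_SESSION)          # sessions never exceed 8 hours
        self.sessions[(user, role)] = expiry
        self.log(user=user, role=role, method=method, event="session_opened", expires=expiry.isoformat())
        return "granted"

    def active_roles(self, user, now):
        """Sweep expired sessions (the automatic role removal) and return the live roles."""
        for key, expiry in list(self.sessions.items()):
            if expiry <= now:
                del self.sessions[key]
                self.log(user=key[0], role=key[1], event="role_removed_expired")
        return sorted(role for (u, role) in self.sessions if u == user)

    def can_manage(self, manager, target_role, now):
        """Managers must hold an active session themselves and may only touch roles whose
        minimum grade is strictly below their ceiling, so they cannot mint a role at their own level."""
        ceiling = self.manager_ceiling.get(manager)
        if ceiling is None or not self.active_roles(manager, now):
            return False
        return rank(self.role_minimum[target_role]) < rank(ceiling)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)     # constructed timestamp
    am = AuthManager({"mod": "C", "admin": "S"}, manager_ceiling={"alice": "S"})
    print(am.authenticate("bob", "admin", "otp", True, t0))       # grade_too_low
    print(am.authenticate("bob", "admin", "passkey", True, t0))   # granted
    print(am.active_roles("bob", t0 + timedelta(hours=9)))        # [] (session expired, role removed)
    for entry in am.audit:
        print(entry)
```

The audit list is the model's stand-in for the bot-side log the post describes: entries are only ever appended, and nothing in the class exposes a way to delete them.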


For the full list of 3.3.2 updates, check out the changelog.