I see a lot of people talking about Discord's use of tokens these days because of the large number of phishing attacks going around. With this discussion come many false assumptions and misconceptions about tokens, which I hope to clear up a bit in this gist. Note that this primarily refers to the specific situation in which a user has downloaded token-stealing malware as a result of such a scam.
First, some common complaints I see:
- Tokens are insecure because they bypass 2FA
- Tokens are insecure because they aren't encrypted at rest
- Tokens could be locked to an IP, but they're not, which is a bad design