Two step verification is not a silver bullet which prevents all account theft, but it mitigates many phishing attacks where users enter their ROBLOX passwords into look-alike websites.
@TobotRobot tried tying .ROBLOSECURITY cookies to the IP they were created on but found that a device’s IP changes far too frequently, even for some desktop computers (not everyone has a static IP).
If you know how obtain a user’s .ROBLOSECURITY without asking them to copy the cookie and send it to you please let us know so we can patch it.