Thoughts on 2-Step Verification?

Sure, nothing wrong with supporting multiple options. Supporting SMS is an important factor in promoting the usage of this feature though, it does provide an extra authentication method that is much harder to intercept without the proper hardware compared to the email attacks we’ve been seeing lately, and you have no idea where the user’s phone is in the network to begin with.

1 Like

Others don't use Google Authenticator…
Both SMS and whatever you’re attempting to describe are TOTP, just I am unsure of what medium you want to receive the OTP in.
Email can be just as slow as SMS as can any server really, so to argue congestion is to be against anything that uses a form of server.

@buildthomas

There certainly is something wrong with supporting insecure and unreliable options and suggesting them to users, especially when they have no advantage over other options, especially when these insecure and unreliable options require an implementation, especially when they are presented to users as intended to increase account security. Most users won’t have the technical knowledge to understand each approach.

@pauljkl

Email uses the Internet for message delivery. It has its problems, but doesn’t have the security issues there are with SMS text messages and doesn’t have the same kind of reliability problems. I’m not particularly in favor of email, since I prefer simply giving the user the shared secret (then the user generates the temporary passwords himself and there is no possible security or reliability problem—this is what websites usually do), but I’m not against it either because it has the advantage of not requiring any software, and doesn’t have security issues like SMS.

1 Like

I trust Google and their decision that SMS was good enough for 2factor more than I trust some random individual on the internet saying “SMS is insecure!!!”.

3 Likes

How/when are the passwords generated? When you log in? Because if so, it removes the whole point of 2-step.

The first version of 2SV is under development. It’s not going to be TOTP. It’s going to be email to start, and hopefully SMS not too long after (soonTM on SMS). You will be able to choose between email and SMS when SMS becomes available.

8 Likes

If I summarise this you are saying “two-factor authentication using SMS will not increase account security”. It’s simply not true, it will increase account security over what we have right now.

Not only is there a second authentication method over password-only that way, but you also cannot intercept specific SMS messages related to ROBLOX and also link them to specific accounts at the same time. You would have to know the whereabouts of the user’s phone as well as their ROBLOX username, and then force a code to be sent and intercept that from the network. At that point, the perpetrator may as well threaten you IRL to give up your account and/or steal your phone in passing, since they know where you are.

I have SMS set up with PayPal. The only flaw with PayPal is that you can skip 2 step verification by using my recovery questions. (I think on mobile they let you skip SMS as well at one point). As long as nothing ridiculously redundant like that is implemented, I’d vote for SMS as my favorite 2 step authentication method!

Keeping in mind there needs to be new recovery options in case someone has their phone number changed.

2 Likes

+1 Really the only thing I can be absolutely positive that I’m the only one that’s using it. Email for example can be accessed if someone has my password (well not really since I have 2factor authentication for it with my phone, but if we pretend I didn’t), and the same is true with other web-based authentication (if someone from ROBLOX manages to sneak a RAT onto someone else’s system, they can access any web-based 2factor authentication), as opposed to SMS authentication where only someone physically touching my phone can authenticate.

The LARGE majority of stolen accounts on ROBLOX are just scam sites, so of course SMS will prevent this, and you shouldn’t dismiss extra security just because it’s not the best security possible.

4 Likes

Is TOTP support something you want to add in the future?

In light of recent events I believe that this feature’s progression should be sped up so that it could be shipped as soon as possible.

3 Likes

The account break-ins can be prevented easily if people use different passwords for different web services and make sure that their usernames for different services aren’t comparable (e.g. your email prefix is not related to your ROBLOX username). This has been posted here so many times as well.

Either way, they’re not going to speed up the development of this just because one guy got hacked in the past 24 hours, and I would feel really uncomfortable if they released a feature too early that could have a major negative impact when not implemented and tested thoroughly and properly.

4 Likes

InB4

I CAN MAKE MY ACCOUNT MORE SECURE FINALLY? ROUGHLY A YEAR LATER BUT IT’S COMING?!?

3 Likes

So excited!

2 Likes

Are you able to say how soon? I understand an exact estimate is impossible, but are we talking a couple of weeks, months, etc?

2 Likes

Yeah, it’s needed now more than ever.

1 Like

Yes with the recent events, it is clear this needs to be prioritized after having been put off for an entire year.

I got to be the first-hand witness of this and I am sure Roblox’s moderation team is going through a great deal to settle the damages of what happened.

Not to mention, the same attacker attacked another developer with the same methods immediately, a day after me.

4 Likes