2FA instead of plaintext password when submitting DevEx

I have always had an icky feeling about being required to input my password on the DevEx. It feels extremely unnecessary to send the password over plaintext in order to submit a DevEx request.

With the recent release of 2FA, inputting your password, only for it to be sent as plaintext, feels obsolete and fairly insecure, and should be removed in favor of a 2FA requirement when submitting a DevEx.

30 Likes

Your password being sent “in plaintext” is not “insecure”. The security present to ensure that nobody can see the data you’re sending/receiving is already there - it’s HTTPS.

When you log in, sign up, or do other actions that require passwords on Roblox, the same behavior is there - it’s “sending your password in plaintext”, sure, but it’s secure because you’re accessing the site through HTTPS. Saying that this is “obsolete” is casting doubt for no reason.

I agree that accepting 2FA on the DevEx page rather than a password could be a good idea - I just think it’s important to understand what the actual security implications of the current system are. If they were to implement 2FA, your 2FA code is still going to be sent “in plaintext” :upside_down_face:

17 Likes

Bumping this to add another data point; it would be great to make this more secure and prompt a 2FA gate on sensitive actions like DevExing Robux, so that they need more than just the password / an active cookie to prompt this action.

10 Likes