2FA via Authenticator - Now Fully Rolled Out!

I’m more saying that if the codes can be guessed easily, it makes the app useless.

3 Likes

This is great! I was hoping for this feature for a while, hopefully support for security keys is implemented to Roblox aswell. I believe the use of security keys would highly benefit many players and developers as its easier and resists phishing attacks. If Roblox recieved proper WebAuthn support it would tremendously resist threat actor breaches.

4 Likes

You get backup codes that you should write down in notes on your phone or paper in a secure place

5 Likes

I’ve been using this for the past few days and it’s been a great addition to Roblox account security. Would definitely recommend everyone to enable this new feature, and disable 2FA via email to maximize security incase your email account is compromised. I’ve been liking the recent changes to Roblox, prompts to those working on these features! :heart:

3 Likes

Are you referring to using your email and your authenticator app at the same time?

If so, you will get the option to use either email or the authenticator app.

6 Likes

LETS GO! i loved the beta for this, now being able to login to the studio is nice. i also dont play on xbox or uwp so i wont need to worry about those.

for anyone who like me doesnt have a phone you can still use this, i use an application call winauth, its a desktop authenticator. works really for me.

though if you have a phone id reccomend using that.

anyways, nice to see this finaly get released. its nice to get some more secuirty :slight_smile:

5 Likes

Best update of the year hands down. Security is a number one priority that Roblox should always take on to protect its users. We as developers, rather people, deserve to have the best security practices at our hands, so we may protect our intellectual property. As someone who loves this platform, I am extremely excited and happy to see this change. It is my almost 10 years of time and work on Roblox that can be even more safe with this update. Thank you. :heart:

4 Likes

All the codes are 9 ASCII characters in length. It’s perfectly acceptable, one could even say better than industry which typically follows XXXX-XXXX (where X is either a just a number or ASCII characters).

To even attempt to brute guess these codes, you would already need their username and password or be on the same LAN as an already logged in device with a 6 character (Upper case only ASCII) entered.

The risk is extremely low and is not a concern for most users. I expect that there is ratelimitting.

CC: @Crazedbrick1

11 Likes

WOOO IT"S OUT!!! Thank you roblox!

2 Likes

Finally released, thank you ROBLOX :slight_smile:

2 Likes

As well, all is working for me.

2 Likes

Pro-tip to some of y’all: Do not make your account password the same as your email password.

You’d be surprised how many accounts out there on varying platforms mirror the same. All it takes is someone to figure that out, know your email and render this not as impactful.

Solid update.

3 Likes

This is a good step forward. Any info on the possibility of using api keys instead of the cookie to access the api. Cookie logging will still be an issue until the api is secured as well. Unless this fixes that issue as well

2 Likes

This is a great step in the quest for better account security. Although I still have some concerns, as I wish the authenticator was more like Steam’s, where you have to confirm on the mobile app whenever you do something, and it sends a push whenever someone is trying to get into your account. The problem I see is that whenever someone gets into your account, it’s often too late to take any actions.

Another concern is the underlying issue with the customer support being social engineered into giving away access to people’s accounts, until these issues are fixed, I don’t know if I will ever be able to fully sleep at night with any items of value on my account. The sad part is, people with limited items are generally ignored when they are compromised.

3 Likes

Great work rolling this out rather quickly. :slight_smile:

4 Likes

Use a proper app to backup your 2FA codes.

Authy works also in desktop, though all apps from Authy look bad and don’t work the best.

I’m currently using 2FAS. Doesn’t have a desktop app but didn’t miss it.
You can move to it from GAuthenticator pretty nicely.

Microsoft Authenticator doesn’t backup your 2FA codes fyi.

Of course, there’s the backup codes, but realistically you should be using an app that does proper backing to your cloud service anyway so that isn’t an issue. (iCloud, Drive)

2 Likes

You do know how authentication works with these, right? With this type of system you must have the code on your authentication app to log in all the time, even if you have a password. If you lose the authenticator app, then you can use the 10 backup codes given to you when you set it up. Usually you store these in a private place, so that no one can access them.

3 Likes

Thank you for this update!! Ever since like 2019 I’ve been wanting you guys to push out this update and you guys did! :smiley:

2 Likes

Umm… what? Everyone I know has had this feature for as long as I can remember.

2 Likes

Thank you for sharing the necessary information on the recent update, however, I have a question regarding this topic.

  • Is it safe to turn on both 2FA and 2SV?

Since Roblox told me a warning that I should not use 2SV while enabling 2FA, I was confused.

3 Likes