2FA via Hardware Security Keys - Available on Android

Hi Creators,

We are excited to announce a major security enhancement for our platform: Hardware Security Key support is now officially available on Android devices.

Previously, users were limited in how they could secure their accounts on mobile, as hardware security keys (like YubiKeys or Titan keys) were not supported on our Android app. With this update, we are closing that gap and providing you with the highest level of account protection available. This also brings our Android experience in line with our Web browser and iOS offerings, ensuring a seamless security workflow across all devices.

What’s New?

  • FIDO2/WebAuthn Support: Users can now use USB-C or NFC-enabled hardware security keys to sign in to their accounts via Android.
  • Reduced Phishing Risk: By enabling hardware-backed authentication, we are protecting you from sophisticated phishing attacks.

Why This Matters for Creators

As a creator on our platform, account security is paramount. This update allows you to:

  1. Secure your own credentials using industry-standard hardware.
  2. Recommend better security hygiene to your collaborators and team members who work on the go.

How to Get Started

To use a hardware security key, ensure your app is updated to the latest version. Users can manage their keys under Account Settings > Security > Two-Factor Authentication.

For more information or tips on how to keep your account safe, visit our Help Center.

We’re committed to making our platform the most secure place for creators to build. Let us know if you have any questions or feedback in the comments below!

70 Likes

I finally have an excuse to open my USB-C key! :smiley:


@chunkobowser Out of curiosity, why is there a limit of 5 security keys allowed per account? I don’t see myself hitting this limit for practicality reasons, but I am a bit curious about the reasoning behind that limit.

21 Likes

good update, if only you made more updates like this

ahem ahem..
Age Check Requirement to Chat Now Live Globally - Updates / Announcements - Developer Forum | Roblox

15 Likes

cool update, it’s always nice to provide users with better 2fa methods

2 Likes

We started with 5 security keys based on the needs of our initial test users and the user overhead to keep track of many security keys, but it’s a number we’re open to revisit based on feedback!

11 Likes

good update, better avatar

1 Like

With this new change, will Authenticator App-based 2FA still be required to use keys? Right now, keys seem to only be supported for convenience instead of security reasons.

1 Like

I asked the account security team about this at RDC, really cool that this is out now!! Great work on this!

2 Likes

As of now, authenticator will still be required to set up security keys in case you lose access to your security key.

1 Like

“As of now”? You added keys to Web in Oct 2022. It is now 2026.

We’ve been waiting over 3 years to actually secure our accounts. At this rate, is it going to take another 3 years before we can finally disable the App?

Until we can turn it off, this update is purely for convenience, not security. It saves us from typing a code, but it doesn’t stop us from getting phished.

CISA explicitly classifies Authenticator Apps as “Vulnerable to phishing” (Page 2, Table 1): https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf

By forcing us to keep the vulnerable method active for 3+ years, you’re just giving us a false sense of security.

12 Likes
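An added example, not part of the thread or of the platform's code: it contrasts what a server can verify for an authenticator-app code with the site-binding checks a WebAuthn relying party makes, which is the distinction the post above turns on. The domain names, secret, challenge and the `browser_assertion` stand-in are constructed, and it assumes the authenticator code is still accepted at sign-in.

```python
import hashlib, hmac, json, struct

RP_ID = "example.test"                    # placeholder relying-party ID
EXPECTED_ORIGIN = "https://example.test"  # placeholder origin of the real site

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, submitted: str, t: int) -> bool:
    # The server sees digits only; nothing records which page the user typed them into.
    return hmac.compare_digest(totp(secret, t), submitted)

def browser_assertion(page_origin: str, rp_id: str, challenge: str):
    """Constructed stand-in for browser + key output. The browser, not the user,
    writes the origin; authenticator data starts with SHA-256(rpId)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    return client_data, auth_data

def server_accepts_assertion(client_data: bytes, auth_data: bytes, challenge: str) -> bool:
    """Site-binding checks a WebAuthn relying party performs. Signature
    verification is left out; the signature covers these same bytes."""
    cd = json.loads(client_data)
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == challenge
            and cd.get("origin") == EXPECTED_ORIGIN
            and hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()))

def account_is_phishing_resistant(enabled_methods: set) -> bool:
    # An account is as strong as the weakest second factor it still accepts.
    return bool(enabled_methods) and enabled_methods <= {"security_key"}

def demo():
    secret, now, chal = b"constructed-secret", 1_700_000_000, "Y29uc3RydWN0ZWQ"
    typed_elsewhere = totp(secret, now)  # code entered on a look-alike page, then forwarded
    look_alike = browser_assertion("https://examp1e.test", "examp1e.test", chal)
    genuine = browser_assertion(EXPECTED_ORIGIN, RP_ID, chal)
    return (server_accepts_totp(secret, typed_elsewhere, now),
            server_accepts_assertion(*look_alike, chal),
            server_accepts_assertion(*genuine, chal))

if __name__ == "__main__":
    print(demo())  # (forwarded TOTP accepted, look-alike assertion accepted, genuine accepted)
```
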

Thanks, I really hope we can see more updates like this.

3 Likes

The risk is no different when you lose access to your authenticator app. For this exact reason you get yourself a second security key.

1 Like

This is cool. Will PIN support ever be brought back? For instance, PIN support used to be a family thing, but was used as another security feature, as if Robux is used a PIN confirmation is required. Or if Settings are changed, a PIN confirmation is also required. It was very useful.

1 Like

Freedom and Safety coherently is not possible. We either have restrictions to secure the platform MORE (Not entirely, because nothing is perfect), or we have safety risks with more freedom.

I’m tired of people finding reasons to complain about everything. Just accept that Roblox is trying and give more helpful feedback elsewhere.

People will always find a way to do wrong… It’s inevitable

(And yes I’m aware that this made it easier for older men/women to talk to minors… But with all honesty, what is Roblox supposed to do? Give pedophiles chatting permissions back, and say “at least we tried”?)

When you give up privacy for safety, you ultimately end up having neither of them. Tethering online accounts to a real identity does NOTHING to protect anyone. It does not prove they are not a threat, nor does it stop the people it is actually supposed to stop. It only harms honest people while giving dishonest people and predators a menu to select from of what age ranges they want.

Roblox is supposed to actually invest in significantly improving the very systems that can actually make a difference: their automated systems for real-time detection of predators and bad actors as well as making their reporting systems actually effective so that the aftermath can be properly handled.

That entire age verification update still depends on the same laughably bad moderation systems that got Roblox in this entire predicament to begin with to detect when someone has faked their age, and by the time it does detect that, the predator will have already groomed their targets and led them off platform thereby defeating the entire point.

2 Likes

Finally a good update. Now I can secure my account on my Android tablet!