We are pleased to announce that 2FA via Security Keys is now available as a 2-Step Verification method on Web browsers. Security keys are some of the most secure second-factor methods. To start using Security Keys, you’ll need to enable Authenticator 2FA.
This feature adds an additional layer of protection to your account which will better protect it from unauthorized access even when someone knows your password. When you attempt to log in, you’ll have the option to verify your login via a physical security key or any FIDO2-compliant method (like Face ID or fingerprint scanners).
What are Security Keys?
A Security Key is any authentication device that implements the FIDO2 standard. This can be a physical, USB-based key such as a YubiKey or a system managed by your device hardware like biometric authentication. The types of security keys available to you will depend on your Web browser and operating system.
Why do I need to enable Authenticator to use Security Keys?
Security keys are currently only supported on Web browsers. Additionally, the type of Security Key that you choose to set up on one device or browser may not be supported on every device that you try to log in with. Because of this, security keys are presented as a secondary method so that you always have the ability to pass 2FA on a broader set of platforms.
When will Security Keys be available on all platforms?
We plan to provide support for all platforms aside from Xbox during 2023. Xbox will not directly support Security Keys, but you will be able to use Cross-Device Login to access your account from Xbox if 2-Step Verification is required.
I was about to bump an old topic on this, and to my absolute surprise it turned out this post was published just minutes ago. Thank you for giving us another layer of security, really looking forward to this!
I’m not sure of the details security-wise how this compares to authenticator, as I’m able to use my phone as a built-in security key, like if this is specifically not tied to my phone number so SIM swapping isn’t likely an issue? Tried it, it works nicely (no more numbers each time!) and I can use my authenticator as a side option too, which is nice in the event I have issues with this.
Your phone’s security key shouldn’t be associated with your phone’s SIM. However, I do suggest you look up how your phone works with the WebAuthn standard.
I absolutely love this, it’s something that should have been here ages ago but I’m glad it’s here now. If you have the ability to use it, you absolutely should.
However I do have some concerns over wording:
Classifying both auth app and U2F as “very secure” doesn’t feel like the right wording. They are both secure but U2F is an entirely different level of security. Defining email as secure is also very interesting.
It is good that ROBLOX is taking developer security more seriously, an excellent addition which will prevent a much wider range of attacks that covers regular app 2FA’s shortfalls. Thanks ROBLOX!
Awesome update, by a security one of the very secure, like Authenticator those are new security keys and other things devices as such will be great update of layer security.
I know that a few developers have been asking for this for some time and I’ve been wanting to try it out as well. I didn’t really understand how a hardware key could work but it sounds more simple and convenient than I thought, plus I’m really liking the sound of it being more secure than current options. Just better hope that I don’t damage that key and keep it real safe…