2FA via Security Keys - Now Available on Web Browsers

Hey developers!

We are pleased to announce that 2FA via Security Keys is now available as a 2-Step Verification method on Web browsers. Security keys are some of the most secure second-factor methods. To start using Security Keys, you’ll need to enable Authenticator 2FA.

This feature adds an additional layer of protection to your account which will better protect it from unauthorized access even when someone knows your password. When you attempt to log in, you’ll have the option to verify your login via a physical security key or any FIDO2-compliant method (like FaceID or fingerprint scanners).

What are Security Keys?

A Security Key is any authentication device that implements the FIDO2 standard. This can be a physical, USB-based key such as a YubiKey or a system managed by your device hardware like biometric authentication. The types of security keys available to you will depend on your Web browser and operating system.

Why do I need to enable Authenticator to use Security Keys?

Security keys are currently only supported on Web browsers. Additionally, the type of Security Key that you choose to set up on one device or browser may not be supported on every device that you try to log in with. Because of this, security keys are presented as a secondary method so that you always have the ability to pass 2FA on a broader set of platforms.

When will Security Keys be available on all platforms?

We plan to provide support for all platforms aside from Xbox during 2023. Xbox will not directly support Security Keys, but you will be able to use Cross-Device Login to access your account from Xbox if the 2-Step Verification is required.

How to enable Security Keys

  1. Log into your Roblox account.

  2. Enable Authenticator 2FA if you haven’t already.

    Please note: Deactivating Authenticator 2FA or enabling another 2SV method will also deactivate the Security Key 2FA.

  3. Go to Account Settings > Security and toggle on Security Keys.

  4. Choose the security method you would like to use from the interface your web browser provides.

    The method you choose may be specific to your browser or operating system. The following examples use Google Chrome on Windows 10.

  5. Follow the prompts provided by your browser to verify the Security Key.

  6. Provide a nickname for your key that will allow you to remember which key you used (in case you have multiple keys).

  7. Security Key 2FA is now enabled. You may choose to add another key or close the window.

  8. The next time you log in, you’ll be able to use your Security Key to pass 2-Step Verification.

How to Log In with 2FA Security Keys

  1. Log into your account with your email/phone number/username and password.

  2. Click the Verify button to open your web browser’s Security Key interface.

  3. Choose the method that you used to set up your Security Key.

  4. Follow the instructions provided by your browser to verify the Security Key.

  5. If you don’t have your Security Key with you or would like to use another method, click Use another verification method.

    You can then use your Authenticator app instead, or use your recovery codes to log in if you have lost access to your Authenticator app.

Please let us know if you have any questions or concerns.

Thank you.

254 Likes

I’m really looking forward to this!

11 Likes

I was about to bump an old topic on this, and to my absolute surprise it turned out this post has been published just minutes ago. Thank you for giving us another layer of security, really looking forward to this!

12 Likes

Great to see you guys work on more security methods for accounts. Hope to see the account stealing get to an end soon.

6 Likes

As long as this is just a layer of security and is not a way to use your security 2FA this will be a great security update.

7 Likes

I’m not sure of the details security wise how this compares to authenticator, as I’m able to use my phone as a built-in security key, like if this is specifically not tied to my phone number so sim swapping isn’t likely an issue? Tried it, it works nicely (no more numbers each time!) and I can use my authenticator as a side option too which is nice in the event I have issues with this.

6 Likes

This is an awesome security update. I just used mine and it works perfectly. Are there plans to add support for other devices (with the security key)?

8 Likes

Yes, there are other methods if you don’t have your key, says it right here.

4 Likes

If you mean using it on other platforms then right here should answer it.

3 Likes

I am so happy about this update, by a coincidence I ordered two new security keys for other projects a few days ago, I can now add another site!!!

Thanks Roblox 🙂

4 Likes

Your phone’s security key shouldn’t be associated with your phone’s SIM. However, I do suggest you look up how your phone works with the WebAuthn standard.

2 Likes

I absolutely love this, it’s something that should have been here ages ago but I’m glad it’s here now. If you have the ability to use it, you absolutely should.


However I do have some concerns over wording:

Classifying both auth app and U2F as “very secure” doesn’t feel like the right wording. They are both secure but U2F is an entirely different level of security. Defining email as secure is also very interesting.

I would have personally gone with:

  • Email: Good
  • App: Better
  • U2F: Best

14 Likes

I’ve waited for this so long and I’m glad that you finally support security keys!
Still hope that other platforms follow…

3 Likes

It is good that ROBLOX is taking developer security more seriously, an excellent addition which will prevent a much wider range of attacks that covers regular app 2FA’s shortfalls. Thanks ROBLOX!

2 Likes

Awesome! I honestly can’t believe how on this large of a platform this wasn’t added sooner, but hey it’s here now so I can’t really complain. Nice job 👍

1 Like

Awesome update, by a security one of the very secure, like Authenticator those are new security keys and other things devices as such will be great update of layer security.

3 Likes

I know that a few developers have been asking for this for some time and I’ve been wanting to try it out as well. I didn’t really understand how a hardware key could work but it sounds more simple and convenient than I thought, plus I’m really liking the sound of it being more secure than current options. Just better hope that I don’t damage that key and keep it real safe…

Any recommendations on which Yubikey to get?

4 Likes

Physical keys are better since you physically have to have it to log in. Only way to get past it would be the Roblox support social engineering method

2 Likes