Lol I feel so stupid, sometimes I think I’m blind honestly.
Yeah. I don’t forget my phone though.
Yeah, me neither, but there are some people, you never know. And after all, this update isn’t forced; it’s just another feature to add onto the current security features.
Is it recommended to not use your phone number because of the whole SIM swapping issue? In fact, I think that might be how I got hacked, because when I got hacked I had a complex pass, 2FA, a PIN and email verified, and I never clicked on any links or anything. I was just hacked just like that, and all my group funds and items were gone within minutes…
In general a physical key is required to complete authentication. You may find it stupid but my threat model is not your threat model.
They represent a level of security above auth apps, primarily that there is reduced attack surface from an entire OS as well as not requiring a battery to get codes from.
For those who are high risk, this is a vital tool in their security arsenal to minimise the risks associated with these direct attacks against their accounts.
When Google gave U2F security keys to all their employees, phishing related attacks dropped to 0.
Even without that, I strongly urge you to read this paper from Google which showed the effectiveness of U2F, such as reduced auth time, reduced support tickets.
It is what I and much of the community have demanded; just because it’s not for you doesn’t make it a bad update.
If you’re not sure, complete this quiz from Yubico (the company behind Yubikey)
YubiKey 5 NFC or YubiKey 5C NFC are generally a good first option, depending on if you want USB A or USB C connectors.
If I’m reading the details of the security key option, does that mean we can pass with a simple Face ID/Touch ID?
If so, that is great!!!
Yes. You can use Apple’s passkeys as a second factor.
If you’re opening it on Android and clicking the last option, use your phone as a security key, that also works, or I believe you can scan a QR code but that’s annoying since in my experience for having that for Google, it requires you to scan it every time.
True, but that doesn’t mean you can’t improve account security with more options available.
If I sign up with this for Face ID on my phone can I also use a key on my computer?
You can have up to 5 keys on your account, so as long as you don’t have 5 phones with faceID attached.
Isn’t this change completely useless if someone has your ROBLOSECURITY token?
If someone logs into an account by using a cookie on a new IP address it should prompt the user to verify. This would resolve the vast majority of account compromises.
ROBLOSECURITYs are IP region based. If you try to use a ROBLOSECURITY token in a different region it’ll automatically invalidate the ROBLOSECURITY, even if you don’t have 2FA enabled. Which is a great update for most of the player base, but annoying for people who use VPNs (ik they aren’t supported on Roblox) and some developers using the old APIs.
You can read more about that announcement here:
Can you explain how the security USB thing works please? I don’t understand how it works.
Plug in your Yubikey, press the button, done.
Then I would really, really love an explanation as to how people still get their accounts “beamed” by people tricking them into giving their auth tokens away. Doesn’t seem to be doing anything.
If that worked as intended, it would still not prevent people using your token in the same region as you which seems very counter-intuitive.
Well this shouldn’t be the case,
If someone were to click a link on Discord, it would look like this. So I doubt you’d fall for it.
Amazing work by Roblox again!
This probably could stop most of the intruders. The evolution of Roblox account security of the last 5 years has been tremendous. Thanks again!