2FA via Security Keys - Now Available on Web Browsers

If I’m reading the details of the security key option, does that mean we can pass with a simple Face ID/Touch ID?

If so, that is great!!!

1 Like

Yes. You can use Apple’s passkeys as a second factor.

3 Likes

If you’re opening it on Android and clicking the last option, use your phone as a security key, that also works, or I believe you can scan a QR code but that’s annoying since in my experience for having that for Google, it requires you to scan it every time.

1 Like

True, but that doesn’t mean you can’t improve account security with more options available. :man_shrugging:

1 Like

If I sign up with this for Face ID on my phone can I also use a key on my computer?

You can have up to 5 keys on your account, so as long as you don’t have 5 phones with Face ID attached.

2 Likes

Isn’t this change completely useless if someone has your ROBLO_SECURITY token?
If someone logs into an account by using a cookie on a new IP address it should prompt the user to verify. This would resolve the vast majority of account compromises.

2 Likes

ROBLOSECURITYs are IP region based. If you try to use a ROBLOSECURITY token in a different region it’ll automatically invalidate the ROBLOSECURITY, even if you don’t have 2FA enabled. Which is a great update for most of the player base, but annoying for people who use VPNs (ik they aren’t supported on Roblox) and some developers using the old APIs.

You can read more about that announcement here:

2 Likes

Can you explain how the security USB thing works please? I don’t understand how it works.

Plug in your Yubikey, press the button, done.

1 Like

Then I would really, really love an explanation as to how people still get their accounts “beamed” by people tricking them into giving their auth tokens away. Doesn’t seem to be doing anything.
If that worked as intended, it would still not prevent people using your token in the same region as you which seems very counter-intuitive.

1 Like
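A minimal sketch of the region-bound session check discussed in the posts above, added here as an illustration and not Roblox's code: the prefix-to-region table and all class and function names are assumptions. It shows a token being revoked when it is presented from another region, and that a request from a different IP in the same region still passes, which is the gap the reply above points out.

```python
import secrets

# Constructed prefix -> region table standing in for a real GeoIP lookup
# (documentation address ranges, not real clients).
REGIONS = {"203.0.113.": "EU", "198.51.100.": "US"}


def region_of(ip):
    """Map an IP address to a coarse region; unknown prefixes get their own bucket."""
    for prefix, region in REGIONS.items():
        if ip.startswith(prefix):
            return region
    return "UNKNOWN"


class SessionStore:
    """Hypothetical server-side session table that binds each token to a region."""

    def __init__(self):
        self._sessions = {}  # token -> (user, region recorded at issuance)

    def issue(self, user, ip):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, region_of(ip))
        return token

    def validate(self, token, ip):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, bound_region = entry
        if region_of(ip) != bound_region:
            # Revoke instead of only rejecting, so the token is dead everywhere
            # and the legitimate user has to sign in (and pass 2FA) again.
            del self._sessions[token]
            return None
        return user


def demo():
    store = SessionStore()
    token = store.issue("alice", "203.0.113.10")
    same_region = store.validate(token, "203.0.113.77")   # other IP, same region
    other_region = store.validate(token, "198.51.100.5")  # region mismatch: revoked
    after_revoke = store.validate(token, "203.0.113.10")  # original client is logged out
    return same_region, other_region, after_revoke


if __name__ == "__main__":
    print(demo())
```

Because the check only compares regions, it limits where a copied token can be used but cannot tell two clients in the same region apart.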

Well this shouldn’t be the case,

1 Like

If someone were to click a link on Discord, it would look like this. So I doubt you’d fall for it.
image

Amazing work by Roblox again!

This probably could stop most of the intruders. The evolution of Roblox account security of the last 5 years has been tremendous. Thanks again!

1 Like

More important than which YubiKey you get (for which you should definitely see railworks2’s reply), make sure you get two of them. Use one as your daily driver, and keep another at a safe location.

I often recommend you get two different ones, for both increased hardware compatibility (such as a USB-A + a USB-C one). Make sure you don’t forget to add them both to whatever website / app you’re signing up for!

9 Likes

This is amazing! Glad to see that there’s more secure options now. :heart:

1 Like

Finally something that will protect accounts.

It’s a nice security system ngl, but the cookie called .ROBLOSECURITY still exists; while that exists it’s kinda impossible to get the account safer…

1 Like

It sort of has to exist, otherwise you’d get logged out clicking nearly anything on the Roblox website.

that’s not enough with a key even if someone knows your password they can’t login oh and you can still be hacked with the authenticator

1 Like