As a Roblox developer, it is currently too hard (actually impossible) to place limits on the location of a login session.
Recently I fell victim to social engineering, resulting in a bad actor gaining unauthorized access to my Roblox account, bypassing authenticator-app-based 2FA as well as Account Session Protection. How exactly they accomplished this is unknown to me, however, so I am quite bewildered by the incident. You can read more about my incident and pain point at this topic: Is it possible to limit sessions to your own country? - Help and Feedback / Platform Usage Support - Developer Forum | Roblox.
Regardless of their method, this could have been easily avoided. How? By limiting the locations from which a Roblox account can be accessed. However, Roblox does not offer such a feature.
As such, today I am writing to propose a new layer of security on Roblox: the ability to limit the locations from which a Roblox account can be accessed. Imagine that your security settings now include an optional setting that lets you restrict where your account can be accessed from. It could be based on city and country, or on country alone. I am aware that Roblox cannot always recognize locations accurately on a fine-grained scale, so country-based whitelisting would likely be the better option. Country-only whitelisting would also suit the many people who travel around within the same country.
Like any 2FA, this comes with a risk that whoever enables the feature has to accept. Consider the case where the user travels to a location they did not whitelist. That is the risk (in other words, a 2FA lockout), and the user accepted it when enabling the feature. To avoid it, whitelisting should be done before travelling. This case should not block the feature's implementation, however, since a user can likewise be locked out of SMS-based 2FA by changing phone number, or out of authenticator-app 2FA by getting a new smartphone or deleting the authenticator app without migrating its codes. Users should be warned of this risk before they can enable the feature. As always, if things do go wrong, backup codes could save the day.
If this issue were to be addressed, it would significantly decrease the risk of my Roblox account being compromised. In my experience, I recently had bad actors breach my account from Moscow, Russia, as well as from a town in North Carolina, USA. I neither live near nor remotely access my Roblox account from anywhere near such locations.
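To show how the proposed setting could behave server-side, here is an added example (my own illustration, not Roblox code) of a country allowlist that gates a session after password and 2FA have already succeeded, refuses to be enabled with an empty allowlist so users cannot lock themselves out immediately, fails closed when the session's country cannot be determined, and accepts single-use backup codes for recovery. The country code is assumed to come from Roblox's own server-side IP geolocation; the allowlist and backup codes below are constructed values.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class GeoPolicy:
    """Hypothetical model of the proposed per-account setting."""
    enabled: bool = False
    allowed_countries: set = field(default_factory=set)   # ISO 3166-1 alpha-2 codes
    backup_code_hashes: set = field(default_factory=set)  # one-time codes, stored hashed


def _hash_code(code: str) -> str:
    # Normalise so a code typed in lower case still matches.
    return hashlib.sha256(code.strip().upper().encode()).hexdigest()


def enable_policy(policy: GeoPolicy, countries, n_backup: int = 4):
    """Enable the restriction and issue backup codes (shown once, stored only as hashes)."""
    if not countries:
        raise ValueError("whitelist at least one country before enabling (prevents self-lockout)")
    policy.allowed_countries = {c.upper() for c in countries}
    codes = [secrets.token_hex(4).upper() for _ in range(n_backup)]
    policy.backup_code_hashes = {_hash_code(c) for c in codes}
    policy.enabled = True
    return codes  # display to the user once, like existing 2FA backup codes


def evaluate_session(policy: GeoPolicy, session_country, backup_code=None):
    """Decide whether a freshly authenticated session may proceed. Returns (allowed, reason).
    This is an extra gate after password + 2FA, not a replacement for them."""
    if not policy.enabled:
        return True, "geo restriction disabled"
    if session_country and session_country.upper() in policy.allowed_countries:
        return True, "country whitelisted"
    if backup_code is not None:
        h = _hash_code(backup_code)
        if h in policy.backup_code_hashes:
            policy.backup_code_hashes.discard(h)  # single use: a stolen code cannot be replayed
            return True, "recovered with backup code"
        return False, "invalid backup code"
    # Unknown geolocation is treated as not whitelisted (fail closed).
    return False, f"session from {session_country or 'unknown'} is not whitelisted"
```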