This is a module for generating and verifying time-based one-time passwords (TOTP) in Roblox games. Fully compatible with standard authenticator apps like Google Authenticator, Authy, and Microsoft Authenticator.
⚠️ Place the TOTP module script in ServerScriptService and wait until it parents itself to ReplicatedStorage before using it.
Use this code to validate TOTP codes on the server.
-- Server
local ReplicatedStorage = game:GetService('ReplicatedStorage')
local TOTP = require(ReplicatedStorage:WaitForChild('TOTP'))

ReplicatedStorage.AcceptTrade.OnServerInvoke = function(Player: Player, TradeID: string, TOTPCode: string)
    -- Validate TOTP
    if (not TOTP:Validate(Player, TOTPCode)) then
        return false, 'Invalid TOTP'
    end

    -- Process trade
    -- TradeModule:ProcessTrade(TradeID)
    return true
end
Use this code to generate a new QR code for a player to scan. Once the player scans the QR code and confirms the 6-digit TOTP, the QR code will never be exposed to the player again.
-- Client
local ReplicatedStorage = game:GetService('ReplicatedStorage')
local TOTP = require(ReplicatedStorage:WaitForChild('TOTP'))

local QRFrame = script.Parent.QR
local ResetButton = script.Parent.Reset
local IsResetBusy = false

ResetButton.Activated:Connect(function()
    if (IsResetBusy) then return end
    IsResetBusy = true

    -- Attempt reset
    local Success, Response = TOTP:Reset()
    if (Success) then
        -- Show new QR code
        local URI = Response
        TOTP:GenerateQR(URI, QRFrame)
    else
        warn(`Failed to reset TOTP, {Response}`)
    end

    IsResetBusy = false
end)
Use this code to show the built-in UI.
-- Client
local ReplicatedStorage = game:GetService('ReplicatedStorage')
local TOTP = require(ReplicatedStorage:WaitForChild('TOTP'))

local TOTPButton = script.Parent.TOTP

TOTPButton.Activated:Connect(function()
    TOTP:ToggleGenerator()
end)
Based on my warning from a barcode on an image, this is probably going to get banned for off-site links. And no it does not matter if it’s fake since I used a fake barcode and they rejected my warning appeal.
QR codes are just a matrix of bits, which can represent pretty much any datatype: number, string, URL, even a full-on game, if you compress it enough (there is a YouTube video about writing game source code so small that it fits inside the biggest QR code standard).
Bits and binary overall are not made to be human readable, thus humans cannot say if a QR code is a URL, a number, or anything else. That would allow inserting malicious content into a QR code, such as a link, and well, doing malicious things to the end user's device.
Right, not all QR codes are links. But this one is! It’s a URI that starts with otpauth://totp/. There’s also a pretty well known protocol called https:// and both of these are the beginning of links, hence why the model got taken down.
Admins for games could be forced to register 2FA so that if their account gets stolen from them the bad actor can’t do anything within the experience itself so long as they haven’t got site-wide edit access.
Congratulations, you have made a rather unique project. I won’t comment on the TOS aspect of this since it doesn’t concern me, neither do I know the answer without scanning documents. Since you did the work, I’m sure you researched policy guidelines beforehand.
I wouldn’t say this would be that useful for games, however I think it’s a cool project to showcase. Not every resource needs to be widely used; I enjoy the art of unique creations. Great job!