Roblox currently has a huge social engineering issue: anybody with any of your old emails or billing information can contact Roblox support under your name and use that as an attack vector to compromise your accounts multiple times, and there's nothing you can do about it unless you have a direct relationship with Roblox staff.
This has the potential to be a huge problem on Roblox. We've seen developers and star creators get targeted and compromised through this method before (I'm a current victim of this method and luckily have a direct line with Roblox staff to help me with this issue; others are not so fortunate, however), and there's no way you would have any idea what happened to your account, as it's all done completely silently with no notifications sent to you.
My proposal as a potential solution to this major security issue is to allow DevEx portal members and star creators to set up a Roblox support passcode. This passcode would have to be given to Roblox support to verify your identity, along with the usual details needed for verification. Roblox support would not be able to modify or view any of your account details unless you provide them this passcode. Ideally support members would not be able to see the passcode either, to prevent them from giving any hints to someone fraudulently attempting to verify your identity by guessing the passcode, removing any possible human error.
The only way you would be able to create, modify, or remove a Roblox support passcode is by supplying Roblox with your government-issued ID and selfie. This would prevent anyone who compromised your account by other means from setting up a passcode themselves, and it is the reason I said DevEx portal members/star creators: Roblox already has our ID on file.
As much as I like Roblox pushing for proper 2-factor authentication, it ultimately won't matter if someone can go through support and disable it altogether silently. Implementing a support passcode or something similar for high-value targets would be a step in the right direction for proper account security and would close off a very viable attack vector that bypasses any form of 2-factor authentication.
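To make the proposal concrete from the defender's side, here is an added example (not part of the original post, and not Roblox's real code or API) of how a support passcode could be modelled on the backend: the passcode is stored only as a salted hash so support staff can never read it, the support-side check only answers yes/no with a constant-time comparison, repeated failures lock the gate, creating/changing/removing the passcode requires a prior identity-verification flag (standing in for the government ID + selfie step), and every decision is appended to an event log that would drive the user notifications the post says are missing today. The `Account` record, the `id_verified` flag and the event names are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of the "support passcode" idea. Assumed for this example:
# an account record, an id_verified flag set by a separate ID+selfie review,
# and an event list that a real system would turn into user notifications.

MAX_FAILED_ATTEMPTS = 3  # lock the support gate after this many misses


@dataclass
class Account:
    user_id: int
    passcode_salt: Optional[bytes] = None
    passcode_hash: Optional[bytes] = None   # only a hash is ever stored
    failed_attempts: int = 0
    events: list = field(default_factory=list)


def _hash_passcode(passcode: str, salt: bytes) -> bytes:
    # Slow, salted hash: a leaked database does not yield the passcode.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 200_000, dklen=32)


def set_support_passcode(acct: Account, new_passcode: Optional[str], id_verified: bool) -> bool:
    """Create, change or remove the passcode. Allowed only after the
    government-ID + selfie check (modelled here as the id_verified flag),
    so an attacker who got in some other way cannot plant their own."""
    if not id_verified:
        acct.events.append(("passcode_change_denied", "identity not verified"))
        return False
    if new_passcode is None:
        acct.passcode_salt = None
        acct.passcode_hash = None
        acct.events.append(("passcode_removed", None))
        return True
    salt = os.urandom(16)
    acct.passcode_salt = salt
    acct.passcode_hash = _hash_passcode(new_passcode, salt)
    acct.failed_attempts = 0
    acct.events.append(("passcode_set", None))
    return True


def support_can_act(acct: Account, supplied_passcode: Optional[str]) -> bool:
    """Gate for a support agent: the agent forwards what the requester typed
    and gets back only yes/no. The hash is never exposed, so an agent cannot
    hint at the passcode even by accident."""
    if acct.passcode_hash is None or acct.passcode_salt is None:
        # No passcode configured: fall back to the usual verification
        # (out of scope here, represented by allowing the request).
        acct.events.append(("support_access", "no passcode configured"))
        return True
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.events.append(("support_access_locked", "too many failed passcode attempts"))
        return False
    candidate = _hash_passcode(supplied_passcode or "", acct.passcode_salt)
    ok = hmac.compare_digest(candidate, acct.passcode_hash)  # constant-time compare
    if ok:
        acct.failed_attempts = 0
        acct.events.append(("support_access_granted", None))
    else:
        acct.failed_attempts += 1
        acct.events.append(("support_access_denied", "passcode mismatch"))
    return ok


def event_kinds(acct: Account) -> list:
    """Names of logged events, in order; a real system would notify the user on each."""
    return [kind for kind, _ in acct.events]


if __name__ == "__main__":
    # Constructed walk-through of the flow described above.
    acct = Account(user_id=12345)
    print(set_support_passcode(acct, "correct horse", id_verified=False))  # denied
    print(set_support_passcode(acct, "correct horse", id_verified=True))   # set
    print(support_can_act(acct, "guess"))          # denied
    print(support_can_act(acct, "correct horse"))  # granted
    print(event_kinds(acct))
```

The two properties worth copying from this sketch are that the support path can only ask "does this match?" and never "what is it?", and that the enrolment path is tied to a stronger check than the support path itself, so the passcode cannot be set up or reset through the very channel it is meant to protect.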