Hello everyone, if you’re not aware of what the Titan Key is, I’ve linked a video explaining it in a bit more detail. But pretty much, to sum it up, it’s a USB key that makes it so if you have the key you can insert it and log in, and if you don’t you won’t be able to log in. But if you’re on something like mobile where you don’t have a USB port, you can use Bluetooth. Now I’m here to request this become a feature, seeing as it adds an extra layer of security and Roblox already has a partnership with Google, so this could further their friendship, per se.
How it’d be used for Roblox
Now, seeing as this key costs around 50 USD from Google and Roblox is a free website, it will be an option to make it required. However, I believe this should be something where you can pair it with two-step verification, account PINs and other account safety methods.
Now, protecting your account has something overlooked 9/10 times, which is how a hacker can protect your account and prevent you from recovering it. I believe, to prevent a hacker making a key system on your account, in order to set it up you will have to do the following:
Username & password
Captcha or puzzle
Phone verification, if your phone is verified
Pretty much, this physical key will allow you to log in to your Roblox account, therefore preventing hackers for the most part. There’s not much more to it!
Multi-factor authentication is always something companies should strive for. Titan Key satisfies the authentication type “something you have”.
The current method of email 2FA, which is also a “something you have” authentication method, falls short when you realise emails can be breached.
Titan Key requires you to have a PHYSICAL key to log into your account, which is a much more secure something you have authentication method over email. The only way they’d obtain this key is to steal it from you, and then they’d still need to know your password.
SMS verification is not safe; there are many reports where a cyber criminal has been able to route message traffic to their phone and not yours.
FIDO U2F keys are pretty new and not very widely adopted - sure, it’s a great feature, but for Roblox’s specific security levels a TOTP based system (such as Authy, Google Authenticator) should definitely be sought over (if not alongside) this sort of feature, as it has far wider adoption and ease of use.
Using a $50 key to secure a Roblox account seems pretty excessive, especially when a strong password and a TOTP system would be plenty sufficient. Having both produces diminishing returns, as does using an account PIN to log in (for the same reason).
This video by Tom Scott is a good kicking off point for learning more about multi-factor authentication.
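To make the TOTP alternative discussed in the post above concrete, here is an added example (not code from the thread or from any of the apps named) of how an authenticator app and a server both compute the six- or eight-digit code: RFC 4226 HOTP (HMAC-SHA1 over a counter, dynamically truncated) with the counter derived from Unix time in 30-second steps as RFC 6238 specifies. The shared secret below is the RFC test secret, not a real enrolment; the one-step skew window in `verifyTOTP` is a common design choice, not a requirement of the RFC.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// hotp computes an RFC 4226 one-time password: HMAC-SHA1 over the big-endian
// 8-byte counter, dynamically truncated to 31 bits, reduced to `digits` digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // low nibble of the last byte picks the 4-byte window
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp (RFC 6238) is HOTP with the counter = floor(unixTime / step).
func totp(secret []byte, at time.Time, step time.Duration, digits int) string {
	counter := uint64(at.Unix()) / uint64(step/time.Second)
	return hotp(secret, counter, digits)
}

// verifyTOTP is the server-side check: accept the current step and one step either
// side to tolerate clock skew between phone and server, comparing in constant time.
func verifyTOTP(secret []byte, code string, now time.Time, step time.Duration, digits int) bool {
	for _, skew := range []time.Duration{-step, 0, step} {
		if hmac.Equal([]byte(totp(secret, now.Add(skew), step, digits)), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 test secret (ASCII "12345678901234567890"). A real enrolment uses a
	// random secret shared once, usually via QR code, and never again.
	secret := []byte("12345678901234567890")
	fmt.Println("code at T=59:", totp(secret, time.Unix(59, 0), 30*time.Second, 8)) // 94287082 per RFC 6238
	fmt.Println("code now:    ", totp(secret, time.Now(), 30*time.Second, 6))
}
```

The thing the code makes visible is why TOTP is only as strong as the secret: anyone holding the enrolment secret computes the same codes, which is the difference between this and a hardware key whose private key never leaves the device. The skew window also means a server should remember the last step it accepted for a user so the same code is not accepted twice within that window.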
So pretty much it’s optional, as I stated, but it’s there for anyone such as high-profile devs and YouTubers who get targeted a lot more.
You have to remember we’re in an age where cookie loggers and things like that exist, but they can’t exactly write some code and have a physical key appear. In theory they could duplicate it, but that’d be very hard seeing how Google encrypts their code as well as other security measures.
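Two posts above argue that a physical key is different in kind from email codes (“the only way they’d obtain this key is to steal it”) and that malware “can’t have a physical key appear”. The added example below (mine, not from the thread, Google or the FIDO specifications) models why, using the FIDO U2F authentication message layout: the device signs SHA-256(appID) || presence byte || counter || SHA-256(client data) with an ECDSA P-256 key that never leaves it, and the browser, not the web page, supplies the appID of the origin actually visited. It is a simplified model: the client data is just the server’s challenge, there is no key handle or attestation, and the appIDs (`https://roblox.example` and a second origin) are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator stands in for the key hardware. The private key is generated on the
// device and used only inside Sign; nothing exported lets it be read or copied.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // monotonic signature counter kept on the device
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is what the site stores at registration; it cannot forge assertions.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedMessage is the U2F authentication message:
// SHA-256(appID) || user-presence byte || 4-byte counter || SHA-256(client data).
func signedMessage(appID string, counter uint32, clientData []byte) []byte {
	appHash := sha256.Sum256([]byte(appID))
	cdHash := sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	h := sha256.New()
	h.Write(appHash[:])
	h.Write([]byte{0x01}) // user presence: the button was touched
	h.Write(ctr[:])
	h.Write(cdHash[:])
	return h.Sum(nil)
}

// Sign produces one assertion for the origin the browser reports; the counter advances every time.
func (a *Authenticator) Sign(appID string, clientData []byte) (uint32, []byte, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(appID, a.counter, clientData))
	return a.counter, sig, err
}

// RelyingParty is the site: registered public key, last counter seen, outstanding challenge.
type RelyingParty struct {
	appID       string
	pub         *ecdsa.PublicKey
	lastCounter uint32
	pending     []byte
}

func NewRelyingParty(appID string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{appID: appID, pub: pub}
}

// Challenge issues a fresh random nonce for one login attempt.
func (rp *RelyingParty) Challenge() []byte {
	rp.pending = make([]byte, 32)
	if _, err := rand.Read(rp.pending); err != nil {
		panic(err) // no entropy: refuse to proceed rather than issue a weak challenge
	}
	return rp.pending
}

// Verify accepts an assertion only if it answers the outstanding challenge, its counter
// is higher than any seen before (equal or lower suggests replay or a cloned key), and the
// signature verifies for THIS site's appID under the registered public key.
func (rp *RelyingParty) Verify(clientData []byte, counter uint32, sig []byte) error {
	if rp.pending == nil || !bytes.Equal(clientData, rp.pending) {
		return errors.New("challenge mismatch or already used")
	}
	if counter <= rp.lastCounter {
		return errors.New("signature counter did not advance")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(rp.appID, counter, clientData), sig) {
		return errors.New("signature not valid for this appID")
	}
	rp.pending = nil
	rp.lastCounter = counter
	return nil
}

func main() {
	key, _ := NewAuthenticator()
	site := NewRelyingParty("https://roblox.example", key.PublicKey()) // constructed appID
	ch := site.Challenge()
	ctr, sig, _ := key.Sign(site.appID, ch)
	fmt.Println("genuine login:", site.Verify(ch, ctr, sig))
	ch = site.Challenge()
	ctr, sig, _ = key.Sign("https://other-origin.example", ch) // browser was on a different origin
	fmt.Println("assertion made for another origin:", site.Verify(ch, ctr, sig))
}
```

Three defences fall out of the layout. A stolen session cookie or a leaked email code is replayable data, whereas an assertion is tied to one random challenge and one counter value, so capturing it yields nothing reusable. Because the appID comes from the browser’s view of the origin, an assertion produced while the user is on some other site does not verify at the real one. And the counter lets the site notice if a key has been cloned, since two copies cannot both keep it monotonic.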
As @plasmascreen said, $50 isn’t worth a thing that you can only use on Google’s website (AFAIK I have found no other website that uses authentication with FIDO keys).
Not to mention that when you lose the key, you permanently lose your account and the $50 used to buy the key. If more sites use it other than Google and it becomes cheaper than $50, Roblox would look into adding a FIDO key authentication system.
A temporary workaround for Roblox’s lackluster MFA system is to keep your Roblox account on a separate (say) Gmail account, and use Google’s ‘high security’ (or whatever they call it) system on that account; this means you’ll use a physical key, a strong (hopefully managed) password, and on top of it, 3rd party apps won’t be able to steal the 2SV code Roblox emails you.
So pretty much that’s why this is in #platform-feedback:website-features, because I’m requesting to have it become a thing. Also, as I said before, it’s optional, just for those of us who want to go a step further in protecting our security. Also, not really; I believe Google has a way to recover data from the old key, and you either contact them about it or possibly Roblox. Seeing as Roblox and Google are close, they could easily transfer a report if they worked together on this.