Allow the Titan key for logins

Intro

Hello everyone, if you’re not aware of what the Titan Key is, I’ve linked a video explaining it in a bit more detail. But pretty much, to sum it up, it’s a USB key that makes it so if you have the key you can insert it and log in, and if you don’t you won’t be able to log in. But if you’re on something like mobile where you don’t have a USB port, you can use Bluetooth. Now I’m here to request this become a feature, seeing as it adds an extra layer of security and Roblox already has a partnership with Google, which this one could further their friendship, per se.


How it’d be used for Roblox

Activation

Now, seeing as this key costs around 50 USD from Google and Roblox is a free website, it will be an option to make it required. However, I believe this should be something where you can pair it with two-step verification, account PINs and other account safety methods.

Protection

Now, protecting your account has something overlooked 9/10 times, which is how a hacker can protect your account and prevent you from recovering it. I believe, to prevent a hacker making a key system on your account, in order to set up your account you will have to do the following.

  • Username & Password.
  • Captcha or Puzzle.
  • Account PIN.
  • Email Verification.
  • Phone Verification if your phone is verified.

Summary

Pretty much this physical key will allow you to log in to your Roblox account, therefore preventing hackers for the most part. There’s not much more to it!

36 Likes

Multi-Factor Authentication is always something companies should strive for. Titan Key suffices the authentication type “Something you have”.

The current method of email 2FA, which is also a Something You Have authentication method, falls short when you realise emails can be breached.

Titan Key requires you to have a PHYSICAL key to log into your account, which is a much more secure something you have authentication method over email. The only way they’d obtain this key is to steal it from you, and then they’d still need to know your password.

ps:

SMS verification is not safe, there are many reports where a cyber criminal has been able to route message traffic to their phone and not yours.

9 Likes

This may be one of the best ideas posted to this forum. Think of all the problems that could have been prevented if this was implemented years ago.

7 Likes

FIDO U2F keys are pretty new and not very widely adopted - sure, it’s a great feature, but for Roblox’s specific security levels a TOTP-based system (such as Authy, Google Authenticator) should definitely be sought over (if not alongside) this sort of feature, as it has far wider adoption and ease of use.

8 Likes

Using $50 to secure a Roblox account seems pretty excessive, especially when a strong password and a TOTP system would be plenty sufficient. Having both produces diminishing returns, as does using an account PIN to log in (for the same reason).

This video by Tom Scott is a good kicking off point for learning more about multi-factor authentication.

2 Likes

So pretty much it’s optional as I stated but it’s there for anyone such as high profile Devs and YouTubers who get targeted a lot more.

You have to remember we’re in an age where cookie loggers and things like that exist, but they can’t exactly write some code and have a physical key appear. In theory they could duplicate it, but that’d be very hard seeing how Google encrypts their code as well as other security measures.

4 Likes

Yeah, we also live in an age where I can post my password on the Scripting Help category. The trick is to have some common sense and not be stupid with security.

This whole reply just convinces me you don’t know what you’re talking about when it comes to web security.

2 Likes

As @plasmascreen said, $50 isn’t worth a thing that you can only use on Google’s website (AFAIK I have found no other website that uses authentication with FIDO keys).
Not to mention that when you lose the key, you permanently lose your account and the $50 used to buy the key. If more sites use it other than Google and it becomes cheaper than $50, Roblox would look into adding a FIDO key authentication system.

1 Like

You only need to make $300 a month (a pretty low-end income that even mid-tier contractors can make) for that $50 key to be worth it to protect your $300 a month from being breached.

The technology is very new and created by Google, it can be used on other websites, it’s just not a lot of them have gotten around to it.

No you don’t, there are recovery methods but they are designed specially to prevent cybercriminals and social engineering attacks. Please do not speak on topics you have no merit discussing.

9 Likes

A temporary workaround for Roblox’s lackluster MFA system is to keep your Roblox account on a separate (say) Gmail account, and use Google’s ‘high security’ (or whatever they call it) system on that account; this means you’ll use a physical key, strong (hopefully managed) password, and on top of it, 3rd party apps won’t be able to steal the 2SV code Roblox emails you.

2 Likes

So pretty much that’s why this is in #platform-feedback:website-features, because I’m requesting to have it become a thing. Also, as I said before, it’s optional. Just for those of us who want to go a step further in protecting our security. Also, not really, I believe Google has a way to recover data from the old key and you either contact them about it or possibly Roblox. Seeing as Roblox and Google are close, they could easily transfer a report if they worked together on this.

2 Likes

Hi there,

I’m going to cut this early. This is already in the pipeline (in some form) and we already have an engineer answer for TOTP and U2F (the standard behind Yubikey and Titan keys).

6 Likes