Enhanced Account Verification to Combat Exploitation on Roblox

I’m not sure what your proposal is then; you first suggested I use this feature to catch these farmed accounts but are suggesting that I don’t use it as well? I’m confused. There are no competitive game modes; I have an open-world ant survival game.

If Roblox has the ability to and refuses to do anything in order to look better to shareholders, this is unethical and a big issue to me, as they are purposefully sabotaging their player experiences for the sake of a higher account number.

I’m struggling to see how sustaining a game on Roblox is feasible. Here’s the dilemma:

Players discover a game they enjoy and think, “I want to exploit this to gain currency” or whatever their motivation might be.

The anti-cheat system detects this behavior and bans the player. Normally, they would move on and find a new game. However, that’s not the case here because they can simply create/obtain a new account and repeatedly test the anti-cheat system until they find a way to bypass it.

In my case, it becomes an even greater issue when they decide to freely outsource their cheat; this happens in every single Roblox game.

1 Like

I don’t think the answer to fixing this issue is preventing people who cannot verify from accessing the entire platform and playing their favorite games. Exploiters will just buy alts with pre-verified emails.

Just curious, what is your game about and how are these exploiters ruining the experience for other players? About how many exploiters/alts do you notice a day?

I’ve spent the past year learning how to prevent exploits. I have implemented a robust anti-cheat system and a dedicated staff team to manually ban exploiters. The issue is what I have mentioned: they are able to easily get past Roblox bans and find new accounts to test any anti-cheat updates on. However, if there’s something more that can be done, I’d love to know, as I still don’t see a way to sustain a Roblox game.

My game is an open-world ant survival game, where players manage ant colonies and control special insects to fight each other. The game has large servers, which have attracted significant popularity, especially among exploiters who enjoy feeling overpowered and in control. The main issue has been players teleporting around and killing everyone instantly. Although I’ve added multiple layers of protection, completely detecting and preventing this behavior is challenging. Exploiters can always move their characters slower to avoid detection. Server-sided detection for teleporting and speeding also doesn’t work well due to latency issues, leading to numerous false positives. There is really no way of detecting if a player teleports up to someone, bites them, teleports out of distance, and repeats until they kill entire servers for hours, all out of fun.

2 Likes
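The teleport-versus-latency problem described in the post above, as an added example that is not part of the thread or anyone's game code: instead of judging each position update on its own, the server keeps a running distance "debt" that a lag burst pays back over the next ticks but a teleport cannot. Plain Lua with constructed traces; `MAX_SPEED`, `TOLERANCE`, `GRACE_SECONDS` and all function names are assumptions, and in a Roblox server script the samples would be the character's position read each server tick.

```lua
-- Added example: leaky-bucket movement check. All names and constants are assumptions.
local MAX_SPEED = 16       -- studs/second the game allows (assumed)
local TOLERANCE = 1.25     -- headroom for physics jitter (assumed)
local GRACE_SECONDS = 0.5  -- worth of movement forgiven for bunched updates (assumed)

local function newTracker(startPos)
	return { pos = startPos, debt = 0 }
end

-- Feed one server-observed sample; returns true when the player should be flagged.
local function observe(tracker, pos, dt)
	local dx, dz = pos.x - tracker.pos.x, pos.z - tracker.pos.z
	local moved = math.sqrt(dx * dx + dz * dz)
	local allowed = MAX_SPEED * TOLERANCE * dt
	-- Distance beyond the allowance accumulates as debt; slower ticks pay it back.
	tracker.debt = math.max(0, tracker.debt + moved - allowed)
	tracker.pos = pos
	return tracker.debt > MAX_SPEED * GRACE_SECONDS
end

-- Returns the index of the first flagged sample, or nil if the trace is clean.
local function firstViolation(trace)
	local tracker = newTracker(trace[1].pos)
	for i = 2, #trace do
		if observe(tracker, trace[i].pos, trace[i].dt) then
			return i
		end
	end
	return nil
end

-- Constructed trace: legitimate player whose updates stall, then arrive bunched.
local laggy = {
	{ pos = { x = 0, z = 0 }, dt = 0 },     { pos = { x = 0, z = 0 }, dt = 0.1 },
	{ pos = { x = 0, z = 0 }, dt = 0.1 },   { pos = { x = 4.8, z = 0 }, dt = 0.1 },
	{ pos = { x = 6.4, z = 0 }, dt = 0.1 },
}
-- Constructed trace: jump to a target and back within two ticks.
local teleport = {
	{ pos = { x = 0, z = 0 }, dt = 0 },     { pos = { x = 1.6, z = 0 }, dt = 0.1 },
	{ pos = { x = 60, z = 0 }, dt = 0.1 },  { pos = { x = 1.6, z = 0 }, dt = 0.1 },
}

print("laggy flagged at:", firstViolation(laggy))
print("teleport flagged at:", firstViolation(teleport))
```

A per-tick speed check would flag the bunched update in the laggy trace; the debt model lets it through while still catching the jump, and the grace window is the knob that trades false positives against how large a jump goes unnoticed.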

To make my stance abundantly clear, my fellow developers and I feel very let down by Roblox. We shouldn’t have to learn all these technicalities just to make games. While I understand that a free-to-play platform attracts more players and makes security harder, Roblox really needs to step up their game and provide better support for developers. It’s very discouraging; I feel like I can’t make anything on this platform.

I know a lot of this discussion is going on in these two threads:

Introducing the Ban API and Alt Accounts

Preventing Account Farming and Exploits

Roblox has taken two stabs at this to no avail. Hopefully the third time is a charm, especially with investor pressure on their daily account user metrics. A lot of analysts feel like Roblox’s measure of how they count active users is 20-30% inflated because of how many exploiters and botters play the game.

You’re not alone in this, OP. Something has to change.

2 Likes

The alt ban API would be amazing if it wasn’t so easily bypassed.

ROBLOX is just a small start-up, maybe we should take it easier on them.

It’s not like they’re a billion dollar company that has had 10+ years to crack down on this or anything…

1 Like

Just check if the player owns the verified plaidified hat or whatever it was. That’s the bare minimum for authentication/verification, anyone who’s intending to use their account for more than 5 minutes would have it.

1 Like

The problem isn’t with people creating new accounts, as I have a minimum account age requirement of one month. The issue lies with account farming services. These services allow users to click a button and receive login information for unprotected accounts. There is no way for me to detect this, as these accounts are usually a few years old, have been played on, but were subsequently abandoned. The issue is that these accounts lack security, making it easy for users to log in, obtain new accounts, and repeat the process in a matter of seconds.

This may be useful to you in the meantime: Chickynoid, server authoritative character replacement

Exploiters have been a major problem on Roblox for so long. Games like Natural Disaster Survival have sometimes become unplayable due to the abundance of exploiters. I made a game with friends when streaming to them on Discord where we try to last in a server for 10 minutes without an exploiter and see who can do it first. Going through ~10 servers before I see a server without an exploiter is genuinely baffling.

The problem that I see is not that people can just easily create new accounts, but the lack of prevention in the first place. I do think that Roblox should require a verified email by default, but I don’t think we need anything further than that. Heavy restrictions to the average user are not the best way of handling it even if it will help. It’s a double-edged sword solution. Instead, Roblox should be focusing a lot more on ensuring there is more prevention to combat exploits instead of focusing on account creation.

I also see that it is sad that we have to rely on something like Chickynoid, even if it’s a well-made system to combat it that I do recommend using for the time being. Roblox needs to focus on working with first-party solutions like native server-authority characters instead of relying on third-party solutions. I do know Roblox has it on the roadmap, but I see Roblox focusing more on other things.

The ban API is a good step in the right direction, but it requires the developer to actively add bad actors to the ban list. Preventing exploits is more important than stopping exploits already happening. Once your experience is ruined by exploiters, there is no way to get it back. The best thing we can do for now is create your own anti-cheat systems.

Also, I hate people saying to not bother with making your own client-sided anti-cheats. It’s okay to have a client-sided anti-cheat in your game as it can deter most exploiters as they most likely just got the script off a random website. A server-sided anti-cheat should be mainly used for picking up the pieces that the client-sided anti-cheat misses in case the client-sided anti-cheat is bypassed or if something isn’t detected. Client-sided anti-cheats are like locks; we use them for security despite them being able to be lockpicked, but not everyone knows how to do that or will try to learn how to. Having no lock at all or having your door wide open is inviting people to just come right inside.

It is impossible to stop exploits permanently. It’s a constant cat-and-mouse game. The only thing we can do is ensure there is a way to stop most of them and then try to get rid of the rest through bans or other punishments.

1 Like

They’ve really been dropping the ball, in my opinion.

One thing they should consider is integrating Guilded into Roblox, so each group can function as a community directly within Roblox, complete with ranks, chats, privileges, and so on, rather than depending on a separate app. This would make identities directly linked to Roblox accounts, which would be nice for moderation. It’s promising that they plan to let certain ranks use the ban panel; it would be a help to have mods not have to enter servers just to ban people, but that’s still months away. Time and again, I’m left bewildered by their focus on aspects like character customization and manipulations, when there are clearly more pressing improvements needed. With such a big team and resources, I’m often left wondering, “What in the world are they doing?” The simplest things take way too long.

1 Like

Where did you get insight that they’re allowing different ranks access to Ban API?

I feel like we haven’t heard a word regarding this effort other than a few words to appease shareholders skeptical about Roblox’s DAU number.

The main issue is that they are not being banned swiftly enough by Roblox and the rare bans they do get don’t even apply to main/alt accounts. Roblox is deliberately choosing not to ban exploiters, even the ones they detect.

3 Likes

We covered it in our creator AMA and the granular permissions for the Moderation tab in Creator Hub are currently being developed.

Absolutely. These quarterly banwaves aren’t cutting it and exploiters know it.

1 Like

Quarterly (at best) banwaves that only ban for 1 day, strategically timed to line up with their punishment-reset window so that they don’t have to actually terminate any accounts (aka damage their DAU metrics).

Hyperion might be a competent system but if Roblox doesn’t ban anyone and doesn’t provide developers with detections, it’s effectively nonexistent. How many topics about ‘combatting unfair play’ are they going to make before they actually do something about the issue? They lay out these elaborate policies just to avoid banning offenders because exploit bots make up at least 20% of the userbase.

If Roblox isn’t going to ban them, then the best solution to OP’s problem would be a much stronger BanAPI alt-detection, which should hopefully be coming sometime this year.

I can confidently say that this is not a scare tactic. If these issues aren’t resolved, I will seriously consider switching to other platforms like Steam. As a Roblox player since 2009, when I became a developer years ago, I never anticipated having to deal with such rampant cheating, and the worst part is Roblox could do something about it: their engineers admitted that they can accurately detect it, though they choose not to.

1 Like

I can’t believe that this was the only message we received a response to.

The comment about the ban API is ill-referenced. ROBLOX engineers have admitted that they can identify these exploiters and botters. However, they deliberately choose not to take action because the additional accounts make the platform’s user numbers appear more appealing to shareholders, even though it negatively impacts the quality of all the games on the platform.

I understand it’s a tough task, but these ban waves are not cutting it, like at all.

3 Likes