Forced 2FA on account with no email

Page URL: www.roblox.com/login
Impact: Very High
Frequency: Constantly
Date First Experienced: 2021-04-29 19:04:00 (-04:00)
Date Last Experienced:

Reproduction Steps:
Attempt to login to account with a different IP, you will then be brought to the 2fa page even if there is no email associated with the account thus creating lockout.

Expected Behavior:
Expected to not happen on accounts without an email associated

Actual Behavior:
System proceeds to force 2fa without email associated

Workaround:

12 Likes

This bug has been happening for a long time, sometimes accounts will get a forced 2fa login even if 2fa isn’t enabled. I’ve had this happen across multiple accounts of mine. The first time it happened I didn’t even get the 2fa emails and I assumed it was hacked (thankfully a quick login code and checking the settings confirmed that wasn’t the case)

I’m not entirely sure why this happens but I imagine it’s because roblox might be trying to fight password guessing of older accounts?

5 Likes

I encounter this bug when I try logging in through mobile with mobile data. I also encounter this in incognito tabs.

2 Likes

At first I thought this might be Roblox’s attempt to prevent hackers gaining access to accounts as @cpguy5089 has mentioned. However, if it’s occurring with account’s without emails it’s most likely a glitch.

1 Like

This is intentional:

Doesn’t seem like a bug to me, it should be the standard for people to enable 2SV/2FA/whatever other sites call it on platforms they sign up for anyway

1 Like

you did an oopsies sir, check the title :wink:

2 Likes

Yeah I somehow missed that :sweat_smile:

I still think it’s related though

1 Like

More than likely they thought they gave a good amount of time to place an email before they rolled out this push on everyone.

1 Like

Thanks for the report! We’ve filed a ticket to our internal database and we’ll follow up when we have an update for you.

3 Likes