Iconic "Are you a real person" verification for when you're using the recovery code method

So, everybody that’s using this system has 10 recovery codes by default. When I use a recovery code to log in, it doesn’t ask me to verify myself in any way and it doesn’t have a cooldown.

My concern is about pass-guessing. It is nearly impossible for someone to guess a password that has 9 characters and that has the potential of containing any random letter or number. But, since there’s no cooldown or verification to this system, people can use bots to make them do this for them.

Is it impossible for someone to guess a recovery code? Probably, yeah.
Are there any people that would have multiple systems running day and night just to pass-guess? Probably, yeah.

If it’s not a pain to add, just go for it in my opinion. Or, I can see a good amount of people complaining about this when the update is released :laughing:. As I said though, it’s not really that big of a deal. I just wanted to point it out and maybe people simply wouldn’t care since it’s nearly impossible to guess a code like this.

6 Likes

The odds of guessing one of the 10 recovery codes are 1 in 10,155,995,666,841.6.

It would be far easier to guess the actual current authentication key (1 in a 1,000,000, give or take a few zeros since it rotates).

That being said, I’m not opposed to this - backup codes will be used rarely, so there’s no harm in adding a verification step to it.

15 Likes
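The odds quoted above work out exactly if a recovery code is 9 case-insensitive alphanumerics (36 symbols): 36^9 / 10 codes = 10,155,995,666,841.6. The following is an added example, not code from the original posts or from the site, that derives that figure from the alphabet and length, estimates how long an unthrottled guessing bot would need, and shows the kind of per-account cooldown the first post asks for. The code format, the hashing scheme, and the lockout policy (five failures, then a doubling lockout) are assumptions chosen for illustration; the thread only states that no cooldown exists today.

```python
import hashlib
import hmac
import secrets
import string
import time

# Assumed format: 9 case-insensitive letters or digits, 10 codes per account.
# This is the only format that reproduces the 1-in-10,155,995,666,841.6 figure.
ALPHABET = string.ascii_lowercase + string.digits
CODE_LENGTH = 9
CODES_PER_ACCOUNT = 10


def odds_of_single_guess(alphabet_size=len(ALPHABET), length=CODE_LENGTH,
                         codes=CODES_PER_ACCOUNT):
    """Return N such that one random guess succeeds with probability 1/N."""
    return alphabet_size ** length / codes


def expected_years_to_guess(guesses_per_second, **kw):
    """Average wall-clock time for an unthrottled bot guessing uniformly at random
    (geometric distribution: on average N guesses are needed)."""
    seconds = odds_of_single_guess(**kw) / guesses_per_second
    return seconds / (365.25 * 86400)


class RecoveryCodeVerifier:
    """Stores only salted hashes of the codes and applies a per-account cooldown.

    Policy (hypothetical): after `max_failures` wrong guesses the account is locked
    for `base_lockout` seconds, doubling with every further failure.
    """

    def __init__(self, max_failures=5, base_lockout=60, clock=time.monotonic):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.clock = clock
        self._accounts = {}  # account -> {salt, hashes, failures, locked_until}

    @staticmethod
    def _normalize(code):
        # Accept "ABCD-EFGHI" or "abcdefghi" alike; codes are case-insensitive.
        return code.strip().lower().replace("-", "").replace(" ", "")

    @staticmethod
    def _hash(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, account):
        """Generate fresh codes; return them to show the user once, store hashes only."""
        salt = secrets.token_bytes(16)
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
                 for _ in range(CODES_PER_ACCOUNT)]
        self._accounts[account] = {
            "salt": salt,
            "hashes": {self._hash(salt, c) for c in codes},
            "failures": 0,
            "locked_until": 0.0,
        }
        return codes

    def verify(self, account, submitted):
        """Return "ok", "rejected" or "locked". A matching code is consumed."""
        rec = self._accounts[account]
        now = self.clock()
        if now < rec["locked_until"]:
            return "locked"  # attempts during the cooldown are not even evaluated
        candidate = self._hash(rec["salt"], self._normalize(submitted))
        matched = None
        for stored in rec["hashes"]:
            # Compare every hash without breaking early so timing does not
            # depend on which slot matched.
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is not None:
            rec["hashes"].remove(matched)  # each recovery code is single-use
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= self.max_failures:
            exponent = rec["failures"] - self.max_failures
            rec["locked_until"] = now + self.base_lockout * (2 ** exponent)
        return "rejected"


if __name__ == "__main__":
    print(f"odds: 1 in {odds_of_single_guess():,.1f}")
    print(f"years at 1000 guesses/s: {expected_years_to_guess(1000):,.0f}")
    v = RecoveryCodeVerifier()
    codes = v.issue("demo")
    print([v.verify("demo", "not-a-code") for _ in range(5)], v.verify("demo", codes[0]))
```

Even with no throttling, a bot firing 1,000 guesses a second needs roughly three centuries on average, which is the point made above; the cooldown is still worth having because it removes the attacker's ability to scale by running many such bots against one account.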

People would probably already have bots on day one of public release, so that’s a good idea…

Do you mean one of those “FunCaptcha” verifications that are on the rest of the website, or something like Google’s reCAPTCHA?

Hi Butter,
Thanks for bringing this up. We recognize the importance of protecting this authentication method even if it’s very hard to guess a recovery code. The mitigation won’t necessarily be FunCaptcha but we do already have some code in place to prevent excess guessing.

11 Likes

I’m talking about the “FunCaptcha”.

1 Like

Oh nice! An account with 2FA Authenticator is going to be as strong as a castle I guess!

2 Likes

Maybe put the backup codes under the pin (even if the pin is easy to guess).
Or when the user clicks “download codes”, and the pin is unlocked it sends the codes in an e-mail to the registered e-mail instead of downloading as a file.
You could also force the user to type their password in order to download the codes.

Roblox has many options for verification, but pin, password and 2FA will confuse users on what service they really cover.

I know for example that pin only serves the settings menu.

Roblox password serves the login on roblox’s services.
And 2FA does the same.

And you can also use Facebook login without ANY 2FA, that’s concerning.
I have used Facebook login when I forget the password once in a while.
And I find it easier to get into someone’s Roblox by using Facebook as a relay.

1 Like

Master3395, thanks for the feedback. These are interesting ideas that we’ll consider moving forward.