I was considering adding a “Two Factor Authentication” option for game moderators, on top of an existing “magic word” system.
So to access an account, a hacker would need to…
- Get the Roblox Password
- Get the E-Mail password and access (bypassing things like multi-factor security there)
- Have the two-factor code from the moderator’s phone and input it in the game
- Know the passphrase/magic word
- Not trigger any other automated checks
Multi-factor authentication would be set up outside of Roblox.
This is a more “lite” version of Option 1, with verification being conducted via an external website. In the game, it would just say “Verification Required” and the moderator is expected to know what to do.
The passphrase system would also be used.
This is just the passphrase system
Brute Force Prevention
If you fail verification 3 times (passphrase/2FA key), it assumes that you’ve been hacked and just locks everything down, blocking both your in-game access and staff access on similar things (e.g. Discord, Web Portal) until an administrator manually resolves the situation.
Do you know if any of these are against the Terms? I’d preferably use Option 1, or Option 2, followed by Option 3.
If all of these are against the terms, looks like I’m doing things the old-fashioned way and trusting that no staff member is dumb with security.
Yes, we require staff to enable 2FA on everything already; this is just an extra line of security. After asking around internally, it doesn’t look like anyone has any major objections to this system. Obviously, they think it’s slow, but they understand it’s necessary.
Thank you for your contributions in advance.
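As an added illustration of the passphrase + 2FA check and the three-strike lockdown described above (this is not the poster’s code and not a Roblox API; the in-game side would be Luau, this just sketches the server-side logic in Python), the example below verifies an RFC 6238 authenticator code and a passphrase together, counts failures, and locks the account after three, calling a hypothetical `on_lockdown` callback that stands in for cutting off Discord and web-portal access until an administrator resets it.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30          # authenticator apps use a 30 second time step
MAX_FAILURES = 3   # the post's "fail verification 3 times" rule

def totp(secret_b32: str, t: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme phone authenticator apps use."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

class ModeratorGate:
    """Passphrase + 2FA gate for one moderator, with a 3-strike lockdown."""
    def __init__(self, passphrase: str, totp_secret_b32: str, on_lockdown):
        # Keep only a hash of the passphrase; on_lockdown is the hook (assumed,
        # supplied by the caller) that would also revoke Discord / web-portal access.
        self._pass_hash = hashlib.sha256(passphrase.encode()).digest()
        self._secret = totp_secret_b32
        self._on_lockdown = on_lockdown
        self.failures = 0
        self.locked = False

    def verify(self, passphrase: str, code: str, now=None) -> bool:
        if self.locked:
            return False  # stays locked until an administrator resets it
        now = int(time.time()) if now is None else now
        # Evaluate both factors (no short-circuit) so a failure does not reveal which one was wrong.
        pass_ok = hmac.compare_digest(hashlib.sha256(passphrase.encode()).digest(), self._pass_hash)
        # Accept the neighbouring time steps too, to absorb small phone clock drift.
        code_ok = any(hmac.compare_digest(code.encode(), totp(self._secret, now + d * STEP).encode())
                      for d in (-1, 0, 1))
        if pass_ok and code_ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
            self._on_lockdown()
        return False

    def admin_reset(self) -> None:
        """Manual resolution by an administrator, as the post describes."""
        self.failures = 0
        self.locked = False
```

The secret used in the test is the RFC 6238 reference secret, so the expected codes can be checked against the RFC's published vectors.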