In-game dual security: Allowed?

Hi.

I was considering adding a “Two Factor Authentication” option for game moderators, on top of an existing “magic word” system.

Option 1

So to access an account, a hacker would need to…

  • Get the Roblox Password
  • Get the E-Mail password and access (bypassing things like multi-factor security there)
  • Have the two-factor code from the moderator’s phone and input it in the game
  • Know the passphrase/magic word
  • Not trigger any other automated checks

Multi-factor authentication would be set up outside of Roblox.

Option 2

This is a more “lite” version of Option 1, with verification being conducted via an external website. In the game, it would just say “Verification Required” and the moderator is expected to know what to do.

The passphrase system would also be used.

Option 3

This is just the passphrase system.

Brute Force Prevention

If you fail verification 3 times (passphrase/2FA key), it assumes that you’ve been hacked and just locks everything down, blocking both your in-game access and staff access on similar things (e.g. Discord, Web Portal) until an administrator manually resolves the situation.

Summary

Do you know if any of these are against the Terms? I’d preferably use Option 1, or Option 2, followed by Option 3.

If all of these are against the terms, looks like I’m doing things the old-fashioned way and trusting that no staff member is dumb with security.

Yes, we require staff to enable 2FA on everything already; this is just an extra line of security. After asking around internally, it doesn’t look like anyone has any major objections to this system. Obviously, they think it’s slow, but they understand it’s necessary.

Thank you for your contributions in advance.

1 Like

If you are absolutely wanting to give an in-game suite of administration tools, but are too afraid your admin accounts would be compromised giving unauthorized users access to these tools, that makes me extremely curious as to what sort of sensitive information these tools would be handling.

When you’re already talking about building an external website, why not offer all the tools on there instead of linking it to an in-game set of tools? That would allow you to implement your own verification methods.

Ultimately though, I think that relying on your admins to enable 2FA on their Roblox accounts is a very adequate security measure already. The chance that someone hacks into someone’s Email AND Roblox account AND uses it to mess with your system is smaller than the chance that one of your admins will abuse the system themselves.

As long as there are no references to a website or another form of authentication in-game, and it is only built upon your administrators getting the information from a third-party source (i.e. explaining it on your website or Discord), it would be allowed to implement such a system. Never use password/authentication terminology, to avoid confusion with Roblox login systems, which could flag your game as an attempted scam.

3 Likes

There seems to be an absence of quite a bit of context for your title-question.
I’m going off the assumption that this feature is intended for the staff members of a team, group, or community that you are part of.

The current Two-Factor Authentication offered by Roblox is sound. When intelligent, unique passwords are set up separately for an email and Roblox account, pairing it with 2FA should be more than adequate protection.

If you’re considering adding additional security for the moderation/administration systems in your group places, it would be redundant, but a passphrase system seems to be the easiest solution. You can regularly cycle phrases at your discretion in order to reduce the likelihood of a breach. I’m unsure what features warrant such heavy security, but the measures in-place by Roblox should be more than sufficient as a starter.

3 Likes

It is easier to run a ban command in-game than opening a web form and typing it out, especially for single-monitor users.

As for sensitive information, it’s more about the risk of causing problems with user experience. I don’t want players to be falsely banned by a hacker.

I still don’t like to have that risk.

The OP should have more context. If there is something in particular that confuses you, I can explain further.

A “hacker” will never be able to ban another player. What happens is that developers just leave remotes exposed, allowing for exploits. Roblox includes the player as the first argument when firing the server, so you can be 100% sure who the request came from.

If it was possible to fake this the whole security model Roblox runs on would be severely compromised.

In this position I would look at reducing human error. Include a confirmation before banning players and also log admin/mod activity.

In the worst case that a user’s account is compromised, a simple passphrase would be sufficient for blocking any malicious use. You would also look at locking a user out if they get the password incorrect for x amount of attempts.

Going back to your question I would ask what is really needed for security. More importantly factor in any other security models in place.

Please read the OP. My question is if my methods are allowed under the ToS. I’m aware of the caveats and so on.

This is not my point nor question.

I’m a bit confused here. What is that you’re worrying yourself about?
If you want to be safe, just make sure their Roblox and email account have 2FA enabled.
If you want to go overkill, use a 3rd party software for dealing with 2FA.

When it comes to if this is allowed, you should not face any problems when having an input box where the admins will have to enter a secret phrase, and then the verification code. Granted that you do not promote users going off-site (or out-game, heh.)

Although the ROBLOX account security should be sufficient, if you wish to continue with making a “passcode” system within your game, I don’t see why that would be against the terms of service. It’s just a code required to use the admin powers in your game, so it shouldn’t be a problem.

1 Like

My main question is if you can have 2 factor authentication in a game. (like 2FA apps)

This would be set up offsite, and when you join it requires you to put the code into a box; the code is then sent to an HTTP server.

Surely this is not against the Terms?

You have some nice ideas, and I’m sure it’s possible to implement - to a degree - but honestly, I do feel it’s not exactly needed.

Common sense can go a long way in terms of security: making sure that you turn off third-party cookies, disabling JavaScript on websites automatically (allowing you to whitelist JavaScript from websites you trust), using containers such as the ones provided on Firefox to separate your work, personal and other types of online activities (therefore separating cookies), making sure you use different passwords on all the different major services you use, etc.

All the above can do wonders for online security, reducing the possibility that someone will steal your session cookie for Roblox.

So honestly, as much as you have some interesting ideas, I feel teaching your moderation team about basic online security will majorly help prevent their Roblox account - as well as any other online account - from being compromised.

Edit: To answer your question, as also mentioned below, you should be allowed to do this, granted it does not involve any personal information about the user which needs to be collected in-game (as it’s usually against the Terms of Service to collect personal information in-game about a user, such as email, phone number, etc.).

Objectively, there is nothing that contradicts the Roblox Terms of Use concerning what you have defined. This was stated in @Wsly’s post and should really have been solved originally. I see no reason why this thread has gone on so far.

These sorts of threads can be solved easily by reading the Terms of Use itself.

Good luck with your system.

1 Like