Introducing Login with a One-Time Code

Hey Developers,

Great news - You no longer need to remember lengthy passwords!

Starting today, we are rolling out Login with a One-Time Code on the web, an easy and secure way to sign in to Roblox.

We have been working on various ways to help Roblox users log in with simpler and safer alternatives to passwords. While passwords have been the main way to secure a Roblox account for a long time, they are difficult to remember and easy to be phished via social engineering.

In addition to quick login, we are excited to announce the Email me a One-Time Code feature to provide you with more passwordless login options.

Click Email Me a One-Time Code to enter a verified email and receive a one-time code. Once you enter the correct code, you are in!

Note: This feature is currently only available on www.roblox.com/login. We are working on releasing this feature to the mobile and desktop apps shortly.

We hope this feature will simplify your login to Roblox and make your accounts more secure.

FAQs


What is a verified email?

  • You can check if you have a verified email on Account info → Email Address. Look for the Verified check mark. If you don’t have a Verified Email, you can follow the steps in this help article to add a verified email.

What if someone else has my one-time code?

  • The one-time code expires after 15 min. Never share this one-time code with another person as they can compromise your account.

I don’t see this feature on my login page.

  • This feature is currently only available on www.roblox.com/login. We are working on releasing this feature to the mobile and desktop apps shortly.

Can I use a verified parental email address to log in?

  • This feature currently works for non-parental email addresses only. We will have an update about parental emails at a later date.

Feel free to leave a comment below with questions/thoughts. We will continue to iterate to make logging into Roblox more simple and secure.

Thank you!

151 Likes


Can this be extended to support authenticator codes? If I have the key used to generate the TOTP codes, surely that’s good enough verification of who I say I am (and probably stronger than a password). I don’t think anyone’s going to be able to get to my phone without going through me first.

Also anyone who’s using 2FA authenticator (is probably) smart enough to not give it to random people though I wouldn’t put it past people to still give it out.

33 Likes

This is worrying. How is this better than email-based 2FA when it seems to work the exact same way except with fewer steps - email-based 1FA?

This doesn’t make it harder to social engineer your way into someone’s account, this simply provides a new option that makes it even easier to do exactly that. Not to mention that email-based 2FA isn’t even necessarily the most secure form of 2FA to begin with.


I also have to add that it’s not very reassuring that the FAQ doesn’t exactly include the sorts of questions an announcement like this would raise. I don’t think many of us here are asking what a verified email address is. What I want to know is how this is secure when it seems to just be a less secure version of login options that already existed.

81 Likes

Yay! Just noticed this feature appeared when I try to log into an account. :+1: I have a few questions though. What is the difference between this method of logging in, compared to logging in through an email if you can’t remember your password and then having it reset? Does this new method just shorten the process?

Was also wondering how this would work, with two factor authentication. Would you have to use two different codes, when logging into the same account? :thinking:


What is the point in having a password that won’t be used, if it is too long and instead people would be using this method of logging in? In addition, why wouldn’t passwords be removed entirely, if they can be “difficult to remember and easy to be phished via social engineering” and just have some email attached to your account instead?

In theory, you could be giving more players more of an opportunity, of logging into somebody else’s account. :exploding_head:

17 Likes

Cool update, I have it and I tried it and I got sent my own IP, that’s the only thing I don’t really like

11 Likes

I hope this can be disabled for an account. I don’t want to have my password bypassed from a potential security breach to my email. Additionally, how does this work with 2FA? Does this bypass that?

Edit: It does not bypass authenticator app 2FA at least. That is good but not clear from the original post’s wording.

My guess is that looking up an account given an arbitrary one-time pin is not an option. They are meant to be nearly random after all.

52 Likes

I’m going to agree with vanilla_wizard here. A while back a great step was made with the introduction of authenticator apps for OTP code generation as opposed to e-mail and SMS, the methods which are known to generally be less secure.

Why did you think it was a good idea to re-introduce a known less-secure method of OTP, along with bypassing passwords entirely?

If the goal is making login even easier then I’d highly recommend removing this feature and instead look at something recently introduced into the market. Passkeys.

19 Likes

Would be nice if this could be disabled as I have 2fa (mobile auth & security keys) for a reason… not for them to be bypassed just from entering an email and a code

12 Likes

Ahh, didn’t realise it didn’t attach a username, oops lol

7 Likes

It’s a little bit concerning if it does bypass the 2FA…
I hope it doesn’t because that would make our accounts less secure than before. I think that the best way to implement this is to let the user choose if he wants to be able to login only with an email code or not.

UPDATE: I just tried this new feature and it does actually seem to still ask for a 2FA code, that’s great news and I guess this new feature would be helpful for people who do not want to always remember their passwords.

7 Likes

HORRIBLE IDEA? You guys are actually dumb. This is an easy way for compromisers to get in your account. Can’t believe y’all even think this is a good idea.

12 Likes

I don’t see the difference between this and 2FA… Plus it even asks you to use your 2FA code right after putting in the email one time code?

8 Likes

This seems like it will be better since sometimes my Roblox account gets logged out. This allows for faster log ins. However, I do question how you all are going to stop people from entering other people’s accounts if their email is compromised. Seems like a security risk.

7 Likes

What will be easier and more secure will probably be Passkeys.

Will we ever get Passkeys?

7 Likes

great update, looks glitched in Spanish lang

11 Likes

My main question is will this bypass any authentication apps we have? I am a bit concerned with this update with emails not always being the most secure with lots of phishing attacks being based via emails this could open a can of worms with people getting their accounts hacked.

I really think we need further information on preventative methods put in place to reduce this and also is there any way we could turn this off in settings or will this just be something everyone has to use?

8 Likes

Wouldn’t this be better using authentication apps instead? And will we be able to disallow one-time codes for our accounts?

8 Likes

Someone already said earlier in the thread 2FA is not bypassed. So your security key or authenticator app you use are still required to fill in afterwards.
However that doesn’t make this feature any better…

6 Likes

Just tested this and it doesn’t bypass 2FA, both for email and app 2FA.

That said though, I still don’t fully get the use case for this. Ideally you’d use a password manager to not have to remember lengthy passwords, so in a way, it feels like it’s just encouraging bad account safety practices.

8 Likes
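
The properties discussed in this thread (a code tied to a verified email, expiring after 15 minutes, with 2FA still required afterwards), shown as an added Python example that is not Roblox's code and not from any poster. The attempt limit, the in-memory store and every name here are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 15 * 60   # the FAQ above: a one-time code expires after 15 minutes
MAX_ATTEMPTS = 5     # assumption: the thread does not state an attempt limit


class OneTimeCodeLogin:
    """Hypothetical in-memory verifier for emailed one-time login codes."""

    def __init__(self, accounts, clock=time.time):
        self.accounts = accounts  # email -> {"user": str, "has_2fa": bool}
        self.pending = {}         # email -> [code_hash, expires_at, attempts_left]
        self.clock = clock

    @staticmethod
    def _digest(email, code):
        # Keep only a hash bound to the email, so a code is useless for any other account.
        return hashlib.sha256(f"{email}:{code}".encode()).digest()

    def issue(self, email):
        """Create a code for a verified email; the caller is responsible for mailing it."""
        if email not in self.accounts:
            return None  # the UI should answer identically to avoid account enumeration
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = [self._digest(email, code),
                               self.clock() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, email, code):
        """Return 'denied', 'needs_2fa' or 'session'."""
        entry = self.pending.get(email)
        if entry is None:
            return "denied"
        digest, expires_at, attempts_left = entry
        if self.clock() >= expires_at or attempts_left <= 0:
            del self.pending[email]  # expired or guessed too often: code is dead
            return "denied"
        entry[2] -= 1
        if not hmac.compare_digest(digest, self._digest(email, code)):
            return "denied"
        del self.pending[email]      # single use: a replayed code finds nothing
        # The emailed code replaces the password step only, never the second factor.
        return "needs_2fa" if self.accounts[email]["has_2fa"] else "session"
```
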