We have been working on various ways to help Roblox users log in with simpler and safer alternatives to passwords. While passwords have been the main way to secure a Roblox account for a long time, they are difficult to remember and easy to be phished via social engineering.
In addition to quick login, we are excited to announce the Email me a One-Time Code feature to provide you with more passwordless login options.
Click Email Me a One-Time Code to enter a verified email and receive a one-time code. Once you enter the correct code, you are in!
Note: This feature is currently only available on www.roblox.com/login. We are working on releasing this feature to the mobile and desktop apps shortly.
We hope this feature will simplify your login to Roblox and make your accounts more secure.
FAQs
What is a verified email?
You can check if you have a verified email on Account info → Email Address. Look for the Verified check mark. If you don’t have a Verified Email, you can follow the steps in this help article to add a verified email.
Can this be extended to support authenticator codes, if I have the key used to generate the TOTP codes, surely that’s good enough verification of who I say I am (and probably stronger than a password). I don’t think anyone’s going to be able to get to my phone without going through me first.
Also anyone who’s using 2FA authenticator (is probably) smart enough to not give it to random people though I wouldn’t put it past people to still give it out.
This is worrying. How is this better than email-based 2FA when it seems to work the exact same way except with fewer steps - email-based 1FA?
This doesn’t make it harder to social engineer your way into someone’s account, this simply provides a new option that makes it even easier to do exactly that. Not to mention that email-based 2FA isn’t even necessarily the most secure form of 2FA to begin with.
I also have to add that it’s not very reassuring that the FAQ doesn’t exactly include the sorts of questions an announcement like this would raise. I don’t think many of us here are asking what a verified email address is. What I want to know is how this is secure when it seems to just be a less secure version of login options that already existed.
Yay! Just noticed this feature appeared when I try to log into an account. I have a few questions though. What is the difference between this method of logging in, compared to logging in through an email if you can’t remember your password and then having it reset? Does this new method just shorten the process?
Was also wondering how this would work, with two factor authentication. Would you have to use two different codes, when logging into the same account?
What is the point in having a password that won’t be used, if it is too long and instead people would be using this method of logging in? In addition, why wouldn’t passwords be removed entirely, if they can be “difficult to remember and easy to be phished via social engineering” and just have some email attached to your account instead?
In theory, you could be giving more players more of an opportunity, of logging into somebody else’s account.
I hope this can be disabled for an account. I don’t want to have my password bypassed from a potential security breach to my email. Additionally, how does this work with 2FA? Does this bypass that?
Edit: It does not bypass authenticator app 2FA at least. That is good but not clear from the original post’s wording.
I’m going to agree with vanilla_wizard here. A while back a great step was made with the introduction of authenticator apps for OTP code generation as opposed to e-mail and SMS, the methods which are known to generally be less secure.
Why did you think it was a good idea to re-introduce a known less-secure method of OTP, along with bypassing passwords entirely?
If the goal is making login even easier then I’d highly recommend removing this feature and instead look at something recently introduced into the market. Passkeys.
Would be nice if this could be disabled as I have 2fa (mobile auth & security keys) for a reason… not for them to be bypassed just from entering an email and a code
It’s a little bit concerning if it does bypass the 2FA…
I hope it doesn’t because that would make our accounts less secure than before. I think that the best way to implement this is to let the user choose if he wants to be able to login only with an email code or not.
UPDATE: I just tried this new feature and it does actually seem to still ask for a 2FA code, that’s great news and I guess this new feature would be helpful for people who do not want to always remember their passwords.
HORRIBLE IDEA? You guys are actually dumb. This is an easy way for compromisers to get in your account. Can’t believe y’all even think this is a good idea.
This seems like it will be better since sometimes my Roblox account gets logged out. This allows for faster log ins. However, I do question how you all are going to stop people from entering other people’s accounts if their email is compromised. Seems like a security risk.
My main question is will this bypass any authentication apps we have? I am a bit concerned with this update with emails not always being the most secure with lots of phishing attacks being based via emails this could open a can of worms with people getting their accounts hacked.
I really think we need further information on preventative methods put in place to reduce this and also is there any way we could turn this off in settings or will this just be something everyone has to use.
Someone already said earlier in the thread 2FA is not bypassed. So your security key or authenticator app you use are still required to fill in afterwards.
However that doesn’t make this feature any better…