Introducing Login with a One-Time Code

Haven’t tested it, but it’s kinda funny that they forgot about 2FA through emails yes.

1 Like

Let’s see…

@VSCPlays says it all for you.

1 Like

That’s not a vulnerability. If you send your login code to someone or don’t protect your email, that’s your problem.
His account did not get “hacked”; someone logged in because he isn’t careful.

3 Likes

In my opinion, this update is one of the most unsatisfactory ones to date. It introduces a vulnerability whereby hacking accounts becomes significantly easier, as individuals can now access their accounts by simply entering an email code, without the prior requirement of a password. Instead, I propose that an alternative option be implemented, wherein users can opt for an authenticator code, which would greatly enhance the overall security measures in place.

oh my god, this thread is literally a children’s playground

Either way, I don’t see this being a really big security risk.
Just don’t download suspicious stuff! It’s that easy to avoid if you have common sense.

This feature doesn’t bypass 2FA, so if he got his account hacked that’s his own fault.

2 Likes

How is this stopping account hackers? This is only adding a new way to login. It may as well be another way for hackers to get into accounts.

3 Likes

This will be useful to a lot of people. Good job, Roblox!

Users with e-mail 2FA get both the login one-time code and the 2FA one-time code. This means that the Roblox account’s password is not needed to log in at all, only access to the e-mail inbox.

Of course, this changes nothing for the worse because you could just request a password reset to get into the account without the password, so e-mail 2FA has been 1FA all along.
If you’re the type-a’ guy who already does that every time[1], then you have it better now and it’s not easier nor harder to beam your account.

As pointed out above in the thread, if you have actual 2FA, such as with an authenticator app, you can access your e-mail through your phone and log into a library computer that might have a general-purpose keylogger (but not a cookie logger, let’s assume) on it without writing your password. A burglar still needs both your 2FA app and access to your e-mail and not your password because of the password reset functionality.

(I just realized that, in the above case, all you need to log in to a Roblox account is your phone: request a password reset or OTC login, get email, use authenticator app, you’re in. This is assuming your phone is already logged into the e-mail account/has the credentials, which it often is.)

Of course, said library computer keylogger might harvest your e-mail address and give an attacker something to break into, and boy are some of these easy to break into.

In conclusion, do not allow any application to remember your e-mail account’s password and never use one e-mail account to register with more than 3-4 services.

[1] YES, some people really do just ignore their passwords and use a password reset to log in every time, in fact this is MORE secure than a password.

3 Likes

this login method does not bypass 2FA

If you have email 2SV enabled and use email OTP to log in, you should not be prompted to enter two separate codes from your email twice. If you are encountering a bug, please reach out.

Funny enough, this isn’t true, even though it appears it should be. It’s only easy to crack if you have associating information about someone or you have a brute algorithm strong enough.

Secondly, using a mix of upper case, lowercase, special characters, etc would make it almost infeasible to cram by design.

Since most people usually speak on this topic without providing any proof, allow me to break down the math for you:

Let’s just say you had a password that was 6 characters in length and only had lowercase characters. There would be 26 possibilities per character, e.g. 26^6 = 308,915,776 possibilities.

Let’s say you wanted to test 1 million passwords a second:

It would take about 308,915,776 / 1,000,000 = 309 seconds, or 309 / 60 = ~5.1 minutes, which is reasonable on a fairly powerful, modern machine.

Now, if we take the same number of digits but add in special characters, uppercase letters and numbers, there would be 94 possible characters, i.e. the sum of 26 lowercase letters, 26 uppercase letters, 10 digits, and 32 special characters.

If we apply the same math rules to a 6 character password, we’ll get 94^6 = 689,869,781,056 possibilities.

If you wanted to try 1,000,000 passwords a second: 689,869,781,056 / 1,000,000 = ~689,869 seconds = ~11,497 minutes = ~7.98 days.

It would take longer to crack because you’d have to solve captchas constantly, and probably flag the account tries as suspicious. Practicality of this wouldn’t make any real sense. Increasing the character limit would dramatically and exponentially lessen the odds of someone cracking it.

If you tie everything to your email, all someone has to do is crack your email and they have everything already.

Unfortunately, even with all this, the root of the problem is and will always be stupid people that trust malicious, seemingly too-good-to-be-true intentions. You can mitigate risk, but you can’t stop a person who willingly gives their info to the wrong person.

5 Likes
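An added worked example, not code from any post in this thread, that generalises the brute-force arithmetic above to several character sets, lengths and guess rates. It contrasts the post’s offline figure of 1,000,000 guesses per second with an assumed online limit of 10 guesses per minute, the kind of ceiling a captcha or per-account rate limiter enforces; the 10/minute value is an assumption, not a figure from the thread.

```python
# Character-class sizes used in the post: 26 lowercase, 26 uppercase,
# 10 digits and 32 specials (26 + 26 + 10 + 32 = 94 printable characters).
CHARSETS = {
    "lowercase": 26,
    "lower+upper+digits": 62,
    "all printable": 94,
}

OFFLINE_RATE = 1_000_000   # guesses/second, the figure used in the post
ONLINE_RATE = 10 / 60      # assumed: 10 guesses/minute behind a captcha or rate limiter


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def human(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.2f} {unit}"
    return f"{seconds:,.1f} seconds"


def table(lengths=(6, 8, 10, 12)):
    """One row per (charset, length): keyspace plus offline and online exhaust times."""
    rows = []
    for name, size in CHARSETS.items():
        for n in lengths:
            rows.append((name, n, keyspace(size, n),
                         human(seconds_to_exhaust(size, n, OFFLINE_RATE)),
                         human(seconds_to_exhaust(size, n, ONLINE_RATE))))
    return rows


if __name__ == "__main__":
    print(f"{'charset':<20}{'len':>4}{'keyspace':>28}{'offline 1M/s':>18}{'online 10/min':>18}")
    for name, n, space, offline, online in table():
        print(f"{name:<20}{n:>4}{space:>28,}{offline:>18}{online:>18}")
```

The first two rows reproduce the post’s 5.1 minutes and 7.98 days; the online column shows why a rate limiter, not the character mix alone, is what makes even a 6-character lowercase password impractical to guess against a live login form.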

Shorter passwords is a generalization.

Of course password length and character difference matters, but you should know beforehand not to use easy passwords but to mix characters.

Lastly, like you’ve mentioned, websites have captchas and IP rate limiters per account. Still, just like in any, for example, developing context, you should strive to protect your password as much as you can, as if the captcha and rate limiter weren’t present even though they are; think of it as developing a game with Hyperion anticheat present: it will lessen the odds of exploiters, but that doesn’t mean you shouldn’t be careful.

In conclusion, a shorter password with a mix of special characters would be, 99% of the time, less secure than a long password with a similar mix of special characters.

2 Likes

The reason for my post is to tell people to protect their emails since it’s becoming the tool used for any website (I mentioned natural selection as a joke, adaptation).

1 Like

This feature does not bypass 2SV by Authenticator App. You will still be required to input your code after the email OTP code if you have 2SV by Authenticator App enabled. If you are concerned about the security of your email provider, we suggest you review your security settings and adhere to their recommendations.

4 Likes

Thanks. This is an extension of our previous account recovery flows. Instead of having the user reset and remember a novel password, they can login and play with their friends.

2 Likes

If you have enabled 2SV by Authenticator App, then you will need to enter 2 different codes: 1) Email Login OTP Code 2) 2SV by Authenticator App Code.

If you have enabled 2SV by Email, then you will not need to enter 2 different codes. Your Email Login OTP Code is sufficient.

2 Likes

Roblox has multiple kinds of communications with users via email. You may have received an email notification for your login with IP information. To learn more, refer to the security email notification Dev Forum post here: Session Management & Security Email Notifications [Account Security]

2 Likes

I do not care if it still asks for 2FA, give us the option to opt out.

2 Likes

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.