Could you send me a link to this post/comments? I can’t see any staff response in regards to this, thanks.
Well, that is slightly debatable. If 2FA is still enforced, then realistically, as long as the authentication is done via an auth app, which Roblox recommends, there is not a major security reduction with this because you still have the authentication app. I mean it is still better to have password only to have better security, but your email itself has a password and the only issue is phishing attacks, but this could happen anyways.
There are plenty of people that don’t even use 2FA at all, especially younger audiences who don’t even know about account security that much; this would just open up an entirely new door to them.
We’re all here complaining because we understand the risks; most people here on the platform don’t.
In fact, I’d assume the majority of people on Roblox don’t even read the devforum all that much, if any, so they’re not even aware this is becoming a new way of entry into your account by bad actors.
This feels like a massive security flaw… Someone just needs my email to have complete access to my house. I know password resets exist, but a password reset notification is much more obvious than something like that which can be set off by a number of factors. Correct me if I’m wrong here.
Can this be disabled? Great if you want to actually use it, but it needlessly opens another avenue of attack for everyone else, and I would feel safer if this was opt-in.
What is the issue?
It’s a pretty quick way to log in (I used this in Studio where there’s no Google auto-fill, cough).
I don’t see it as a big security flaw either; if they have access to your email and authenticator (if you use it), they can easily steal your account nonetheless.
Yeah, social engineering is a thing, but I think that if someone actually gives a stranger a code that literally says that it is a log-in code, then they would’ve got phished by a different method anyway.
(and God, this update received a lot of criticism; I feel bad for the staff)
Are there any talks or plans about an account manager/switcher? A perfect example is the account switcher Discord has.
What I am talking about is being logged into multiple accounts at once, and once I’d like to, I could switch accounts in one click (without any authenticator codes or email codes, as I am already logged into both accounts).
This would be one of the last popups a user sees before sending their email + code to a potential attacker, so it seems fitting that we should let people know they should treat this code discreetly.
I think they meant specifically if it also circumvented 2FA (which apparently still requires 2FA, so their email would be shot, but their Roblox account would be fine assuming password resets still require 2FA as well).
Forgot about that detail. Hmmm.
My main point was about this paired with 2FA. For email 2FA, I guess this just shows how weak email-based 2FA is. Not sure why I didn’t test before posting (will edit my post), but I can confirm that the email code does not bypass the authenticator app 2FA (this is intended).
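The thread ends on two properties of an email-code login: it should be opt-in, and a valid email code must never stand in for an enrolled authenticator app. The model below is an added example written for this discussion; it is not Roblox’s code and does not describe how Roblox implements the feature. The account fields, the 10-minute code lifetime and the `evaluate_login` decision function are assumptions made for illustration. The authenticator side is standard RFC 6238 TOTP so the check can be verified against the RFC’s own test vector.

```python
"""Toy login policy: emailed code + optional authenticator app.

Added example, not Roblox code. Field names, the opt-in flag and the
EMAIL_CODE_TTL value are assumptions for illustration only.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

EMAIL_CODE_TTL = 600   # seconds an emailed code stays valid (assumed value)
TOTP_STEP = 30         # RFC 6238 time step
TOTP_DIGITS = 6


@dataclass
class Account:
    email_login_enabled: bool = False      # hypothetical opt-in switch
    totp_secret: Optional[bytes] = None    # set when an authenticator app is enrolled
    email_codes: Dict[str, float] = field(default_factory=dict)  # code -> expiry time


def issue_email_code(account: Account, now: float) -> str:
    """Mint a single-use 6-digit code and remember when it expires."""
    code = f"{secrets.randbelow(10 ** TOTP_DIGITS):06d}"
    account.email_codes[code] = now + EMAIL_CODE_TTL
    return code


def redeem_email_code(account: Account, presented: str, now: float) -> bool:
    """Consume a live code: expired codes are dropped, comparison is constant-time."""
    account.email_codes = {c: exp for c, exp in account.email_codes.items() if exp > now}
    for code in list(account.email_codes):
        if hmac.compare_digest(code, presented):
            del account.email_codes[code]  # single use
            return True
    return False


def totp(secret: bytes, now: float, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the value an authenticator app displays."""
    msg = struct.pack(">Q", int(now // step))
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, presented: str, now: float) -> bool:
    """Accept the current step or one step either side to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, now + d * TOTP_STEP), presented)
               for d in (-1, 0, 1))


def evaluate_login(account: Account, now: float, email_code: str,
                   totp_code: Optional[str] = None) -> str:
    """Decide an email-code login attempt: 'allow', 'need_authenticator' or 'deny'.

    The invariant the thread confirms: a valid email code never bypasses an
    enrolled authenticator app. The email code is consumed here; in a real flow
    the app prompt would follow in the same session.
    """
    if not account.email_login_enabled:
        return "deny"                        # feature is opt-in in this model
    if not redeem_email_code(account, email_code, now):
        return "deny"                        # wrong, expired or already-used code
    if account.totp_secret is not None:
        if totp_code is None or not verify_totp(account.totp_secret, totp_code, now):
            return "need_authenticator"      # email alone is not enough
    return "allow"


if __name__ == "__main__":
    # Constructed demo: authenticator enrolled, email login switched on.
    secret = b"12345678901234567890"         # RFC 6238 test secret, not a real key
    acct = Account(email_login_enabled=True, totp_secret=secret)
    t = 1_700_000_000.0
    code = issue_email_code(acct, t)
    print("email code only  ->", evaluate_login(acct, t, code))
    code = issue_email_code(acct, t)
    print("email + app code ->", evaluate_login(acct, t, code, totp(secret, t)))
    print("replayed code    ->", evaluate_login(acct, t, code, totp(secret, t)))
```

Run it as a script to see the three outcomes: an email code alone stops at `need_authenticator`, the same code with a matching app code is allowed, and replaying the consumed code is denied. The `totp` helper can be checked against RFC 6238 Appendix B, where the secret `12345678901234567890` at T=59 gives `94287082` (eight digits), so the six-digit value is `287082`.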