Introducing Login with a One-Time Code

Yes it does. The mail with the code might include “do not share”, apart from it being clearly obvious that “Login with a one-time code” is exactly to log in, not the typical phishing of a password to verify, etc. This is pretty obvious.

Well, imagine you’re at someone else’s house or on a school PC, etc., and you gotta log in. Even though there’s the option to “do not save” the password upon logging in, cookies are there, and there are ways of actually finding the password even though you clicked not to.
Due to this, making it a secure process of encryption with a one-use-only password (OTP) makes it easy and secure to log in on someone else’s PC using the OTP. Just bring your phone to receive it.

1 Like

Uhhh… No thanks?

Our accounts are now vulnerable to trollers because of this.

EDIT:
This is available for all accounts now.

2 Likes

99% of devforummers don’t read posts, including you (sadly this forum and the talent hub are full of children, not directed at you though). This algorithm creates a one-time password and doesn’t introduce any vulnerability. In fact, it’s helpful so you don’t type your password on unknown computers, because that password is kept forever and there might be a keylogger (keep in mind they could simply store your cookie, but that’s your fault since you should know which computer to access and have common sense).

The only real security risk is if you are showing your inbox to other people while the one-time password is still active (hasn’t been used and the time limit isn’t reached). This, however, doesn’t have anything to do with the algorithm, simply Roblox’s fault for not hiding the code a little bit better in your inbox.

Password managers, at least application ones, could be malware. Not only that, but everybody should be saving passwords and that typical information in the cloud (such as Google autofill).

Also,

please use connectors, my brain had mental damage ngl.

Shorter passwords are less secure and easier to crack / guess. Email is getting more important over time and passwords are slowly getting deprecated. Email methods are faster and safer, without the need to remember a password. It also globalises all your accounts on all websites, which means you can simply access any of your accounts with an email (OAuth2). “Email is the new meta”

Protect your emails if you don’t like the new natural selection.

1 Like

I never said anything about vulnerabilities.

Why would you log in to your Roblox account on an unknown computer?

I clearly said you should be cautious of logging in with your Roblox account on other computers. Still, my point was NOT whether you should do it or not. My point was that IF YOU WERE TO DO SO, it’s safer to use a one-time password than your actual password.

Also,

when was I talking about just you?

I definitely stated:

In conclusion, most of the replies here talk about vulnerabilities, when there are none. A minority talks about the feature being useless and just being a junk addition; they have a point and their opinion should be respected, but it’s a fact that this feature is good for those who want to avoid the things I mentioned, such as keyloggers or remembering passwords while having long ones (even though you could use Google autofill), and some other things I might not have mentioned.

What? How are they vulnerable?

1 Like

If you have email verification enabled, you have to get two codes from it. I think that should get fixed.

1 Like

Haven’t tested it, but it’s kinda funny that they forgot about 2FA through emails yes.

1 Like

Let’s see…

@VSCPlays says it all for you.

1 Like

That’s not a vulnerability. If you send your login code to someone or don’t protect your email, that’s your problem.
His account did not get “hacked”; someone logged in because he isn’t careful.

3 Likes

In my opinion, this update is one of the most unsatisfactory ones to date. It introduces a vulnerability whereby hacking accounts becomes significantly easier, as individuals can now access their accounts by simply entering an email code, without the prior requirement of a password. Instead, I propose that an alternative option be implemented, wherein users can opt for an authenticator code, which would greatly enhance the overall security measures in place.

Oh my god, this thread is literally a children’s playground.

Either way, I don’t see this being a really big security risk.
Just don’t download suspicious stuff! It’s that easy to avoid if you have common sense.

This feature doesn’t bypass 2FA, so if he got his account hacked that’s his own fault.

2 Likes

How is this stopping account hackers? This is only adding a new way to log in. It may as well be another way for hackers to get into accounts.

3 Likes

This will be useful to a lot of people. Good job Roblox!

Users with e-mail 2FA get both the login one-time code and the 2FA one-time code. This means that the Roblox account’s password is not needed to log in at all, only access to the e-mail inbox.

Of course, this changes nothing for the worse because you could just request a password reset to get into the account without the password, so e-mail 2FA has been 1FA all along.
If you’re the type-a’ guy who already does that every time[1], then you have it better now and it’s not easier nor harder to beam your account.

As pointed out above in the thread, if you have actual 2FA, such as with an authenticator app, you can access your e-mail through your phone and log into a library computer that might have a general-purpose keylogger (but not a cookie logger, let’s assume) on it without writing your password. A burglar still needs both your 2FA app and access to your e-mail and not your password because of the password reset functionality.

(I just realized that, in the above case, all you need to log in to a Roblox account is your phone: request a password reset or OTC login, get email, use authenticator app, you’re in. This is assuming your phone is already logged into the e-mail account/has the credentials, which it often is.)

Of course, said library computer keylogger might harvest your e-mail address and give an attacker something to break into, and boy are some of these easy to break into.

In conclusion, do not allow any application to remember your e-mail account’s password and never use one e-mail account to register with more than 3-4 services.

[1] YES, some people really do just ignore their passwords and use a password reset to log in every time, in fact this is MORE secure than a password.

3 Likes
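The properties the thread keeps coming back to (a code that is single-use, expires, can’t be brute-forced, and replaces the password but not the second factor) are easy to state but easy to get wrong server-side. The block below is an added illustration, not Roblox’s code: a hypothetical `OneTimeCodeService` with an assumed 10-minute lifetime and 5-guess budget, plus a `login` helper showing that the code only stands in for the password.

```python
import hmac
import secrets
import hashlib
from dataclasses import dataclass

CODE_TTL_SECONDS = 10 * 60   # assumed lifetime; the real value is not given in the thread
MAX_ATTEMPTS = 5             # assumed guess budget per issued code


@dataclass
class IssuedCode:
    digest: bytes            # SHA-256 of the code; the plaintext only goes out by e-mail
    expires_at: float
    attempts: int = 0
    used: bool = False


class OneTimeCodeService:
    """Issues and verifies e-mailed login codes (hypothetical example service)."""

    def __init__(self) -> None:
        self._codes: dict[str, IssuedCode] = {}

    def issue(self, email: str, now: float) -> str:
        code = f"{secrets.randbelow(10**6):06d}"      # six digits from a CSPRNG
        digest = hashlib.sha256(code.encode()).digest()
        self._codes[email] = IssuedCode(digest, now + CODE_TTL_SECONDS)  # replaces any older code
        return code                                    # returned only so it can be e-mailed

    def verify(self, email: str, candidate: str, now: float) -> bool:
        rec = self._codes.get(email)
        if rec is None or rec.used or now > rec.expires_at:
            return False                               # unknown, replayed or expired code
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            rec.used = True                            # burn the code after too many guesses
            return False
        ok = hmac.compare_digest(hashlib.sha256(candidate.encode()).digest(), rec.digest)
        if ok:
            rec.used = True                            # single use: the same code never works twice
        return ok


def login(svc: OneTimeCodeService, email: str, candidate: str, now: float,
          second_factor_ok: bool) -> bool:
    """The one-time code replaces the password step only; 2FA is still evaluated after it."""
    if not svc.verify(email, candidate, now):
        return False
    return second_factor_ok
```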

This login method does not bypass 2FA.