Honestly, I don’t like this update. I cannot post my work in this format - [Group Name] + [Role] and you cannot post images of your work so if you are willing to hire someone you can’t see their work and verify if they are legit or not. I use my Dev Forum Portfolio to get into so many positions and I don’t want that gone as I have saved screenshots in different places.
I would like to verify certain things. With the new Hub rolling out, will existing Dev Forum Portfolios be deleted? What will happen to the current Dev Forum? Will it be only for posting work?
In the settings of Talent Hub, I can’t change to view content posted by all creators. To do so it says I need to turn off account pin… does ROBLOX really want us to disable security features or something?
Once again, as it’s been stated by Roblox staff themselves, Account PIN is a parental setting, not a security option and it provides as much security as jumping off a plane without a parachute.
I mean… if someone cookie logs me, an account pin can protect me from the cookie logger changing any of the important details and won’t be able to steal the account.
They only need to make ~5k random guesses to get your PIN on average; this is easily automatable.
PIN is a parental safety feature and not a proper security feature. Roblox is working on TOTP 2FA (e.g. Google Authenticator app or other TOTP-enabled app) instead which you’ll want to use instead of PIN. PIN only has 4 digits of entropy which is nothing.
They should release proper 2fa and the ability to at least lock certain account actions (like a pin) behind it before deleting collaboration then. 2fa or not, if it doesn’t prevent damage from cookie logging in some way it’s still useless. Security is only as strong as your weakest link. The weakest link right now is cookies. Currently, in order for me to sign in, I use a long password, and I must verify a code that I get from my email. My email is locked behind 2fa directly to my phone. My phone also is locked behind a pin number that has a rate limit on it. This is the strongest way to get in. But you can bypass all of that by using their cookie. If their 2fa is just another face at the front and doesn’t even protect the back, then adding it is pointless. If Roblox can add 2fa and fix their session data to better prevent cookie logging then I’m all for removing my pin and using 2fa instead.
But Roblox’s security is probably the worst I’ve ever seen. Fixing a cookie logging issue could be as simple as this: when the player first logs in and generates this cookie, store the IP they generated it from on the server. Then check against this IP when they do certain actions, and prevent them from doing them when it’s different and sign them out. Is this a perfect solution? No. If they don’t add proper multi-session support, logging in from multiple places could be annoying. They really need to fix their security problems though. I mean, to access the API you need to use this cookie. API keys have been a standard since before I can remember… They have their own rate limits, and if they’re breached, resetting them is incredibly easy (on most sites that offer an API). But most of the time the only way they can be breached is if you accidentally leak it yourself.
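The IP-bound session check proposed in the post above, as an added illustration that is not part of the original thread and is not how Roblox actually implements sessions: a toy server-side session table (hypothetical `SessionStore` class, constructed sample IPs) that records the login IP, checks it only on sensitive actions, revokes the session on a mismatch, and keeps each login as its own session so several devices can stay signed in at once.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict

@dataclass
class Session:
    user: str
    bound_ip: str       # IP address the session cookie was issued to
    revoked: bool = False

class SessionStore:
    """Hypothetical server-side session table (added example, not Roblox code)."""

    def __init__(self) -> None:
        # Keyed by a hash of the cookie value, so a leaked table does not leak usable cookies.
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, client_ip: str) -> str:
        """Every login creates its own session bound to its own IP (multi-session friendly)."""
        token = secrets.token_urlsafe(32)   # the cookie value handed to the client
        self._sessions[self._key(token)] = Session(user=user, bound_ip=client_ip)
        return token

    def authorize(self, token: str, client_ip: str, sensitive: bool) -> str:
        """Returns "ALLOW", "DENY" (no valid session) or "REVOKED" (IP mismatch on a sensitive action)."""
        session = self._sessions.get(self._key(token))
        if session is None or session.revoked:
            return "DENY"
        # Only sensitive actions (email/password change, payouts, ...) are bound to the login IP;
        # ordinary browsing is left alone, which is the trade-off the post describes.
        if sensitive and session.bound_ip != client_ip:
            session.revoked = True            # "sign them out": the stolen cookie is now dead
            return "REVOKED"
        return "ALLOW"

def demo() -> list:
    # Constructed sample IPs from the RFC 5737 documentation ranges.
    store = SessionStore()
    home = store.login("alice", "203.0.113.10")
    phone = store.login("alice", "198.51.100.7")          # second device, second session
    return [
        store.authorize(home, "203.0.113.10", sensitive=True),    # ALLOW
        store.authorize(phone, "198.51.100.7", sensitive=True),   # ALLOW
        store.authorize(home, "192.0.2.99", sensitive=False),     # ALLOW (not a sensitive action)
        store.authorize(home, "192.0.2.99", sensitive=True),      # REVOKED (cookie replayed elsewhere)
        store.authorize(home, "203.0.113.10", sensitive=False),   # DENY (session now revoked)
    ]
```

Mobile carriers and VPNs change client IPs routinely, so a real deployment would need a re-authentication step rather than a hard sign-out to avoid locking out legitimate users.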
Basically 2fa won’t matter until that problem is fixed, because if you can bypass it then what’s the point. Currently signing in or cookie logging looks like this. If all 2fa does is add another point along the main path and does nothing about their cookie logging problem, then adding it won’t really help because the weakest link is still weak.
There’s only one path that will log you in if you don’t cookie log, and that already has an amazing amount of steps for security. The problem is cookie logging is just a bypass to all of this. I’m not saying 2fa is bad, I’m saying Roblox’s security sucks. I support them adding proper 2fa. I also support them fixing their awful sessions.
They use the same algorithms/principles probably (TOTP). Very strange statement for that reason; you’ll have to elaborate what you mean, but my suspicion is you don’t fully understand what you’re talking about. I hope you don’t think Google Authenticator stores the keys/tokens in the cloud; they’re only on your local device.
This is what I’m already saying in my post – not sure if this needed such an elaborate reply. You’ll probably want to post all that security feedback on a more appropriate topic where it has more visibility.