The problem with the way things are now
Unfortunately, Roblox hasn’t provided us with an actual single sign-on API, so I along with many other users with similar services must resort to verifying users in the following ways:
The user places a code that we generate in their profile, and we check for it. Previously, this worked flawlessly (however was typically a major inconvenience for the user). However, with Roblox’s new filter updates, most users can’t reliably use this method anymore. I’ve even changed my systems to use strings of normal words (like “dog, cat, panda, tiger, cat” etc) but even that gets filtered sometimes. Additionally, this makes the codes very long which in turn makes users have to delete their actual Bio to put this code in. Very user unfriendly.
The user joins a game and enters a code or clicks a button. This presents a major security risk because with every new Roblox place leak, it presents the opportunity for your web APIs and endpoints to be leaked to the public, essentially rendering your verification system pointless since anyone could verify as anyone. It’s possible to make this method more secure by actually checking if the given user is in the game, but it’s still not fool-proof.
The developer creates a bot account that does some action on the Roblox website, typically dealing with PMs, friend requests, or assets. This method is flawed because it runs the risk of the bot getting rate limited by Roblox itself, the bot getting banned by Roblox for being a bot or spamming, etc. Additionally, this method can be insecure because the user might interact with the bot without even knowing they are a bot. For example, some bots will send a friend request to the user to verify them if they accept it. This is bad, because some users might just accept all friend requests they get.
So, we’re left here, with no good way to actually know who somebody is without using the absolute worst method possible: Asking for their username and password. Some websites actually do this. This is terrible for obvious reasons.
What Roblox can do to fix it
So, what can Roblox do? Well, I’m sure everyone has used single sign-on before. Ever seen anything that says “Sign in with Facebook”, “Sign in with Twitter”, “Sign in with Discord”, etc? It’s standardized, trusted, and secure. All of these big websites provide this service because it creates a win-win-win situation: the user’s account and information is safe, the website gains publicity and more users, and reduces the amount of accounts stolen or phished, and the developer gets to use the website and account details on their own application.
What’s more? There’s already a protocol in place for this: OAuth 2.0. It’s not hard to implement, and users have asked for this feature in the past, but there hasn’t been much feedback or support whatsoever.
It is in Roblox’s best interest, and their users’ best interest, to implement this feature as soon as possible. If this feature was implemented, it would be used by thousands of users every day. It would be amazing for myself and other creators of third-party tools, and it would protect users from account scams, and it would strengthen Roblox as a whole. This is a very important feature that the website is missing!
Thank you for your time.