You have to consider developer created systems, backwards compatibility, developer reaction, and the cost of it. The analysis has to give a considerable benefit to tell the engineering team to proceed with implementation. When we consider the variables above, there isn’t any.
That’s so disappointing, most web developers and project planners would jump with joy being able to use a feature for multiple purposes with little effort. Why purposefully lock out access to a feature from most users for no reason?
Wouldn’t it be cool if you could select only specific experiences as allowed?
My brother once installed Roblox for my nephew, but there were so many random games that he couldn’t block them all, and he didn’t want my nephew even discovering them in the first place.
So why not let parents manually add the games that are allowed, and hide everything else?
You’d probably gain at least one new Roblox player from this, my nephew!
Yes, very good update! Roblox doesn’t want to get around responsibility, rather add an additional layer of protection for the child… A parent is a child’s first level of defense; they should be on the platform the same way they would be on a bike ride with their child. Furthermore, once parents start playing Roblox, it brings even more revenue to our platform.
Yes, I agree, I think it would be very helpful to have another category for parents to decide when their child can access certain things. The doors should not be wide open at 13, they aren’t adults yet and every child develops differently & different families have different values. Maybe in the future there could be an additional layer of rules that helps parents decide, even after 13, what kids can/can’t do. Thank you for bringing this point up!
Amen to this! Thank you for your passion for family values & children’s safety!
They should then talk to their children to explain that they don’t want them to play a certain game.
That’s a ridiculous argument - not every family functions that way.
Sure they aren’t, but Roblox should have these types of features regardless - a lot of games have these and aren’t limited to 13+.
It’s not really about whether the family functions that way or not, but rather that at over 13 years of age the kid will be smart enough to simply create a new account.
Still a ridiculous argument. Even at 13 years of age, they haven’t fully matured and their brain is still growing.
Parental Pins are not a sufficient line of defence against token logging. In general, these tokens are grabbed through phishing links and malicious content that the individual interacts with, which is outside ROBLOX’s scope of security. As you know, the biggest vulnerability to any system is humans. This is why companies normally perform regular phishing tests on their employees to reduce any risks of a successful phishing attack, which puts the responsibility on the employee (an individual in general).
Financial institutions and companies in general auto-sign you out after a session timer or inactivity, which revokes your token to access the account. This is commonly seen in banks, or ThinClient devices, which support the network’s security. However, this is impractical for most Roblox users as this level of security is not necessary, as they are extremely unlikely to be targeted for a phishing attack.
It is your responsibility to employ your security policies for protecting your account. ROBLOX already employs industry standard security measures, and provides security controls for users, which you can read here: https://en.help.roblox.com/hc/en-us/articles/18765146769812-Account-Session-Protection
ROBLOX is a leading platform in the multiverse and it is increasing in creators and daily users. Hiring moderators is an extremely ineffective solution and will fail. In 2023, ROBLOX evaluated over 300 million assets (2. Roblox Combo Book (002)) that were uploaded by creators and went through automation and manual checks, which is something humans alone cannot moderate.
As mentioned in their 2024 Shareholder Letter (available at corp.roblox.com, 1. Quarter 4 Shareholder Letter 2024), they are planning to introduce more safety products and policies. This means that more machine learning and automation moderation systems must come into place due to the increasing demand for data being processed and stored.
For example, automation is used in voice chat, where there are extreme levels of data collection and processing in place. ROBLOX uses the systems in place to understand if users are breaking the Terms of Service and, once the data has been processed, swiftly deletes it due to COPPA and local data protection regulations. They may store it short-term, but we don’t fully know that since I haven’t read their Privacy Policy in a bit of time.
ROBLOX has teams around the world that act as moderators on the platform and go through reports submitted by players or government organisations. By regulation, ROBLOX is required to submit audited information of high-level reports to the European Union under their Digital Services Act. This includes information about the notices submitted, and as indicated by reference 3, many reports have to be manually checked and passed through local government agencies.
Not only do they have to raise these reports, but they have to contact partnering agencies for safeguarding, investigating, and ensuring that the victims are protected. These types of reports are what ROBLOX needs to prioritise, otherwise they may not be able to continue providing their services in the European Union. Additionally, they take a lot of time, and no amount of moderators being hired will solve any issue.
[1] Roblox, Quarter 4 Shareholder Letter 2024
[2] Roblox, Combo Book (002)
[3] Roblox DSA Transparency Report Data 2024
[4] Roblox DSA Transparency Report Data 2024 - Types of content categorised
This is less of a developer thing and more of a player thing. I think the point is that parents can block specific people and experiences they don’t want their child on. I know for sure this would’ve helped for some of my relatives banning a certain game for their children on the platform. If parents see that they have these controls, they might allow their child to play Roblox.
Basically, I don’t think this is trying to solve moderation issues.
Blaming the user for something that isn’t their fault nor easily defended against (nor at all, zero-day attacks exist) to excuse a needless removal of a protective measure (while not actually specifying why you think it’s not a sufficient defence, a hollow argument) is inhumane, to put it lightly.
The pin was the only way to change account settings, regardless of a token being hijacked you could NOT update the settings to lock the true owner out without the pin. They are not a direct defence against token hijacking but a defence against a token hijacking being a game over scenario as the pin prevents the hijacker from changing your account username, password, or anything else. It was a very simple yet extremely effective solution for improving security, and why it was removed is beyond me.
I find your reply to be extremely disappointing and very blind-sided and victim-blame-y, please reconsider replying in such a manner to people.
Never blame the user, blame the system for not adequately protecting them against mistakes (or influencing / causing them outright).
I do apologise for my manner, and I understand your frustration.
While a 4-digit PIN is some form of security for accounts, it is not. As you know, human minds think in patterns and memorable information - this means that a 4-digit pin that you set with no time constraints can easily be guessed through social engineering. Research from the University of Cambridge has constructed data models that demonstrate this.[1]
I’m slightly confused at your initial argument, as you know ROBLOX adopted an industry standard security measure known as 2 Step Authentication. This is far superior to a user-chosen 4-digit PIN. The general idea behind 2 Step Authentication is that it provides a truly random-generated 6-digit code that is reset every 10-30 seconds. This is much more secure and extremely difficult to near impossible to crack. An example of this is Cloudflare: they have a truly random key generation made out of lava lamps (which is amazing!); their service is critical to the internet infrastructure, and they are a high-level target for attacks from foreign governments and hackers. However, due to a truly random key, most attacks don’t make it past the first wall of protection.
Two-step authentication protects your account entirely; you cannot, for example, change your email, username, transfer ownership, spend community funds, or any high-level action without being prompted to type in a code that only your user devices have.
Roblox has also adopted passkeys recently, which means you can insert a physical USB or have your keys saved on your device to log in. Your argument lacks research, as it is evident ROBLOX has replaced a failing and insecure system with modern-day security implementations.
Your mention of zero-day attacks is correct. However, zero-day attacks occur when there is some sort of vulnerability that the ROBLOX engineers missed out on, which is extremely unlikely. As you know, ROBLOX is a multi-billion-dollar company that is on the public market. They have the resources to hire external white hackers to test their systems and infrastructures, and have their own Hackerone page (a site dedicated to white hackers finding vulnerabilities in exchange for cash)[2]. It has been successful, and many vulnerabilities have been patched with this program.
It is impossible for a large-scale zero-day attack, due to modern-day datacentre technology and policies by data regulators on how they should store data. If an account is affected by a zero-day attack, ROBLOX will revert any actions made and recover the account, hence why they have a pending transaction period if an unauthorised individual makes purchases from your account. It is also highly illegal to conduct zero-day attacks, and most of the people who conduct these will get caught due to the sensitivity of ROBLOX’s data, where government agencies will be involved.[3]
Never blame the user, blame the system for not adequately protecting them against mistakes (or influencing / causing them outright).
With the points mentioned above, ROBLOX has adequate protection. Anything outside their scope does not fall under ROBLOX’s responsibility, and they have implemented a protection that is appropriate for their business model.
[1] Cambridge University, The Security of customer-chosen banking PINs
[2] Roblox Hackerone Bounty Page
[3] BBC Article, GTA 6 Hacker
Don’t worry about it, it happens.
While yes, 2FA is a thing on Roblox and is immensely necessary, token hijacks still bypass it (at least when I last heard about it), but provided you do not share or reuse it elsewhere, a PIN that is required to change user settings is still very valuable, although in reality it should’ve supported the same length and characters as actual passwords to last a meaningful amount of time against brute-force attacks.
The point that I am trying to make is that no level of conscious effort to improve security can stop zero-day attacks and unknown attack vectors like that. Viruses and scams do not only affect the stupid, everyone will fall for one eventually. But provided you do not share the PIN, it ensures your account is secure.
Also, zero-days are not exclusive to Roblox; a zero-day in a program or the OS that users use can result in a virus getting onto the system and getting the login token (and it’s far from unheard of), which is primarily what I was referring to. Also, hijacking of other services, such as the creator of a mod for a game that allows mods to run scripts, can result in malware on a system (something completely unavoidable and near impossible to be aware of in advance of the attack doing its job).
Roblox is not known for its ease of communication with a real human, so while yes, Roblox could roll back any problems from a hijacker, the ability of an account owner to contact a human at Roblox, let alone convince them to help them, is much, much lower than the chance of an attack itself. (Note every instance of people only getting their accounts back after contacting a popular Roblox developer or content creator.)
I don’t disagree with the points you make, but expecting the minimum or industry standard when those are often flawed or not sufficient for many users (such as developers or other high-profile users) doesn’t help anyone, especially as the industry standard will only be raised when better methods are actually adopted despite their non-standardness.
While yes, 2FA is a thing on Roblox and is immensely necessary, token hijacks still bypass it (at least when I last heard about it),
Two-step authentication is not bypassable. A token grants you authentication to ‘act’ as the account; however, with a high-level action, it requires you to enter a code, which is used to authenticate the request. Think of it as your house, where your token is the house key. You can enter and leave your house with the key, but if you wish to sell your house, you need to provide identity documents and other materials that someone else cannot provide physically (unless they’ve dedicated years to forging your identity).
I believe someone was providing you with false information regarding it.
The point that I am trying to make is that no level of conscious effort to improve security can stop zero-day attacks and unknown attack vectors like that. Viruses and scams do not only affect the stupid, everyone will fall for one eventually. But provided you do not share the PIN, it ensures your account is secure.
Also, zero-days are not exclusive to Roblox; a zero-day in a program or the OS that users use can result in a virus getting onto the system and getting the login token (and it’s far from unheard of), which is primarily what I was referring to. Also, hijacking of other services, such as the creator of a mod for a game that allows mods to run scripts, can result in malware on a system (something completely unavoidable and near impossible to be aware of in advance of the attack doing its job).
Understandable, however, this is outside the scope of ROBLOX. Legally, ROBLOX has no responsibility to provide security measures that it cannot directly prevent. The blame is put on the company responsible for allowing the vulnerability. However, ROBLOX has provided guidance and information on account safety, along with prompts and general leaflets that are available online.
I can assure you ROBLOX is a safe platform. As you know, it is a platform filled with minors where data protection is critical, and unauthorised access can be catastrophic to the company.
I would also like to share why ROBLOX is doing so much about parental controls and safety. In October, a research report was made by Hindenburg (Roblox stock drops after Hindenburg Research short report) which dropped their stocks significantly and investors were selling. One of their points was how unsafe ROBLOX was to children and the level of child exploitation there was on the platform.
As any company would do, they rushed to engineer products to ensure they have proportional protection in place, such as parental controls, for damage control. They’ve successfully done this, and have been able to increase their market value - otherwise, the ROBLOX board of directors might have voted in a new Chief Executive Officer.
industry standard when those are often flawed or not sufficient for many users (such as developers or other high-profile users) doesn’t help anyone,
In theory, these implementations are perfect and are appropriate for ROBLOX’s business model. As you know, Roblox has millions and millions of daily users, and designing a convenient security system that is effective for every age group and demographic is important. We could apply certain identity checks, such as letters addressed in your name, to prove your identity (which financial institutions are required to check before opening an account) - however, that’s an inconvenience for the players.
Social engineering is unfortunately the most significant way unauthorised individuals access accounts, and this can only be prevented with education and general awareness. This affects every age group, and even businesses. These methods get smarter and smarter each day, and there isn’t much that we can do about it.
Roblox is not known for its ease of communication with a real human, so while yes, Roblox could roll back any problems from a hijacker, the ability of an account owner to contact a human at Roblox, let alone convince them to help them, is much, much lower than the chance of an attack itself. (Note every instance of people only getting their accounts back after contacting a popular Roblox developer or content creator.)
If you have a verified email on your account, and your email was changed, you can revert it with their page easily. However, it is up to individuals to have phone numbers, emails, and the necessary information on their account (excluding PII like billing information) to make a swift recovery. Sadly, ROBLOX isn’t required to investigate accounts without verifiable information to verify the creator, as anyone can make a request, and socially engineer their way in as discussed above.
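The step-up model argued for in the reply above (a session token is enough to "act" as the account, but high-level actions demand a fresh code), as an added Python example that is not code from the original post or from Roblox. The code is an RFC 6238 time-based one-time password derived from a shared secret and the clock; the secret is the RFC test vector, and the token, user and action names are constructed for the demo.

```python
import hashlib
import hmac
import struct
# Actions that need a fresh second factor even when the session token is valid.
SENSITIVE_ACTIONS = {"change_email", "change_password", "transfer_ownership"}
STEP_UP_WINDOW = 300  # seconds a verified code keeps the session "stepped up"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    return hotp(secret, now // step)  # RFC 6238: counter = 30 s steps since the epoch

def verify_totp(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    # Constant-time comparison; accept one step either side to absorb clock drift.
    return any(hmac.compare_digest(totp(secret, now + d * step, step), code)
               for d in (-1, 0, 1))

class AccountService:  # server side: the token authenticates, sensitive actions step up
    def __init__(self, totp_secret: bytes) -> None:
        self.totp_secret = totp_secret
        self.sessions = {}  # token -> time of last verified code (None until one is seen)

    def login(self, token: str) -> None:
        self.sessions[token] = None

    def request(self, token: str, action: str, now: int, code=None) -> str:
        if token not in self.sessions:
            return "denied: unknown token"
        if action not in SENSITIVE_ACTIONS:
            return "ok"  # the bearer token alone is enough for ordinary actions
        stepped_up_at = self.sessions[token]
        if stepped_up_at is not None and now - stepped_up_at < STEP_UP_WINDOW:
            return "ok"
        if code is None or not verify_totp(self.totp_secret, code, now):
            return "step-up required"  # a token presented without a valid code stops here
        self.sessions[token] = now
        return "ok"

def demo() -> dict:
    # Constructed values: the RFC 4226/6238 test secret, a fixed clock, a made-up token.
    secret, token, t = b"12345678901234567890", "tok-abc", 59
    svc = AccountService(secret)
    svc.login(token)
    return {
        "play": svc.request(token, "join_game", t),
        "token_only": svc.request(token, "change_email", t),
        "right_code": svc.request(token, "change_email", t, totp(secret, t)),
        "within_window": svc.request(token, "change_password", t + 60),
        "after_window": svc.request(token, "change_password", t + 600),
    }
```

The check lives entirely on the server, so whoever holds only the bearer token gets "step-up required" for the sensitive actions until a code from the registered authenticator is presented.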
We can only hope this is the case, there is no guarantee. All companies are hopping on the AI hype train.
Yeah, I suggested this idea in another topic, cuz the women’s chest accessories can be inappropriate.
Are you sure? Because if it did, then why are there still extremely inappropriate users, avatar items and games?