Please Don't Use Phone Numbers for Anything

As a Roblox developer, it is currently too hard to keep my account secure.

Over time Roblox has been implementing more and more features utilizing or being locked behind phone numbers. Signing in via phone number was shown in today’s RDC keynote as the next feature to do so.

Phone numbers are an insecure method of authentication because they were never designed for that purpose. The SIM cards that control access to these phone numbers can be cloned or swapped to remotely steal a user’s phone number.

Service providers have been doing their best to patch these security flaws, but a SIM swap can still be outsourced for just a couple thousand dollars. This is absolutely worth the price to a bad actor in exchange for gaining access to any developer’s account worth potentially millions. SIM swaps are not going anywhere anytime soon and we should not be placing the security of our accounts on them.

Please stop developing features that utilize phone numbers.

If Roblox is able to address this issue, it would improve my development experience because my account would have fewer attack vectors.

108 Likes

Wholeheartedly agree. I welcome any changes that can help us secure accounts even more, but I don’t think that having a phone number be the safety guard is it. Why has Roblox not learned from the SIM swapping of 2020?

12 Likes

I do not feel comfortable using my phone number to secure my account; I don’t even like providing it in my account. Phone numbers get recycled all the time. SIM swapping is a thing. Phone numbers are NOT and by design are never going to be suitable for this purpose. :confused:

28 Likes

I’d like to verify my account fully, but the problem is…

  1. I don’t want to give a third party or Roblox any personal identification as I am immensely uncomfortable with that.
  2. I don’t want to tie a phone number to my account just to be able to access more features, at the cost of putting my account further at risk due to malicious actors.

Uploading audios is a thing I do often, and if it weren’t for the 2000 audio limit I received as a developer, I would be in a very frustrating and tiring spot.

8 Likes

100% agree. I say this as someone that has a hardware security key. Phone number verification is not secure.

6 Likes

Fully agree. Phone numbers should never be used for authentication.

5 Likes

Phone Numbers were designed to identify phones and then ring them or send messages. Nothing else.

There’s no cryptographic authenticity in them, since the SIM holding the phone number can easily be swapped to another one by social engineering the SIM provider.

Instead of developing phone-based authentication, why not support HOTP 2FA?

11 Likes

Please stick to 2FA authentication instead of mobile phone number authentication. You are not understanding the risks of adding this, it’s a complete downgrade to Roblox security.

3 Likes

A big “work around” is to use virtual phone numbers, but, even this is makeshift.

I forgot I was using Google Voice, and in a few months they recycled my number before needing it again, to my surprise. Big security risk. Same with my best friend.

3 Likes