2SV is bypassed with cookies because otherwise every time you loaded a page you’d have to log in again. Cookies are what keep you logged into the site. The problem is that ROBLOX doesn’t verify that it’s you who’s using the cookie. They could check IP, but that changes too frequently on mobile devices, so you’d end up with the same issue of having to log in whenever you loaded a page.
Though, something that could be done is giving the IP a little wiggle room, so even if it changes, as long as it’s sensible, the cookie isn’t invalidated. If my IP geolocation changes from Atlanta to Atlanta, there’s a good chance that’s still me. If it changes from Georgia to Nebraska, that’s a red flag. I don’t know how feasible this is though – you’d have to ask @Seranok or @TobotRobot.