Well there’s now a “Sign out of all other Sessions” button under account settings. That should help.
[quote] Well there’s now a “Sign out of all other Sessions” button under account settings. That should help.
[/quote]
Are you sure that’s not for beta only? I don’t see it.
Has to be some Alpha/beta testing on some accounts, I don’t have it.
The “Sign out of all Sessions” will be enabled for all users shortly. That feature is currently in beta to ensure that we don’t accidentally log off all of our users and of course for scaling concerns.
Uh, what if the person who got into your account without permission clicks that button first?
Is this password protected?
[quote] Is this password protected? [/quote]
Presuming the user who got in your account knows the password, it would be trivial for this to happen.
I propose that it should send an E-Mail to the account holder with a link to get back into their account in case this happens. Of course, if the E-Mail was stolen too, that wouldn’t be useful, but this should at least hold off password guessers.
[quote]
I could be wrong, but I’d think the scenario of a shared IP is fairly rare?
Is there any other hardware/client information the browser can read that could be tracked in this way?
Honestly, I’d be fine with this being some sort of optional feature that requires a chrome extension or something to use. [/quote]
Members that use a VPN might have a shared IP address, as will multiple users at a school for example.
I wonder if the roblox browser plug-in could be modified to retrieve some sort of HWID?
We’re working on other ways to protect your account access, and protect your Inventory/Funds.
The feature for signing out of other sessions is now live for everyone. Let me know if you guys run into any issues!
@RobloxSai. What about clicking the sign out other sessions, if an exploiter already has access to your account, and just keeps clearing it so you can’t get in.
It should ask for password when signing out other sessions (making it one more step safer)
Also clicking reset password should “lock” your account if you click “confirm password reset” from your mail.
Like this.
- clicks reset password on site (opens to everyone and many will probably try to reset famous people’s accounts.)
- There comes a “confirm” link to your E-mail where it says “disable account until new password is in place.”
- After clicking the link, you get a new E-mail that has a temp password.
- After adding the temp password you will be able to create a new password.
- After creating a new password you may log in on the site, and it activates your account again.
It also signs you out as well, so they can’t do that.
A real quick fix would be to introduce a second cookie that works just like ROBLOSECURITY but isn’t based off of it in any way. It will take a considerable amount of time for phishers to figure out the second cookie as long as its name is disguised.
Yes, that is true. If the exploiter has access to your account, then this will be abused.
The verification step you are mentioning is called 2-Step verification which is common across many sites these days. We do have plans on improving our web security to make accounts more secure.
Regarding the locking out step - don’t we already have something similar in place for resetting passwords? Why do you need to lock the account until the password is manually reset? If the user needs to manually click on a link to lock the account, shouldn’t he just go a step further to actually reset the password instead of leaving his account frozen?
Allow us to use Google, FaceBook, Twitter, GitHub etc for an additional layer of security?
Like link the ID to our account and when we try to login, we also need to login through the service that we linked to our account.
And also if you get an ID, use it to encrypt and decrypt the cookie?
If your account has been compromised, you should immediately reset your password. But let’s say you logged in at the library and forgot to log out. Then you can use the “Sign out of all other Sessions” button.
Could this feature be taken one step ‘further’? On other websites you can log each single session off by clicking a ‘cross’ next to it. That way I don’t get logged out on all my devices. (PC, Tablet (2x) and Phone)
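Added example (not the forum’s or Roblox’s code; the class and method names are my own assumptions): a minimal server-side session store that models the behaviour discussed in this thread, with per-session sign-out, a “sign out of all other sessions” gated on re-entering the password, and a password reset that revokes every session.

```python
import hashlib
import hmac
import os
import secrets
ITERATIONS = 100_000  # PBKDF2 work factor; tune for the deployment

def hash_password(password: str) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the 16-byte salt is stored in front of the digest.
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

class Account:
    # Hypothetical account with server-side session records (not Roblox's code).
    def __init__(self, password: str):
        self.password_hash = hash_password(password)
        self.sessions = {}  # live session token -> device label

    def login(self, password: str, device: str):
        if not verify_password(password, self.password_hash):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, one per device/session
        self.sessions[token] = device
        return token

    def sign_out_one(self, caller: str, target: str) -> bool:
        # Revoke a single session: the per-device 'cross' asked for above.
        if caller not in self.sessions or target not in self.sessions:
            return False
        del self.sessions[target]
        return True

    def sign_out_others(self, caller: str, password: str) -> bool:
        # "Sign out of all other sessions", gated on the password so a hijacked
        # session alone cannot evict the owner's own devices.
        if caller not in self.sessions or not verify_password(password, self.password_hash):
            return False
        self.sessions = {caller: self.sessions[caller]}
        return True

    def reset_password(self, old_password: str, new_password: str) -> bool:
        # A reset rotates the hash and revokes every session, so a stolen cookie dies.
        if not verify_password(old_password, self.password_hash):
            return False
        self.password_hash = hash_password(new_password)
        self.sessions.clear()
        return True
```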
I know Facebook has two step authentication if you log in from a country for the first time. This might not be a perfect fix but could go a long way to adding extra security.
Please tell me you’re going to finally use my idea of using an authenticator like the game World of Warcraft uses to protect player accounts. This would literally stop people from stealing accounts. Fingers crossed pls say yes :D!!!