Prompt 2FA after Social Logins

When I tried to log into my account on a new machine, I could choose between logging in using a username and password (with 2FA) or choosing "Facebook".
If I choose Facebook (being already logged in there), I bypass 2FA 100%.

I think this should be fixed, where you should be prompted with 2FA after signing in with Facebook also.
I get that many people use Facebook because it's "fast", but it should not compromise security for "faster".

3 Likes
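The behaviour the post above asks for, as an added example (not code from this thread or from Roblox): a login flow in which the password path and the Facebook path both end in the same pending state, and a session is only issued once the account's enrolled second factor has been verified, whichever path proved the first factor. The account store, the Facebook id, the salt and the TOTP secret are all constructed for the example.

```python
import hashlib, hmac, secrets, struct
from dataclasses import dataclass

def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"example-salt", 100_000)

# Constructed sample account (not real data): password, linked Facebook id, and a
# TOTP secret because 2FA is enrolled (None would mean not enrolled).
USERS = {"alice": {"pw_hash": pw_hash("correct horse"), "facebook_id": "fb-123",
                   "totp_secret": b"12345678901234567890"}}

@dataclass
class PendingLogin:
    username: str
    method: str  # "password" or "facebook"
    second_factor_done: bool = False

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation) for the given time."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def first_factor(method: str, **proof):
    """Both paths end in the same pending state; neither one mints a session."""
    if method == "password":
        user = USERS.get(proof["username"])
        if not user or not hmac.compare_digest(user["pw_hash"], pw_hash(proof["password"])):
            return None
        return PendingLogin(proof["username"], method)
    if method == "facebook":
        # The IdP assertion is assumed to be validated already; here it is only mapped to an account.
        for name, user in USERS.items():
            if user["facebook_id"] == proof["facebook_id"]:
                return PendingLogin(name, method)
    return None

def second_factor(pending: PendingLogin, code: str, unix_time: int) -> bool:
    """Verify the account's TOTP code; the login method does not matter here."""
    secret = USERS[pending.username]["totp_secret"]
    if secret and hmac.compare_digest(totp(secret, unix_time), code):
        pending.second_factor_done = True
    return pending.second_factor_done

def issue_session(pending: PendingLogin):
    """A session exists only once every enrolled factor is verified, Facebook login included."""
    if USERS[pending.username]["totp_secret"] and not pending.second_factor_done:
        return None
    return secrets.token_urlsafe(32)
```

The TOTP secret is the RFC 6238 test vector, so the code for time 59 is the published one (287082) and can be checked by hand.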

This is likely an oversight as using quick login still prompts you for a 2FA code.

2 Likes

This is intentional. Authentication is off-loaded to the identity provider (Facebook), not the service provider.

The attack surface is pretty small anyway.

1 Like

A lot of people think exploiters and other scammers won't go to any length to get into someone's account.
The fact is that people will use any method they can get hold of.
And if someone is remoting into a victim's machine or similar, then Facebook is really vulnerable as a way to log into Roblox.

Someone has, for example, made extensions for Chrome that steal Facebook and Roblox login data.
This way they can save themselves the login to Roblox in a fast manner, by using the cookies from Facebook to log into Roblox without even going through the authentication to log into Facebook (bypassing "Your account has been used" on Facebook), and boom, you're logged into someone's Roblox account using Facebook third-party authentication.

The way described above has happened to me once.
This is why I'm skeptical about not being prompted for the authentication code after signing in.

Saying that it's small does not state a fact; the "small" base is bigger than you know.

This has been considered in threat models but determined to have no impact. It’s a very small attack surface. There are a lot of metrics that are not public.

You can enable 2FA on Facebook (the identity provider).

This isn't a solution to those problems in my opinion. There are more effective ways to mitigate these attack vectors.

If someone pwns your machine, then this won’t help.

If you use a malicious browser extension, then why would it target Facebook instead of just generating a quick login code, stealing your cookies, etc. when you go to roblox.com? Also, there's a far greater return on investment in compromising their email account or bank account. Facebook is the identity provider, so even if that account is compromised, it'd be straightforward to reset the state on your Roblox account.

Nice job thinking about your security, but it's also worth keeping in mind that there are teams of people employed who create threat models for this stuff, especially authentication mechanisms.

If you focus on giving them an idea of the current issue you're experiencing and your use-cases, then they can come up with a feature to solve that (since they have a lot of internal metrics, they'd be able to find a much better solution than we could recommend, so we shouldn't focus on the proposed solution but rather on the issue you're experiencing).

Cheers

1 Like