I think there should be an option to enable 2FA to be used on every purchase (It’s easy to use an authenticator than to type the user’s password on every purchase).
Some users don’t buy in bulk and might want to have it enabled for every purchase and or trade.
I have only had to use use the 2FA login once, it should be forced to do it once every 24 hours.
That way you maximize the security on computers.
In case you use a public laptop (that you should not have done).
I haven’t seen it used on other services than on the login for Roblox once.
Update: 04.09.21
2FA should also be used on selling, either it’s Robux or Assets.
If you add 2fa for publishing and saving games, that would prevent a lot of damage done by the hackers in case they get into your account, so that they cant really do anything with your games, if you ever decide to add a delete game function then 2fa NEEDS to be required for that.
I don’t think that’s a huge deal, you can always restore your game’s older versions.
If they add a “Delete game” function, 2FA should be required for that but that function is a bit useless as you can just put your game private.
In my opinion, 2FA should be required to accept and send trades, sell limiteds, group payouts and as @HawDevelopment said, for devex and shutdown all servers.
You can’t undo people stealing game contents by editing the game and then copy-pasting / saving to a local file. It makes perfect sense to me to have an option to prompt 2FA for team members before they can edit a game.
2FA requirement for all game publishes and saves would be a pain honestly. Most people constantly save/publish their work after each session and the need to check your phone and enter a verification code every time would be a hassle.
Use authy on your pc, no need for a phone then.
Also, you might not always need to have it on game save.
But game publish should be under 2FA (in my opinion).
At least if you are in a team editing session.
This is easily solved by only prompting a code if that IP/session/account/(whatever identifier) hasn’t used the action or been prompted a code for at least X minutes. They don’t need to make it prompt every time, it can be smarter like that for frequent (but sensitive) actions such as game open/publish without compromising on security for people that want that option.
Or have a checkbox regarding this feature? If I know I’m going to publish my game multiple times within 30 minutes, I want to make sure I only have to enter my code once, but if I’m not going to, I want it to prompt my 2FA every time until I specifiy otherwise.
Oh boy, I know this may come out of nowhere but Roblox desperately needs to add 2-step to selling any limited item. Since they added 2-step for trading, people who now get cookielogged will just lose their items through catalog transferring (AKA LPPing), which is now a major issue.