Re-authenticate all sessions when a user's location jumps to a farther location, to prevent users from getting compromised by cookie-logging

Recently, my account got compromised and I had a limited stolen from me. Now, sure it sucked, but it got me thinking that there are many possible solutions that could probably have been implemented to prevent me and many others from being compromised, and here is my personal favorite solution.

What I am thinking of is that, if an account is accessed from a much longer distance than where it was originally logged in from, and the user has 2-Step Verification enabled, then it will prompt all sessions to verify themselves. Now, I know 2-Step Verification helps when they log in to your account, but in my case and many others, they get into your account with a method known as Cookie Logging. This is sadly a very common practice, but I think with my method it could be avoided. If Roblox were to add this feature, it would prevent many users from being compromised and would possibly end most of the account theft that goes on in the Roblox Community. I think it should be a setting that requires 2-Step Verification to be enabled in order to enable it.

Leave your thoughts and opinions below, because I am sure that I can expand on this idea.

Thank you,
Spiral

29 Likes

Update: Now that I reread this, I realised that it might be a bit hard to understand. I plan to revise this post and organize it a lot better, but here is the idea in sum: IF a user's account is accessed from an area that is far from the area where they were last online, then it should log out every session, or another method would be that IF they have 2-step authentication enabled, then it prompts all devices logged in to have to reauthenticate the account via 2-step.

While I definitely don't think this is the cure-all, and I'm sure a lot of people will pick apart your suggestion using that mindset as the reasoning, this is definitely a step in the right direction if this was implemented.

If a geo-location changes under a single session token, that session should be invalidated.

1 Like
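The rule stated in the reply above ("if a geo-location changes under a single session token, that session should be invalidated") together with the original poster's two variants (log out every session, or, when 2-step is enabled, force every session to re-verify) can be expressed as an "impossible travel" check on the server's session store. The following Python is an added illustration written for this thread; it is not Roblox's code, and the speed and distance thresholds, the `SessionStore` API and the user/location values are constructed assumptions.

```python
import math
from dataclasses import dataclass

# Constructed policy thresholds for this example; the real platform's values are unknown.
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # faster than an airliner => "impossible travel"
MIN_JUMP_KM = 500.0               # ignore small moves (commuting, carrier IP churn)
EARTH_RADIUS_KM = 6371.0


@dataclass
class Session:
    token: str            # the session cookie value
    user_id: str
    lat: float            # last location seen on this token (from geo-IP)
    lon: float
    last_seen: float      # unix seconds of the last request on this token
    needs_reauth: bool = False   # must pass a 2-step challenge before use
    revoked: bool = False        # logged out; cookie is dead


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


class SessionStore:
    """Hypothetical server-side session table (assumption: one row per cookie)."""

    def __init__(self, twofa_enabled):
        self.twofa_enabled = twofa_enabled   # user_id -> bool
        self.sessions = {}                   # token -> Session

    def create(self, token, user_id, lat, lon, now):
        self.sessions[token] = Session(token, user_id, lat, lon, now)

    def touch(self, token, lat, lon, now):
        """Run on every authenticated request. Returns 'ok', 'reauth' or 'revoked'."""
        s = self.sessions[token]
        if s.revoked:
            return "revoked"
        if s.needs_reauth:
            return "reauth"
        dist = haversine_km(s.lat, s.lon, lat, lon)
        hours = max(now - s.last_seen, 1.0) / 3600.0      # floor at 1s: no divide-by-zero
        if dist >= MIN_JUMP_KM and dist / hours > MAX_PLAUSIBLE_SPEED_KMH:
            # Impossible travel under ONE token: treat the cookie as copied and act on
            # every session the user holds, because the thief may have copied them all.
            self._challenge_all(s.user_id)
            return "reauth" if s.needs_reauth else "revoked"
        s.lat, s.lon, s.last_seen = lat, lon, now
        return "ok"

    def _challenge_all(self, user_id):
        # OP's variant B (2-step on): force re-verification on all devices.
        # OP's variant A (2-step off): nothing to verify against, so log everything out.
        for s in self.sessions.values():
            if s.user_id == user_id:
                if self.twofa_enabled.get(user_id, False):
                    s.needs_reauth = True
                else:
                    s.revoked = True

    def complete_reauth(self, token, lat, lon, now):
        """Called after the device behind this token passes the 2-step challenge."""
        s = self.sessions[token]
        if s.revoked:
            return False
        s.needs_reauth = False
        s.lat, s.lon, s.last_seen = lat, lon, now
        return True


def demo():
    """Constructed scenario: a 2-step user's desktop cookie is replayed from another continent."""
    store = SessionStore(twofa_enabled={"alice": True, "bob": False})
    ny = (40.7128, -74.0060)          # constructed home location
    far = (-33.8688, 151.2093)        # constructed replay location, ~16,000 km away
    for user in ("alice", "bob"):
        store.create(f"{user}-desktop", user, *ny, now=0)
        store.create(f"{user}-phone", user, *ny, now=0)
    r = {}
    r["alice_replayed_cookie"] = store.touch("alice-desktop", *far, now=600)   # 10 min later
    r["alice_phone"] = store.touch("alice-phone", *ny, now=700)                # also challenged
    r["alice_phone_2step_ok"] = store.complete_reauth("alice-phone", *ny, now=800)
    r["alice_phone_next"] = store.touch("alice-phone", *ny, now=900)
    r["bob_replayed_cookie"] = store.touch("bob-desktop", *far, now=600)       # no 2-step: logout
    r["bob_phone"] = store.touch("bob-phone", *ny, now=700)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The minimum-jump threshold and the speed rule exist because geo-IP is coarse: mobile carriers and VPN exits can move a client hundreds of kilometres between requests, so reacting to every change would lock out legitimate users, while a jump that no aircraft could make in the elapsed time is a strong signal that the same cookie is in two places. The same check, with the same helper, also captures the "log out every session" variant for users without 2-step, which is why one example serves both posts.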

My idea definitely can be grown upon, and I'm sure it has flaws, but I think this will actively stop scammers who use basic tools and tutorials found on back-alley websites for cookie logging. A lot of the cookie logging methods are just tutorials and pre-written scripts that people follow, with little to no understanding of in-depth attacks, so this definitely will stop those from occurring. I would also think this would put a major halt on the more in-depth methods, and could probably be a good way to stop cookie logging altogether. My only worry is that the exploiters will move to attacking emails, so that when they get in and get the email, they can verify easily. Although most email services are heavily protected, and a lot of people wouldn't go that far down the rabbit hole for a virtual currency.

Sorry for the bump, but it seems as if some people are getting this update pushed to them! I am happy to be able to contribute to the site :grin:

2 Likes

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.