To also add on this, I think the same should be done for when a user wants to delete any item from their inventory. I've also seen situations where hackers threaten their victims by saying they'll delete their gamepasses, badges, etc.
I’m surprised these weren’t features already in parental controls to begin with, given how many gaming/technology companies implement systems to prevent children from buying things unintentionally or without permission first.
Removing this feature is an awful idea, and there’s really no reason to remove it at all. The account PIN has saved many of my friends’ accounts before; I believe it should stay as a feature or get reworked instead. Saying to turn on 2FA isn’t sufficient: if you get cookie logged, it will now just be game over for you.
Personally, a 2FA check for sensitive settings (username, display name, email, password, passkeys, etc.) being changed would be great, but in addition to that, potential support to use passkeys instead of 2FA for these things, as an option to pick between.
Not having anything to secure this type of data in the event of a potential compromise is a bad idea, personally.
I don’t get why they’re removing the PIN to begin with. With all the mess that’s been going around not so long ago, you’d think they’d add a new security feature, not replace it with an arguably worse one. Why not just have both?
I had my session stolen about a year ago. I had trading disabled, but without a PIN. They just turned it back on, moved all my items to some other account and Roblox somehow thinks there is nothing suspicious about the 10 1000 robux worth of items for crazy glasses deals (which is why my avatar is like this now). Nobody steals passwords these days because those that don’t have 2FA often have nothing worth stealing.
Presumably account session protection has been enabled, given that the timeline for it being released has already elapsed, so cookie theft shouldn’t really be a main concern for the majority of the most vulnerable endpoints (like changing passwords, sending trades or changing the main account settings). The main vulnerability that I’m aware of here would be if someone already has access to run code on your device and can bypass account session protection, in which case I think you may have bigger worries to think about.
Of course, there are many endpoints that are covered by PIN but not session protection, but many of these require other security verification methods (like 2FA). Again, I do wish to reiterate that having a PIN-like 2FA prompt would improve security regardless of the above fact, and assuming that the PIN feature is made more secure (like my aforementioned suggestion), it should be restored as a feature.
That still doesn’t cover the fact that they can’t do much without a PIN or a password. At worst they can steal my 100 abandoned projects, or the 100GB black hole that’s the Download folder.
Agree, this update is terrible. Instead of removing it, how about you simply move it to the security tab? What’s wrong with PIN + 2SV? Also, maybe allow for an optional amount of digits, or at least 4 as a minimum.
I see absolutely no benefit in removing this.
EDIT: You should also take into account people who don’t have phones and don’t want to provide email addresses. I know many privacy-cautious people who aren’t comfortable with providing Roblox (or any other big corporation) with that information, and fair enough.
I seriously dislike the fact that @Roblox is removing the PIN feature when a majority of players have always used it for security purposes. The 2FA verification only accounts for when the attacker has your password, not when you’re token logged or anything else, and most attackers are just token logging.
With the addition of PINs having 10,000 possible combinations and a rate limit making brute forcing difficult, this gives the original account holder, who has access to the account and has to re-establish control, precious time.
But in many cases, PINs would stop this as you cannot hack through a PIN, but with the removal of this feature @Roblox has once again made accounts more vulnerable to token logging and other forms of phishing.
Bravo Roblox, you truly power imagination, and make it easier for malicious users to hack accounts.
FYI, this feature actually helped one of the users avoid getting completely compromised, because the infiltrator managed to compromise the account, but the account PIN didn’t let them take full control over it.
I can’t wait until someone’s account gets compromised and this time there’s no last safeguard because the account PIN was removed.
I totally understand that the PIN feature was not intended to be a security measure for accounts against hackers, but rather for making sure little kids cannot change details/parental restrictions, but it prevented a lot of people from losing their accounts.
Although two-step technically helps, it doesn’t prevent people from fully changing your settings. I’ve noticed VERY recently that while trying to change your email/phone number you would get a 2FA prompt. However, you would not get a prompt for changing your password. Why is that? I thought two-step was supposed to prevent ALL sensitive information from being changed?
Having the Parental PIN was basically like a second/third step of verification; if for some reason you managed to get past the 2-Step codes, you would still need to get a hold of the PIN in order to fully change the passwords/emails/phone numbers. Also, if the person hacking your account could NOT get the PIN correct, and had to reset the PIN via email, they would more than likely not be able to get the PIN reset in time before they’re kicked out, or they would simply be SOL (assuming they don’t have access to the email).
I get the extra protection for the younger audience on Roblox, but there shouldn’t be a reason the PIN gets removed. If anything, that should still be an extra factor for linked parental accounts if for some reason the child got access to the parent account, or managed to change some restrictions/information through their account.