Reconsider removing self-assigned account PINs

To also add on this, I think the same should be done for when a user wants to delete any item from their inventory. I've also seen situations where hackers threaten their victims by saying they'll delete their gamepasses, badges, etc.

I’m surprised these weren’t features already in parental controls to begin with, given how many gaming/technology companies implement systems to prevent children from buying things unintentionally or without permission first.

Removing this feature is an awful idea, and there’s really no reason to remove it at all. The account PIN has saved many of my friends’ accounts before; I believe it should stay as a feature or get reworked instead. Saying to turn on 2FA isn’t sufficient: if you get cookie logged, it will now just be game over for you.

2 Likes

Personally, a 2FA check for sensitive settings (username, display name, email, password, passkeys, etc.) being changed would be great, but in addition to that, potential support to use passkeys instead of 2FA for these things as an option to pick between.

Not having anything to secure this type of data in the event of potential compromise is a bad idea personally.

I don’t get why they’re removing the PIN to begin with. With all the mess that’s been going around not so long ago, you’d think they’d add a new security feature, not replace it with an arguably worse one. Why not just have both?

I had my session stolen about a year ago. I had trading disabled, but without a PIN. They just turned it back on, moved all my items to some other account and Roblox somehow thinks there is nothing suspicious about the 10 1000 robux worth of items for crazy glasses deals (which is why my avatar is like this now). Nobody steals passwords these days because those that don’t have 2FA often have nothing worth stealing.

Presumably account session protection has been enabled, given that the timeline for it being released has already elapsed, so cookie theft shouldn’t really be a main concern for the majority of the most vulnerable endpoints (like changing passwords, sending trades or changing the main account settings); the main vulnerability that I’m aware of here would be if someone already has access to run code on your device and can bypass account session protection, at which point I think you may have bigger worries to think about. :grimacing:

Of course, there are many endpoints that are covered by PIN but not session protection, but many of these require other security verification methods (like 2FA). Again, I do wish to reiterate that having a PIN-like 2FA prompt would improve security regardless of the above fact, and assuming that the PIN feature is made more secure (like my aforementioned suggestion), it should be restored as a feature.

That still doesn’t cover the fact that they can’t do much without a PIN or a password. At worst they can steal my 100 abandoned projects, or the 100GB black hole that’s the Download folder.

Account PIN can be removed by emailing Roblox Support.

1 Like

Agree, this update is terrible. Instead of removing it, how about you simply move it to the security tab? What’s wrong with PIN + 2SV? Also maybe allow for an optional amount of digits, or at least 4 as a minimum.

I see absolutely no benefit in removing this.

EDIT: You should also take into account people who don’t have phones and don’t want to provide email addresses. I know many privacy-cautious people who aren’t comfortable with providing Roblox (or any other big corporation) with that information, and fair enough.

4 Likes

2step is a braindead solution to this
just add like a BIOS password but for settings

1 Like