Require a one-time auth code for leaving group ownerless or transferring groups to other users instead of unlocking your account

So there was a group I wanted to leave that I am the owner of. It wasn’t anything special; it just wasn’t used for anything. After pressing the “Leave Group” button and confirming the action, I got this:

This also happens with transferring group ownership to other users.
Naturally, I got confused because I never got an error when leaving groups ownerless, but then I read the text. I know that we all wanted more group security, but this is still pretty risque to do.

As someone who values their security, I became concerned that I need to unlock my account to do one thing that I can’t do quickly from the same page. How this currently works is that you need to:

  • Open settings
  • Put in your pin
  • Find the group again
  • Confirm action

In the case of transferring ownership, you basically have to do all of that and make sure the user is in the group and find them through a search bar that breaks often. With a stopwatch in hand, the first action takes 2-5 minutes depending on the internet connection, and the latter takes even more! In case of someone breaching into my account, they can easily change my email and password when I am done with either of the actions. As someone who also doesn’t have the best internet speeds, transferring groups to other people starts becoming a speed-run for me.

Now you may ask, what can we replace this with? Look no further because I have a solution for you!
Send us a one-time authentication code either to our emails or text message

As Roblox allows us to add our phone numbers to our accounts and they’re not being used, they could easily and securely be used to send us one-time authorization codes unless someone steals our phone. This could also be done by emailing the code to us. It’s not as secure as sending a text message, but it’s still way more secure than needing to unlock your account for a group transfer.

15 Likes
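An added example (not Roblox’s code, and not from the post above) of what the proposal amounts to on the server side: a one-time code that is bound to one specific group action, expires, is single-use and is compared in constant time. The class, method and field names are assumptions, and the action strings are made up for illustration.

```python
# Added example: a one-time "step-up" code tied to a single sensitive group
# action. All names here are assumptions, not a real Roblox API.
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300      # code expires after 5 minutes
MAX_ATTEMPTS = 5            # lock the challenge after repeated wrong guesses


@dataclass
class Challenge:
    user_id: int
    action: str             # e.g. "leave_group" or "transfer_ownership"
    group_id: int
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


class StepUpAuth:
    """Issues and verifies one-time codes for specific group actions."""

    def __init__(self, now=time.time):
        self._now = now                       # injectable clock for testing
        self._challenges: dict[str, Challenge] = {}

    def issue(self, user_id, action, group_id):
        # 6-digit numeric code from a CSPRNG; the caller delivers it to the
        # user's verified phone number or e-mail, never back to the browser.
        code = f"{secrets.randbelow(10**6):06d}"
        key = f"{user_id}:{action}:{group_id}"
        self._challenges[key] = Challenge(user_id, action, group_id, code, self._now())
        return code

    def verify(self, user_id, action, group_id, submitted):
        # True only for a fresh, unused code issued for this exact action
        # on this exact group; a code for "leave_group" cannot authorize
        # "transfer_ownership", and vice versa.
        ch = self._challenges.get(f"{user_id}:{action}:{group_id}")
        if ch is None or ch.used or ch.attempts >= MAX_ATTEMPTS:
            return False
        if self._now() - ch.issued_at > CODE_TTL_SECONDS:
            return False
        ch.attempts += 1
        if not hmac.compare_digest(ch.code, submitted):
            return False
        ch.used = True                        # single use: replays are rejected
        return True
```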

I’d prefer that any pin-locked actions prompt the unlock modal on the page instead. A one-time authentication code isn’t really any different from opening your settings in a new tab, unlocking your pin and then confirming the action you wanted to perform beforehand.

I always lock my account immediately after performing any actions that require a pin, so for people like me who are extreme when it comes to account security I’d be loaded with a bunch of OTACs in my email and having to access them every time sounds silly and worse than the current flow for accessing pin-locked actions outside of the Settings page. Prompting the modal makes it more immediate.

5 Likes

Having PIN on group actions is a bit strange because I think PIN was originally meant as a parental control method to avoid kids changing their account settings and buying Robux. It seems like this mixes concerns on what the PIN was originally meant to do.

Roblox should probably not use the PIN for these things and instead have this be done with TOTP codes long-term, which doesn’t incur the same problem.

Both of these aren’t very secure (especially the latter); a TOTP app is better. I recommend never feeding your phone number as a 2FA method on any other sites you use.

11 Likes