Require additional 2-factor check for Destructive Actions

Although I have brought this up in conversation before, considering the impending sunset of user account pins (currently the ONLY layer of defense against a stolen authentication cookie), I feel that it is necessary to post this here now so as to hopefully reduce the risk that we will be facing as a result of this change.


That being said:

As a Roblox user and developer, it is currently too hard to protect our accounts against targeted attacks by malicious actors.


Background Information (“The Problem”):

As anyone who has used the platform for an appreciable amount of time is doubtless aware, there have always been a number of malicious actors who target Roblox users with malware, phishing, and social engineering attacks in an effort to gain full access to user accounts.

Such attackers typically act through one of two vectors - either, as is most commonly the case, obtaining the user’s .ROBLOSECURITY cookie through deception and/or malware - or, in some cases, utilizing a Remote-Access Trojan (RAT) or other significantly more damaging malware to gain access to the user’s computer on which their account is logged in.

Upon gaining access to an account through illicit means, attackers typically first take a few particularly damaging actions - starting by changing the user’s email and password to lock the original account owner out of their account. I myself experienced this years ago on my old main account - @GreenKeldeo - and, from that experience, am aware that these changes often completely lock out any way to recover most accounts, even with intervention from Roblox Support.

After removing access to the user account, attackers then go through their assets and permissions - sabotaging groups/experiences, holding them for ransom, and stealing account balances and avatar items to sell via illicit marketplaces. This has long been an issue - and has necessitated a system of poisoning certain items to try to combat these illicit activities.

The Account PIN was, regardless of its original intent, a small way to combat these threat vectors - requiring an additional factor of authentication to modify certain user account settings beyond the main session security token. Unfortunately, it has never been ideal for this purpose, as it was never engineered for it - hence the lack of support for truly secure passcode/passwords for the feature.

With its removal, an open hole is left in its wake - one that should be filled as soon as possible.

Suggested Solutions

Although, for obvious reasons, I will not go into specific implementation recommendations here, I feel that at least an additional full 2-factor check should be imposed on certain ‘destructive’ actions, including (but not limited to):

  • Account security settings
  • Destructive group role permissions (e.g. edit access, kick members, change ranks)
  • Accept/Deny All functions for legacy group ranks
  • Experience deletion
  • DevEx Requests
  • Transfer Group Ownership
  • Item trading
  • Studio Log-in (ideally, as an option - especially if it’d allow for a third factor of authentication (i.e. app based 2FA and a passkey) to be checked)
  • Changing username/display name
  • Accessing the Advertising Portal
  • Accessing API keys
  • Accessing and/or deleting Secrets
  • Deleting a package (ideally, optional)

These checks would not eliminate all risk to user account security from malicious actors, but would buy valuable time for a user to realize what is going on and take corrective action before support intervention is required - and completely protect against basic cookie hijacking. Considering the blood, sweat, and tears we as creators put into the platform, I feel that such checks are sorely necessary to protect our work, our time investments, and avoid unnecessary work for Roblox support staff.


Although I have specific implementation suggestions and recommendations, I will not be posting them publicly out of an abundance of caution. If any staff would like me to provide them, feel free to shoot me a message either here or on Guilded and I’d be happy to provide my input.

25 Likes

Would you care to elaborate on specifics of why? This is the type of change where it’s definitely best to actually hear everyone’s reasoning so that any solution to the issue can take it into account.

2 Likes

I agree with the intent here, getting compromised these days is very easy and with more power (api keys, secrets, etc.) comes great responsibility on the users’ behalf. I think this is a good step in the right direction.

One concern is the lack of feasibility that will arise from forcing 2FA on everything. While I do agree that 2FA should always be enforced for things like group transferring, DevEx requests, experience deletion, etc., I believe for some of the other options it will become annoying quickly.

This could be fixed by having settings in user settings to disable 2FA verification for those features (you’ll need 2FA to change the settings ofc) OR having a 5+ minute grace period (similar to the pin) after you 2FA verify before you have to do it again.

3 Likes
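As an added illustration of the step-up model discussed in this thread (not Roblox code, and not from any poster), the following sketches a server-side policy check in Python: destructive actions require a second-factor check bound to the current session, a 5-minute grace window avoids re-prompting, a few actions are always enforced, and opting out of the optional ones itself requires a fresh step-up. The action names, the `GRACE_SECONDS` constant and the `allow` / `step_up_required` decision strings are assumptions for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

GRACE_SECONDS = 5 * 60  # "5+ minute grace period" suggested in the thread (assumed value)


class Action(str, Enum):  # hypothetical action names for the example
    SECURITY_SETTINGS = "security_settings"
    TRANSFER_GROUP = "transfer_group_ownership"
    DEVEX_REQUEST = "devex_request"
    DELETE_EXPERIENCE = "delete_experience"
    TRADE_ITEM = "trade_item"

# Actions the thread says should always be enforced; users cannot opt out of these.
ALWAYS_ENFORCED = {Action.SECURITY_SETTINGS, Action.TRANSFER_GROUP,
                   Action.DEVEX_REQUEST, Action.DELETE_EXPERIENCE}

@dataclass
class Session:
    """Server-side state for one login session. The last successful second-factor
    check is recorded here; a session that never stepped up has None."""
    session_id: str
    second_factor_at: Optional[float] = None

@dataclass
class UserSettings:
    step_up_disabled: set = field(default_factory=set)  # optional actions opted out

def step_up_is_fresh(session: Session, now: float) -> bool:
    """True if this session passed a second-factor check within the grace window; that
    window is the residual exposure of a hijacked session, so it is kept short."""
    return (session.second_factor_at is not None
            and 0 <= now - session.second_factor_at <= GRACE_SECONDS)

def authorize(action: Action, session: Session, settings: UserSettings, now: float) -> str:
    """Return 'allow' or 'step_up_required' for a destructive action."""
    if action not in ALWAYS_ENFORCED and action in settings.step_up_disabled:
        return "allow"  # user opted out of step-up for an optional action
    return "allow" if step_up_is_fresh(session, now) else "step_up_required"

def disable_step_up(action: Action, session: Session, settings: UserSettings, now: float) -> bool:
    """Opt out of step-up for an optional action. Changing the setting itself needs
    a fresh step-up, and always-enforced actions cannot be opted out."""
    if action in ALWAYS_ENFORCED or not step_up_is_fresh(session, now):
        return False
    settings.step_up_disabled.add(action)
    return True
```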

I think this is a good idea, as someone who recently dealt with a computer virus, you can never go wrong with more security options.

Bumping this as I was planning on writing my own thread and noticed this. So I will post what I planned to post in my own thread, as it relates to this:

Roblox has significantly improved their security measures over the years in the realm of account safety, giving us developers various tools to protect ourselves in the event of a malicious attack.

A few years back, Roblox introduced another layer of safety in the form of 2-factor authentication for high-value transactions (group payouts, large purchases, etc.). This is a fantastic step forward; however, I do believe there is a vulnerability still persistent that can benefit significantly from 2FA.

Experiences on the platform continue to drive up in value, and as more development teams are established, I personally find there to be potential vulnerabilities in regard to experience editing. If a developer of a large studio is compromised, the experience itself, and therefore intellectual property of these studios could be at risk by malicious attackers.

My feature request is incorporating an optional safeguard that developers can enable to lock edit mode to an experience via 2FA or a pin. This lock feature would be enabled by the developer of a sole experience, or the owner of a group experience. Any attempted access to edit this experience from any developer account would be prompted with 2FA or a universal passcode prompt shared by developers of that experience.

While no safeguard is foolproof, this would be an added measure of safety to protect our experiences from malicious attacks, as I find protecting experiences to be just as important as the revenue generated from said experiences (which is also protected via high-value transaction 2FA).

2 Likes