Roblox has a severely flawed 2-Factor Authentication System

As a Roblox developer, it is currently impossible to feel safe on the platform with my assets with the current lacking security methods. Roblox has made strides in terms of account security, but when we are talking about IP and assets worth thousands and even hundreds of thousands of USD for some users, the fact that it is so easy to fool people into bypassing 2FA is indicative of the problem that Roblox needs a proper, industry standard solution like every other major company (A solution like Duo, for example)

Personally, today, someone managed to gain access to my accounts for less than 2 minutes, regardless of 3 fail-safe systems preventing access, because the 2 factor authentication system has vulnerabilities. There is no way to verify quickly that Roblox is the authority with the 2 factor authentication page, so attacks where the attacker blind-MITMs the code is possible (and just occurred). Another example is the incident at RDC Amsterdam. The 2-Factor system was totally bypassed by alleged attackers, who may have been able to intercept cookies that were travelling plaintext across the venue.

Even if this did not occur, the fact remains that it could have and hundreds of developers could have had their accounts compromised and all their assets downloaded and sold, or worse.

I hope that Roblox decides to take a firm step into ensuring developer security. Despite the current system being technically sound, and still requiring a human error, it is too easy for attackers to use the methods described to trick people into bypassing 2FA security. There is only so much I can do as a developer to feel safe on the platform and frankly, I do not feel safe like I would on most other platforms.

129 Likes

I feel the exact same way.

We need better security for developers.

Much Support

16 Likes

Even if current security isn’t improved I would like us to be able to be sent notifications of users logging into our accounts, ie an email saying my account was logged into from a new session. Someone managed to get into my accounts and I had absolutely no idea it had even happened! I’ve noticed Google is very good at this, providing security alerts whenever I log into my Google account from new places/computers which is very reassuring.

Also the ability to IP lock our cookies would be amazing so then even if our cookies were stolen they would be unusable.

31 Likes

Alternate 2FA and even 3FA methods would be great.

Stuff like Token based 2FA (Authy, Google Auth) and physical keys like Yubikey and U2F

21 Likes

Thanks for posting this. I want to assure you that we do take account security seriously at Roblox and are working behind the scenes to make sure your accounts are as safe as possible.

For example, we recently added login location to verification code emails. If you ever see an incorrect location, double check to make sure the page you are logging in to is roblox.com. This should help prevent phishing attacks like the one you described.

Going back to your original point, I am not sure that our 2SV system is “severely flawed”. The implementation is industry standard and is subject to the same sort of phishing attacks that companies like Google face. Providing alternate verification options like Authy or Duo wouldn’t provide any additional protection from those sort of phishing attacks over what we have today. I still think it would be good to provide those options for other reasons.

Regarding the suspected security incident at RDC Amsterdam, I’ve looked into it and I don’t see any compelling evidence that it was an attack. The two symptoms things which led people to jump to that conclusion were:

  1. Developers reported getting randomly logged out. This appears to be happening to developers who did not attend RDC, so I suspect it is a platform-wide bug. I’ve passed this information along to the right people so it can be investigated further.
  2. Developers saw “Not Secure” when browsing roblox.com during the event. There are bugs which may cause this to happen, e.g. joining a game from the website incorrectly marks the page as insecure because it is using a custom protocol to launch the client. If you ever see “Not Secure” when using our website please file a bug so we can fix it.
21 Likes

I am going to bump this, simply because this is important. Developers who are in charge of huge organizations, holding millions of Robux, having access to many games and what not, are relying on 2FA through email or phone. Both, which are proven to be the least secure option out there.

The reason why it’s not “severely flawed” is because using a poor 2FA method is better than no 2FA, but it gives a false sense of being secure, which is not good

I’m going to second that the current system isn’t “severely flawed”, but I do vouch for it being flawed. Game developers are risking all their income on “insecure” options to authenticate themselves, and it certainly does not make them comfortable. There are so many reasons the current options are insecure, that a simple search online will give you more than enough information, hence why I’m not going to post it in here :slight_smile:

We need better alternatives, if not now, then very soon. It’s not that there is an ongoing crisis, but the current flow just doesn’t fit for those more concerned about security.

Google even managed to reduce all phishing reports / confirmations to 0 - zero(!) - after enforcing all employees to use physical keys for authentication, which shows how effective these methods are. It’s not even that difficult to implement either, and in return you get a huge security bonus.

10 Likes

I do want to join the conversation about that and I agree with OP. Let me list few problems and optional solutions.

  1. The 2 factor authentication DOES NOT make people safe. People can still log in using .ROBLOSECURITY token.
  • a solution would be making 2 factor authentication separate from .ROBLOSECURITY token. Solving the 2 factor auth challenge could be bound to both IP and separate cookie. Roblox could also store the solver’s user agent header.
  1. Make accounts not vulnerable for cracking passwords.
  • The perfect solution would be adding a field into the log in form, which would show only when Roblox account uses 2 factor authentication (to prevent user’s confusion). This would require implementing TOTP. This could also:

always show “Wrong 2 factor code” when using wrong code
show “wrong credentials” error only when using right 2 factor code and wrong password

  1. Implementing additional security solutions such as restricting IPs which can access (not log in as bypassing it with manually using .ROBLOSECURITY token would still work).

  2. As suggested so many times. Add PIN code to more functions such as group management. At the moment I feel like PIN code is the safest solution protecting us from having our accounts lost. We still can lose all the groups, games, items and currencies. I believe Roblox could easily add PIN even into the in-game purchase dialogs which would make it much safer.

Personally. As developers me and my friend use separate PCs to use for Roblox management only. Yes that’s right. No other software. Only VPN, standard secure browser, the newest OS. This still did not secure us from being hacked twice (and no. We did not share our tokens anywhere…)

First time Roblox admins managed to react quick and we could resume work a week after the incident. We got all the items back (though we had to mail Roblox few more times, because they forgot to restore certain revenue). After some research (contacting people who received our funds), we figured out they were sold for real life currency.

Second time hacker has only played our game when he had full access to group and group funds.

We are worried that another attack might make us lose everything. Our game has been on top revenue list few times and we can’t say it doesn’t raise much. Worth noting we spend back over 50% of revenue back on Roblox tools. We are worried that next time admins will refuse to help us (restoration is offered only once) or hackers gets banned with no appeal possibility. We are worried one time it will take too long to lock the account and we will lose everything we achieved. We are afraid that once Roblox ignores us or makes our case lower priority, because we are not as popular as Adopt me’s / Jailbreak’s or 1 bilion visits game. There should be a way to react faster in those situations.

We REALLY want to do everything to stay safe.
Just give us a chance…

26 Likes

It is obvious that 2FA does not offer absolute security. Nothing does, and most likely never will. However, it’s more likely that your service or account that got the account(s) compromised, must be for another reason than Roblox getting bruteforced.

I would recommend you (not as a security expert) to be extra cautious who has access to the tokens, because it seems like the most probable reasons for your compromised account(s) are someone giving them away.

Nobody with their minds in the correct place would be “smart” enough to try to bruteforce online endpoints, as it’s simply not feasible. If they get a hash of your password, then they will do the bruteforcing locally and millions of attempts will be made every second. This is not possible with an online endpoint. If your password got cracked, you probably have a weak password. I suggest you check the password strength here: https://howsecureismypassword.net/ or check if your password is found in another breach here: https://haveibeenpwned.com/

Roblox’s security at the moment is not on the stage of “everyone can get compromised within a couple of weeks”, far from it. Their authentication / authorization cookie is over 300 characters in length, which is a lot.

Another option which, based on what you have said, is the VPN leaking your data. Even though this is possible, I’d say it’s more likely that you have an internal leak, rather than a VPN provider selling your data to some user who wants to get unauthorized access to your account.

However, I agree with you that we should be allowed to filter incoming authentication requests. For example, 1Password lets you blacklist/whitelist IPs, countries and more, which is a huge bonus.

7 Likes

I don’t really want to touch how the tokens were compromised. It is unlikely VPN’s fault as its one of the most popular one and paid. Same with the tokens. We always log off. Never really use tokens nor share it anywhere. Not opening any foreign links and so. Please don’t guide me about that, cause it kinda misses the point. I don’t pretend that accounts were accessed by a bruteforce attack nor that it was Roblox’s fault. We probably won’t ever know what caused that.

My point was to say that Roblox’s security is not the bast and could be improved in many ways. Attacks happen even to big / medium developers and sometimes you don’t even know why and how.

3 Likes

I understand, however you brought it up kind of like it was Roblox’s fault, with no evidence to back it up with, hence why I responded to it with proper solutions to your problem. But, I do agree with your other points :+1:

2 Likes

I’m bumping this topic to give notice that this feature request is being dealt with. This has been recently mentioned by top Roblox engineers @ RDC 2020.

While there is no date for release, speaking with @Seranok on the issue; for more advanced features like Yubikey, it’s a matter of resources. It’s something he is driving for internally.


Official RDC Video w/ relevant timestamp for this question

12 Likes

This has been brought up too many times and I sincerely hope that this will be the last.

Recently there has been multiple occurrences of people getting their Roblox account hacked, and honestly this terrifies me and it makes me feel uneasy and unsure of my accounts safety.

We can all agree that we’d really hate to see our friends account get compromised


I want to raise awareness and ask for Roblox to do something about this issue, we don’t even know if you guys are aware, and please don’t wait for someone like NewFissy, asimo3089, mrflimflam to get their account compromise it will be too late.

Multiple youtubers have been compromise and 1 Million R$ has been stolen from our fellow developer, that is a lot of cash and serious damage!

I’m just a guy whos concern and worried that more accounts will be stolen by random malicious people, I don’t want the situation to get any worse than it already is.

Please communicate with us, tell us what’s going on and if you guys are even aware of the situation, how it will be solved. We generally want to be reassured that Roblox is handling the situation.

We deserve better than this, please treat us better


Feature Requests:

I found multiple threads from 2015 - 2018 asking for better security measures like using Google Authenticator, we all know that 2FA using Email is the weakest 2FA you can possibly have.

We need more website security
More security when sending password reset email
Account Security
Increase password/email change security
Thoughts on 2-Step Verification?
Roblox has a severely flawed 2-Factor Authentication System
2-factor Roblox Account Action Confirmations

42 Likes

I got to add something on to this, hopefully it’s not too late:

Dear engineers working on TOTP:

If you are going to take the route of using a proprietary algorithm and/or force us to use a completely different app from what we already have (like Valve and their Steam Guard app) - you’re all just wasting both your and our time, and making stuff harder for everyone really. 2FA in it’s “standard” form (a short digest of six-digits) is already widely documented, and it works.

RFC 6238 exists (not a standard per se, but accepted as such), and it lets us decide which app we will use to store the 2FA tokens: GA, Authy, KeePass, you name it.

Don’t be like Valve.
Thanks.

10 Likes

Fellow Roblox developers,

Your prayers have been heard. I see Roblox added a new endpoint for 2FA here: TwoStepVerification Api in which you can see they will add support for TOTP, specifically:

20 Likes

Old news but 2FA via Auth has been added. Stupidly Roblox made it so it’s one or the other, so you really have to choose. That’s the only thing keeping me from turning it on for good, the face that I cant use it AND email.

2 Likes

Using two methods that fall within the same factor does not significantly improve security, so this is pointless to implement.

Ref: Multi-factor authentication - Wikipedia

Security only improves meaningfully when you add a truly different factor into the mix. 2FA via email falls into “Knowledge” if you don’t have a 2FA set on your email (it just requires knowing your email password), and if you do also have 2FA on your email, then that adds nothing still because the 2FA via authenticator app is already in the “Posession” category. So having Roblox password + email 2FA + app 2FA is just “Knowledge” and “Posession”, still two factors.

The only way to increase security meaningfully further is if Roblox allows using biometric data input (“Inherent”), such as using iOS fingerprint scanning or iris scanning as an additional factor to log in. There are not really any good solutions for location-based access yet, that’s mostly for corporate use cases where you can use the network as a factor.

3 Likes

The only issue is Roblox says you cant get rollbacks without 2FA enabled now. My 2FA was linked to my PC, and I cant bring a heavy desktop wherever I go. So, it’s either having my account everywhere or risk getting hacked. My password is incredibly strong, I have 2FA via Email and Account PIN enabled though. I’m planning on using 2FA again soon, it’s just incredibly annoying for the time being I will be ineligible for a rollback if anything ever happens to me because I chose to have the ability to log into my account in places other than my own house.

Android and iOS both have multiple good TOTP apps that you can install for free. You don’t need to have the TOTP details just on your desktop device, and you can have the same details on multiple devices if needed.

5 Likes

The same thing happened to me a few days ago. I have the authenticator app for Google Duo on my main, where you have to type in a number before you get access to login to a account. And I have email notifications on for my alt account. I didn’t get notified at all and a person was able to hack me and spend 300 of my Robux. I didn’t find out until I tried buying something and it didn’t go through, then I had to go to the website and go to Transactions then sign out of all sessions, then re-sign in on my phone and computer then change my password, then re-sign in again.