Thanks for posting this. I want to assure you that we do take account security seriously at Roblox and are working behind the scenes to make sure your accounts are as safe as possible.
For example, we recently added login location to verification code emails. If you ever see an incorrect location, double check to make sure the page you are logging in to is roblox.com. This should help prevent phishing attacks like the one you described.
Going back to your original point, I am not sure that our 2SV system is “severely flawed”. The implementation is industry standard and is subject to the same sort of phishing attacks that companies like Google face. Providing alternate verification options like Authy or Duo wouldn’t provide any additional protection from those sorts of phishing attacks over what we have today. I still think it would be good to provide those options for other reasons.
Regarding the suspected security incident at RDC Amsterdam, I’ve looked into it and I don’t see any compelling evidence that it was an attack. The two symptoms which led people to jump to that conclusion were:
- Developers reported getting randomly logged out. This appears to be happening to developers who did not attend RDC, so I suspect it is a platform-wide bug. I’ve passed this information along to the right people so it can be investigated further.
- Developers saw “Not Secure” when browsing roblox.com during the event. There are bugs which may cause this to happen, e.g. joining a game from the website incorrectly marks the page as insecure because it is using a custom protocol to launch the client. If you ever see “Not Secure” when using our website please file a bug so we can fix it.
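The advice above to "double check to make sure the page you are logging in to is roblox.com" is easy to get wrong by eye, because phishing hosts often contain the real domain name somewhere in the string. The following is an added example (not Roblox code, and not part of the post) of how such a check can be done mechanically: it accepts only https URLs whose host is exactly the trusted domain or a subdomain of it, and rejects lookalikes that merely embed the name. The sample URLs at the bottom are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed trusted registrable domain; any real deployment would take this
# from configuration rather than a hard-coded constant.
TRUSTED_DOMAIN = "roblox.com"


def is_trusted_login_url(url: str, trusted_domain: str = TRUSTED_DOMAIN) -> bool:
    """Return True only for https URLs whose host is trusted_domain itself
    or a subdomain of it. Hosts that merely *contain* the domain name
    (roblox.com.example.net, rob1ox.com, user@-style tricks) are rejected."""
    parts = urlsplit(url.strip())
    # A login page that is not served over TLS is not trustworthy at all.
    if parts.scheme.lower() != "https":
        return False
    # .hostname is lowercased and has userinfo and port already removed,
    # so "https://roblox.com@example.net/" yields "example.net".
    host = parts.hostname
    if not host:
        return False
    host = host.rstrip(".")  # tolerate a trailing FQDN dot
    # Encode to IDNA/punycode so a Cyrillic or other lookalike character
    # can never compare equal to the ASCII domain.
    try:
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return host == trusted_domain or host.endswith("." + trusted_domain)


def flag_untrusted(urls):
    """Return the subset of urls that fail the check, for reporting."""
    return [u for u in urls if not is_trusted_login_url(u)]


# Constructed sample input: a mix of genuine and lookalike login URLs.
SAMPLE_URLS = [
    "https://www.roblox.com/login",            # genuine subdomain
    "https://ROBLOX.COM./login",               # case and trailing dot only
    "http://www.roblox.com/login",             # plaintext, reject
    "https://roblox.com.example.net/login",    # domain embedded as prefix
    "https://roblox.com@example.net/login",    # userinfo trick
    "https://rob1ox.com/login",                # digit-for-letter lookalike
    "https://rоblox.com/login",                # Cyrillic 'о' lookalike
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print("OK   " if is_trusted_login_url(u) else "WARN ", u)
```

Only the first two sample URLs pass; the check is meant to be the programmatic equivalent of the visual inspection the post recommends, and it deliberately ignores the path and query string, since those carry no trust information.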