Verify client identity with RoPIN. Users can create a numeric PIN and then use it to verify their identity whenever making high-value transactions in an experience. For example, a high-value trade in a simulator game could require PIN verification to ensure that the users participating in the trade are who they say they are.
HOW IT WORKS
Developers can integrate the RoPIN API into their experiences. They can create a custom UI for verification and allow users to create their own numeric PINs which can then be used in the future to verify their identity during high-value transactions. A client can send a verification request to the server which can verify their identity and call a callback function (such as completing the trade) if verification is successful.
SECURITY
All PIN information is held securely on the server and persists between sessions. Clients cannot access PIN information unless explicitly allowed by the experience developer(s).
CUSTOMIZATION
RoPIN only provides an API, allowing the developer to customize almost any aspect of RoPIN, including the UI, length of the PIN, callback functions, and more.
GET IT
RoPIN is available for free on GitHub and the Roblox Marketplace. You can also view the documentation and API reference on GitHub.
I think you should add a way for players to be able to reset their pins. Although I already know how, like using the datastore editor, etc., some people may not know how to reset pins themselves. I’m talking about developers, so I think you should just add a way to reset pins into your API.
Perhaps you could make it so that there’s one place to go to where you can set your pin, have that place save it to an external database, then have the places that use ropin read from the external database so that the player’s pin persists throughout all games that use ropin.
Whether you do that or not, though, this is still a good idea. Keep it up!
Wouldn’t this kind of cancel the entire purpose of having a pin in the first place?
Realistically there is no way to “verify” ownership of the client aside from knowing the pin. If you know the pin, you are theoretically the owner of the account even if you do not own the account (say the pin was stolen.)
There’s a good reply to one of my threads about this topic that sums it up pretty accurately:
I expected this to be another crappy “anti bot” measure that could be easily bypassed, but this is genuinely a really cool idea. Although remembering a PIN for a lot of casual games is not something I would want to do, this could still be useful for high value Robux purchases or trades. Nice job!
As an opt-in, this acts as a really good multi-factor authentication method. Some other options to consider as well:
For trading high-value items, add an “escrow” for 24-48 hours where the items aren’t yet transferred. This allows players who are compromised to get access to their account and cancel the transaction.
Perhaps only require the PIN when trading to people who are new to the game, have low value, etc. (i.e. someone’s bot account).
Don’t allow the same item to be traded multiple times within a short period.
Instead of just listing the items each player has (i.e. DataStore where a player has “itemA,itemB,itemC”), make a new datastore entry for every unique item and attach a transaction history to it so you can track the exact item that is being traded and revert it if needed without losing track.
No one ever said to use the account pin. It’s simply a four digit combination, Roblox account pin doesn’t own that idea.
And security breaches are an interesting thing: these codes don’t even need to be stored cryptographically. They’re just client-side pins with extra steps (server-side saving.) A developer with the unsecured pin doesn’t allow them access to anything.
This doesn’t seem like a very good idea to verify user identity (Roblox PIN is already not recommended). A malicious user could simply guess the PIN after enough time, and if the real user forgets their PIN, there is no valid way for the developer to verify their identity.
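Added example, not part of any post above and not RoPIN's own code: one way an experience's server could blunt the PIN-guessing concern raised in the last reply is to cap failed attempts and lock verification out for a growing interval, running the success callback only on a match. Every name here (PinGuard, setPin, verify, the constants) is hypothetical, and the in-memory table stands in for a DataStore.

```lua
-- Added example (not RoPIN's code): server-side PIN check with a lockout.
-- All names are hypothetical; `store` stands in for a DataStore.
local MAX_ATTEMPTS = 5   -- failed guesses allowed before a lockout
local BASE_LOCKOUT = 60  -- seconds; doubles on each consecutive lockout

local PinGuard = {}
PinGuard.__index = PinGuard

-- `clock` is injectable so the lockout logic can be exercised without waiting.
function PinGuard.new(clock)
	return setmetatable({ store = {}, clock = clock or os.time }, PinGuard)
end

function PinGuard:setPin(userId, pin)
	assert(type(pin) == "string" and pin:match("^%d%d%d%d+$"), "PIN must be 4+ digits")
	self.store[userId] = { pin = pin, failures = 0, lockouts = 0, lockedUntil = 0 }
end

-- Returns true and runs onSuccess only when the PIN matches outside a lockout.
-- Otherwise returns false, a reason, and seconds left or guesses remaining.
function PinGuard:verify(userId, attempt, onSuccess)
	local rec = self.store[userId]
	if not rec then return false, "no_pin" end
	local now = self.clock()
	if now < rec.lockedUntil then
		return false, "locked", rec.lockedUntil - now
	end
	-- The attempt arrives from the client, so check its type before comparing.
	if type(attempt) == "string" and attempt == rec.pin then
		rec.failures, rec.lockouts = 0, 0
		if onSuccess then onSuccess(userId) end
		return true
	end
	rec.failures = rec.failures + 1
	if rec.failures >= MAX_ATTEMPTS then
		rec.failures = 0
		rec.lockedUntil = now + BASE_LOCKOUT * 2 ^ rec.lockouts
		rec.lockouts = rec.lockouts + 1
		return false, "locked", rec.lockedUntil - now
	end
	return false, "wrong_pin", MAX_ATTEMPTS - rec.failures
end

-- Constructed run with a fake clock and a made-up user id and PIN.
local t = 0
local guard = PinGuard.new(function() return t end)
guard:setPin(1001, "4821")
for _ = 1, 5 do print(guard:verify(1001, "0000")) end -- five wrong guesses
t = 30; print(guard:verify(1001, "4821")) -- right PIN, still inside the lockout
t = 61; print(guard:verify(1001, "4821", function(id) print("trade completed for", id) end))
```

In a live experience the failure counters would need to persist alongside the PIN, since counters held only in one server's memory reset when the player joins a different server.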