Stop Compromising Developer Security with Phone Numbers

As a Roblox developer, it is currently too hard to keep my account secure while still using all of Roblox’s features.

Phone number verification is a blight on technology and should be abolished entirely. They were never designed with any kind of security in mind and can be stolen with a simple phone call to the user’s mobile carrier.

Especially considering most Roblox developers have been doxxed following the RDC data breach, it’s irresponsible and dangerous to continue pushing phone number verification on users. Despite universal agreement about the dangers of phone numbers, today this un-dismissable banner has appeared on the home page of Roblox, presumably indefinitely.

Why is Roblox actively encouraging developers to compromise the security of their own accounts? This banner should be removed, and all features locked behind phone number verification should be made available through a different avenue.

79 Likes

Ikr, I mean, at least it’s not an ID verification system. I wish it was like an email system

7 Likes

full support!

(genuinely have zero idea what phone numbers are even meant for nowadays other than old people and extremely flawed 2fa lol)

6 Likes

Phone numbers aren’t bad if the site has good security, multiple forms of authentication at once, and a well staffed support team that’s happy to help not only protect users’ security but also in the (ideally rare) cases they need to recover an account that they can get it back quickly and easily.

But of course, this is Roblox. Why would anyone expect any of the above with all things considered.

2 Likes

please read the post before immediately trying to blame it on roblox’s support team

7 Likes

The only reason I ever gave roblox my phone number was to get voice chat access in September 2021, but even still I don’t think we should have to give our number for voice access let alone anything. I don’t see applications like Discord demanding your number for access to voice chat. It just seems entirely useless

6 Likes

Full support. In the same way that SSNs are commonly used to verify identity (a system which was not meant to be used for identification) is a bad idea, text messaging services should not be utilized in any way for account security.

5 Likes

Please remove this from my screen, I have made a conscious decision not to add my phone number because I know better.

Further, phone numbers are not people identifiers. Phone numbers are not a way to verify you are human. Phone numbers are identifiers for phone lines. Pretending they mean anything else can, will, and has led to an incredible number of security incidents for individuals since internet services have started doing this. It is irresponsible for Roblox to push on trying to collect them, because I know what support has done with them for bad actors in the past, numerous times. They make your account less secure, particularly more open to social engineering attacks. The only thing they actually do is make a couple of features more convenient.

14 Likes

Ironic they start shoving this in our faces again after that huge data breach occurred.
Phone Number verification is literally the worst thing you can possibly ever do to keep your account “secure.”

Does no one remember high-level YouTubers being compromised years ago because of stuff like this?

Phone Number verification as a concept is idiotic and should be abolished.

9 Likes

To be honest I never quite realised the dangers of adding phone numbers (especially in the case of verification rather than where required for contact or payment purposes), it’s just that I’ve grown accustomed to adding a phone number depending on if a service requires it for whatever reason.

I’ve just removed my phone number from my Roblox account - not sure what implications that’ll have for now, but I’ll sort that out when I cross that bridge. Despite being fairly security conscious, there’s still a number of new things that I’m learning about security and the RDC data breach has left me particularly squeamish about trusting Roblox with any PII considering how a scary amount of data went out. I’m fortunate enough for now that nothing’s happened but that could change any day.

Account security has been a problem for Roblox for an ample amount of time and now when developers’ livelihoods depend on the security, stability and services of the platform (whether to supplement or as a full-time job), it’s time to take these matters more seriously.

EDIT: Results of removing my phone number: I am now also receiving an undismissable banner to add my phone number to my account. I am both ID verified and have 2FA enabled.

5 Likes

This is even more stupid when you realise they are also prompting ID verified players to add their phone numbers. There’s no advantage to adding my phone number when I’m already verified through my government issued ID, I already have access to all features and don’t need a flawed and prone to social engineering attacks method of verification on my account.

10 Likes

Thanks for raising awareness about this. I didn’t realize I had a phone number on my account. Immediately removed it.

In my opinion the banner should give a warning to remove your phone number, not add it…
But having a “Don’t show again” prompt we can click would be good enough.

2 Likes

I’m pretty sure phone numbers are already being phased out. I don’t have the phone number option at all in account settings:


nor do I have it on a fresh account:

1 Like

You really should be able to just dismiss the banner, but for those of you who are on desktop you can zap the phone verification pop-up with UBlock Origin (or another adblocker of your choice) as an alternative for now.

4 Likes

Remember the SIM SWAPandemic that plagued Roblox back in 2021? Btw that was also the same year my account got compromised and I lost 150k of limiteds which I had to buy back on my own. Also I’m stuck with this same notification on my Roblox homepage. After the chaos we saw unfold, if Roblox is just going to forget it happened and actually think we are gonna willfully put our accounts in jeopardy then they have another thing coming! I personally wouldn’t verify a phone number even if they gave us unlimited rollbacks.

2 Likes

I said this about their push to ‘get heckin verified!’. It’s disgusting that this company continues to push for children to upload their photo IDs and other identifying info for it to get sent around to whatever shady middleman data processors Roblox uses that totally don’t save your photos (just trust us guys!) and stored in insecure databases for years on end that inevitably get leaked all while pushing the idea that uploading this data will make your account somehow more secure and unlock new features and cool badges. The people responsible for the absolutely awful data management surrounding RDC should be publicly named and shamed because clearly the developers at Roblox don’t feel the repercussions of their own actions. Who is behind this, who keeps pushing for this? It’s clearly not about account security or else they’d be pushing better options like authentication apps

3 Likes

Phone and email verification is by far the most useless form of verification ever. I would know this as I’ve done countless amounts of security work. Email verification will very easily go stale if someone manages to access your email.

And as stated in the main post, Phone Numbers are BY FAR the most vulnerable targets for hacking. All it would take for a malicious actor to get access to your phone number is to either call up your phone provider and social engineer them, or have another malicious actor who has access to your phone provider’s customer support panel do it for you.

I think Roblox should be pushing the security features that ACTUALLY work, like the Authenticator or Hardware Authenticators (like YubiKey).

2 Likes

If someone is able to impersonate your identity, a Roblox account is by far the least of your worries. I believe my argument still stands.

2 Likes

What do you suggest for verification?

The primary form of verification I would suggest is authenticator or a biometric hardware key.

Authenticator is a very very hard method to crack, but when you use a biometric hardware key it basically makes you unhackable. The only way to unlock your account would be to have the exact key that you have, which is impossible to replicate.

These methods of security will therefore give you the best possible protection that Roblox can offer.

3 Likes