The Account Security team at Roblox recently launched Security Keys on Web and iOS and is hard at work on additional features and tools which will help to protect your account.
In the meantime, we want to remind you to enable 2-Step Verification (2SV) via an authenticator app. This is the most secure way to keep your Roblox account safe. This feature adds an extra layer of security to your account even if your email or password is stolen. This requires a second form of verification in addition to your password, by requiring a unique code generated through your chosen authenticator app.
In addition to enabling these important features, it is crucial that you are aware of and responsible for the actions you take towards your account. Roblox’s security features paired with your actions will help to protect your accounts from compromise.
In case your account is compromised, and you seek assistance, you must contact Roblox within 30 days of compromise. Only in very limited circumstances, Roblox may be able to offer compromised account owners the ability to recover lost inventory or the approximate value of that inventory. For more information, please visit our Help page.
In addition to that, is there any plan to add a way to have a parental account pin, but for security purposes, (Enabling the parental account pin limits functions on the Talent Hub ) so that we have a 3rd layer of security so people can’t change our email or password. Thanks, though.
So, just to be completely clear, there are no more “1 time restoration” rollbacks, except for “in very limited circumstances”? Is there any way we could get clarification on what these circumstances could be?
They are physical keys that are used by applications to authenticate you. They are given a challenge every time you try to authenticate and they will cryptographically sign it, their signatures are unique so they can guarantee that the person who is trying to login has permissions.
Parental pin is completely moot for security purposes because it is a fixed value with only 4 digits of entropy. It is not a security feature, it’s a parental safety feature.
I think what you want to ask for instead is this: having Roblox prompt 2FA gates for sensitive actions around the site. This would increase security a lot for cases where your cookie is exfiltrated (browser extension, running a malicious script that pulls your cookie, etc).
As far as I know, there are physical keys you can use, but many modern phones should come with one built in as well to use over Bluetooth (such as fingerprint or a passkey). Currently, it seems to not really help security-wise since you’re still required to have an Authenticator app on top of it, but it definitely has made signing in faster for me, compared to having to enter a code.
Only issue I’ve had so far with it is at times it’ll reject the device and won’t even send the notification on Web when I try to sign in, after having it synced for some time. Signing out and back into my web browser (Chrome) on both Mobile & PC, and making sure sync is on, has fixed this problem for me so far. Make sure you always keep your backup codes in a safe & accessible place in the event you lose your authenticator or your security key (in this case, your phone).
I am quite happy to see that proper two factor authentication has been added. I actually setup my Yubikey with my account a week or two ago. While this helps protect accounts, I would be nice to see this feature added to sensitive actions such as confirming a trade or even making a purchase with Robux. Either forced or an option that can be enabled to prompt. Similar to how Steam prompts for verification when doing trades and such. This could help in cases where the account is compromised by cookie/token being stolen as these are the most common ways accounts are stolen now days opposed to stealing passwords.
Iirc there was a plan to release IP-locked cookies in quarter 1 of this year, is that released yet? If not (which I assume it’s not due to no announcement) then all the below issues apply:
Most security breaches no longer occur via password guessing but rather cookie logging, no added 2FA possibilities will ever solve this unless the cookie logging problem is finally destroyed, which has not happened yet. On top of this, security keys are still not available on android!? Why is such a major device marketshare being left out of the equation with such a dramatic policy change?
The previous one-rollback policy is now practically officially gone yet with very little added security since the old policy (except the addition of 2FA which I already mentioned can be bypassed), this doesn’t sound correct at all. I’m expected to handle the security of my own account with the same system that Roblox previously required a rollback system for due to security issues?
Speaking of which, has anyone been having trouble with 2 factor authentication via google authenticator? All of my codes won’t work even after creating new ones.
2FA gates on key site actions will solve this problem. Cookie logging doesn’t grant access to a victim’s mobile device, meaning that whenever an attacker goes to do something particularly harmful (i.e. group payouts, downloading experience information) they will be stopped by requiring a 2FA code. I’m sure Roblox will expand the amount of actions that require a code in the future.
Roblox has a rollback system as a courtesy, because they know mistakes happen. At the end of the day, a majority of compromises happen because of user error. Whether it be you download a malicious extension, or fall victim to a scam, it comes back to you. Roblox did not offer a rollback system because they viewed their own systems as subpar!
This feature is great for many users who are advancing their security! However, could it also be possible to send emails regarding account logins? This would be very helpful to those who want to opt-in for authentication logs similar to Google’s method of reporting account login attempts after granting access to the person who successfully logged in.
This was posted before RDC 2022 in where IP address-based cookies were announced, unless there was a communication error on it’s status? Also if this is the case that it is enabled, it doesn’t appear to be functioning very well, there have still been multiple cases of cookie logging in the past year. There is some vulnerability still there somehow, or it was seemingly disabled later in the year (using a VPN allows me to remain logged-in).
While this can solve the problem, until more of these gates are added, I will not feel secure of this system, especially with Roblox’s unfortunate past of promising updates and actually releasing them years later.
Fair point, however the lack of this previous ‘safety net’ is definently concerning especially when the only words given to us are ‘enable 2FA’
It is pointless to continue using parental pin considering 2FA with TOTP exists. One-time passwords have much higher entropy than a static 4-digit pin and are a true factor of security. A pin is trivially circumvented by an attacking party.