Iirc there was a plan to release IP-locked cookies in quarter 1 of this year, is that released yet? If not (which I assume it’s not due to no announcement) then all the below issues apply:
Most security breaches no longer occur via password guessing but rather cookie logging; no added 2FA possibilities will ever solve this unless the cookie logging problem is finally destroyed, which has not happened yet. On top of this, security keys are still not available on Android!? Why is such a major device market share being left out of the equation with such a dramatic policy change?
The previous one-rollback policy is now practically officially gone, yet with very little added security since the old policy (except the addition of 2FA, which I already mentioned can be bypassed); this doesn’t sound correct at all. I’m expected to handle the security of my own account with the same system that Roblox previously required a rollback system for due to security issues?
Speaking of which, has anyone been having trouble with 2 factor authentication via google authenticator? All of my codes won’t work even after creating new ones.
2FA gates on key site actions will solve this problem. Cookie logging doesn’t grant access to a victim’s mobile device, meaning that whenever an attacker goes to do something particularly harmful (i.e. group payouts, downloading experience information) they will be stopped by requiring a 2FA code. I’m sure Roblox will expand the amount of actions that require a code in the future.
Roblox has a rollback system as a courtesy, because they know mistakes happen. At the end of the day, a majority of compromises happen because of user error. Whether it be you download a malicious extension, or fall victim to a scam, it comes back to you. Roblox did not offer a rollback system because they viewed their own systems as subpar!
This feature is great for many users who are advancing their security! However, could it also be possible to send emails regarding account logins? This would be very helpful to those who want to opt-in for authentication logs similar to Google’s method of reporting account login attempts after granting access to the person who successfully logged in.
This was posted before RDC 2022, where IP address-based cookies were announced, unless there was a communication error on its status? Also, if this is the case that it is enabled, it doesn’t appear to be functioning very well; there have still been multiple cases of cookie logging in the past year. There is some vulnerability still there somehow, or it was seemingly disabled later in the year (using a VPN allows me to remain logged in).
While this can solve the problem, until more of these gates are added, I will not feel secure with this system, especially with Roblox’s unfortunate past of promising updates and actually releasing them years later.
Fair point, however the lack of this previous ‘safety net’ is definitely concerning, especially when the only words given to us are ‘enable 2FA’.
It is pointless to continue using parental pin considering 2FA with TOTP exists. One-time passwords have much higher entropy than a static 4-digit pin and are a true factor of security. A pin is trivially circumvented by an attacking party.
What if an attacker uses your support to social engineer their way into your account? This is a major problem that has hacked multiple big devs and YouTubers since around August 2020.
Just double-checking, did you see the part in my post where I mention that a pin is trivially circumvented? It only takes 5000 web requests to bypass a parent pin on average. The attacker can do this asynchronously to you using the site (e.g. via a browser extension they can poll every so often until they find the pin) and then send the pin + cookie to an external location for malicious use.
Parental pin does absolutely nothing here in terms of true security factors.
Ask Roblox instead to make use of 2FA / physical key checkpoints more often across its services. For example, they could ask for 2FA before password/email changes, which would be miles better than the current pin guard.
Developer Forum now uses OAuth to authenticate to Roblox; I suppose a way to fix that is to enforce 2SV on the OAuth grant page before it actually grants the OAuth token.
I got a banner notification telling me about this and a message telling me to enable it. Are these two meant for everyone or just people who haven’t enabled it? I’ve had the feature enabled ever since it became available, so I’m concerned that something may not be functioning as intended.
That’s your prerogative, but the PIN here prevents nothing that the security key doesn’t already prevent.
This is not something that should be incentivized by the product design; keep security features as security features, and parental safety as parental safety features.
Do not mix them randomly, because this confuses users into thinking there is actually a security gain here (as evident from the fact that I need to keep replying to people who insist it actually has security value).