The beginning of our passwordless journey: passkeys login

This is a setting that you can turn on/off. In fact, you can register a passkey and still use your password to login if you wish. You don’t have to choose one or the other.

14 Likes

The wording of that title is worrying. My long, complex passwords stored in an encrypted offline password manager are significantly more secure than FaceID or a fingerprint. Password-based login should be a permanent fixture.

Edit: I did some research and apparently passkeys can also be stored offline in something like a Yubikey. I was under the impression that this feature was essentially just biometrics. My bad. I still want to retain the ability to use a password, though.

15 Likes

Great feature!

However I have one concern, will having active passkeys restrict the account from creator-facing features in a similar way that having a PIN connected to your account does?

Also will passkeys be for all ages or 17+ only?

5 Likes

I am glad that Roblox is taking the direction of more account protection and better security for Roblox accounts. My one concern is that I don’t want this to fully replace passwords and that this will be optional. Otherwise I am fine with this.

9 Likes

I’ve been attempting to add a passkey using 1Password on Safari for Mac (macOS Sonoma), and whilst the passkey is added and functions successfully, it is not labelled correctly.

It automatically sets the name to “iCloud Keychain” with no way to change it nor any prompt, unlike when setting a Hardware Security Key.

[Screenshot 2023-11-16 at 21.24.43]

7 Likes

This is a security feature, therefore, no, it will not be restricted to any age, and it will not restrict your account by any means. PIN was originally designed as parental control feature to protect important settings from being changed by a child, but due to lack of security improvements in the past, people misused the feature to protect their accounts by making it harder to change account details.

6 Likes

For the love of God please stop trying to be hip and cool with the kids! EVERYONE and I mean EVERYONE has a password manager!

That being said I welcome this change and hope that the security on Roblox continues to grow as long as you never remove passwords.

7 Likes

I think that this is a great option for those that want their Roblox accounts to be immensely secured. However, I strongly disagree with replacing passwords with this system. This system has its own drawbacks, and I, personally, do not want to do a retina scan just get into my Roblox account.

Phrases like “passwordless journey” and “Roblox believes in a passwordless future for our community” imply that one day the ONLY option to log onto a Roblox account will be passkeys. Which is a terrible idea. Not everybody has access to a fingerprint reader or webcam or even a 2nd device to enter a passcode onto. Not to mention this level of protection is ridiculously excessive for most Roblox accounts. In most cases, a normal password works just fine.

7 Likes

One thing to note is that password usage still opens you up to phishing. A malicious Roblox lookalike website could fool a user into giving away their password. We’re also seeing password managers introduce passkey support, and you’ll be able to keep your current set up and still use a passkey in the near future if you wish.

13 Likes

This is an excellent addition towards a passwordless and (potentially*) phishless future for Roblox. It is quite surprising that Roblox allows for higher security features than most financial/banking websites.

I just hope that there are no Arkose Labs CAPTCHAs for passwordless login attempts, since a physical device/separate account is required to log in. If this is the case it would be an added reason for users to adopt passwordless logins.

5 Likes

Or have them written down in a notebook at your desk or in your bedroom.

7 Likes

In my opinion, this is a huge mistake. 2FA/MFA needs to be supported by all login methods. Yes, hardware keys are more secure than passwords, but a password + a hardware key is more secure than a hardware key by itself.

I will not be enabling this feature as it would make my account less secure than my current password + hardware key, and hope that it never becomes mandatory like phone numbers did at one point.

4 Likes

No, it removes 2FA from your account, because you can sign in with ONLY the passkey (a single factor)

3 Likes

This statement is not entirely true. If you have a complex and secure password stored in an encrypted offline password manager, your account is sufficiently secured. But stating that passwords are significantly more secure than passkeys means that an attacker would easily:

  • be able to know that you used your phone as your passkey,
  • be able to physically break into your phone, and
  • have you physically authenticate using your fingerprint or face to unlock the passkey for your account.

8 Likes

Passkeys are actually both a first and a second factor for authentication if configured properly.

For FIDO2 Security Keys (if configured with a password) it is something you have (the physical key) and something you know (the FIDO2 password).
For iCloud Keychain it’s something you have (your phone) and something you are (your Face ID or Touch ID).
For password managers (Bitwarden or any other passkey-supporting PM) it’s something you know (your PM’s password) and a second factor (if it’s enabled).

11 Likes

This is correct. A passkey itself is one factor of authentication (something you possess). In order to enable the passkey for sign-in (as opposed to being used as a secondary authentication factor), it needs to be protected by a FIDO2 password or a biometric credential.

This article explains it pretty well:

Passkeys are 2FA because they require two factors to authenticate a user:

  • Something you are OR something you know: In order to use a passkey for authentication, users must first provide their local device biometrics (Face ID, Touch ID, Windows Hello) or their local device PIN. This proves the “inherence” factor.
  • Something you own: Once the user passes their inherence factor, the passkey on the user’s device authenticates the user with asymmetric cryptography and proves that they own the passkey. This fulfills the “possession” factor.

9 Likes

Please make a passkey where you make a question and answer, and the next time you sign in a prompt shows the question and a typable box appears to type the answer, since getting Gmails and using an authenticator app to log in is pretty hard and annoying.

3 Likes

I have that too for the important ones but I’ll be honest, manually entering 30+ characters is too much work for me unless it’s critically necessary.

3 Likes

While I obviously applaud every attempt to keep up with the latest security trends and love that Roblox has our account safety in mind, I’m also not eager to be forced into passkeys in the future. Will passwords be an option for logging in for the foreseeable future?

For context, I don’t currently use passkeys at all. I prefer to keep biometric data offline so I don’t have any fingerprints or face ID saved on my phone, so a passkey is basically just a hardware key to me so I just use one of those instead when it’s available. I don’t want to be forced into passkeys.

7 Likes

Where did you get this from? You do realise passkeys have been favoured over passwords for years due to their security?

Face ID is a better option. Nobody else besides YOU can access something with it. If you use an on-device passcode it’s still more secure. The only way your account could get hacked is if you’re using passcodes & your phone is stolen.

4 Likes