The beginning of our passwordless journey: passkeys login

For the love of God please stop trying to be hip and cool with the kids! EVERYONE and I mean EVERYONE has a password manager!

That being said I welcome this change and hope that the security on Roblox continues to grow as long as you never remove passwords.

7 Likes

I think that this is a great option for those that want their Roblox accounts to be immensely secured. However, I strongly disagree with replacing passwords with this system. This system has its own drawbacks, and I, personally, do not want to do a retina scan just to get into my Roblox account.

Phrases like “passwordless journey” and “Roblox believes in a passwordless future for our community” imply that one day the ONLY option to log onto a Roblox account will be passkeys. Which is a terrible idea. Not everybody has access to a fingerprint reader or webcam or even a 2nd device to enter a passcode onto. Not to mention this level of protection is ridiculously excessive for most Roblox accounts. In most cases, a normal password works just fine.

7 Likes

One thing to note is that password usage still opens you up to phishing. A malicious Roblox lookalike website could fool a user into giving away their password. We’re also seeing password managers introduce passkey support, and you’ll be able to keep your current set up and still use a passkey in the near future if you wish.

13 Likes

This is an excellent addition towards a passwordless and (potentially*) phishless future for Roblox. It is quite surprising that Roblox allows for higher security features than most financial/banking websites.

I just hope that there are no arkose labs captchas for passwordless login attempts since a physical device/separate account is required to log in. If this is the case it would be an added reason for users to adopt passwordless logins.

5 Likes

Or have them written down in a notebook at your desk or in your bedroom.

7 Likes

In my opinion, this is a huge mistake. 2FA/MFA needs to be supported by all login methods. Yes, hardware keys are more secure than passwords, but a password + a hardware key is more secure than a hardware key by itself.

I will not be enabling this feature as it would make my account less secure than my current password + hardware key, and hope that it never becomes mandatory like phone numbers did at one point.

4 Likes

No, it removes 2FA from your account, because you can sign in with ONLY the passkey (a single factor)

3 Likes

This statement is not entirely true. If you have a complex and secure password stored on an encrypted offline password manager, your account is sufficiently secured. But stating that passwords are significantly more secure than passkeys means that an attacker would easily:

  • be able to know that you used your phone as your passkey,
  • be able to physically break into your phone and
  • have you physically authenticate using your fingerprint or face to unlock the passkey for your account.

8 Likes

Passkeys are actually both a first and a second factor for authentication if configured properly.

For FIDO2 Security Keys (if configured with a password) it is something you have (the physical key) and something you know (the FIDO2 Password).
For iCloud Keychain it's something you have (your phone) and something you are (your FaceID or TouchID).
For Password Managers (Bitwarden or any other passkey supporting PM) it's something you know (your PM’s password) and a second factor (if it's enabled).

11 Likes

This is correct. A passkey itself is one factor of authentication (something you possess). In order to enable the passkey for sign-in (as opposed to being used as a secondary authentication factor), it needs to be protected by a FIDO2 password or a biometric credential.

This article explains it pretty well:

Passkeys are 2FA because they require two factors to authenticate a user:

  • Something you are OR something you know: In order to use a passkey for authentication, users must first provide their local device biometrics (FaceID, TouchID, Windows Hello) or their local device PIN. This proves the “inherence” factor.
  • Something you own: Once the user passes their inherence factor, the passkey on the user’s device authenticates the user with asymmetric cryptography and proves that they own the passkey. This fulfills the “possession” factor.

9 Likes

Please make a passkey where you make a question and answer, and the next time you sign in a prompt shows the question and a typable box comes up to type the answer, since getting Gmails and using an authenticator app to log in is pretty hard and annoying.

3 Likes

I have that too for the important ones but I’ll be honest, manually entering 30+ characters is too much work for me unless it’s critically necessary.

3 Likes

While I obviously applaud every attempt to keep up with the latest security trends and love that Roblox has our account safety in mind, I’m also not eager to be forced into passkeys in the future. Will passwords be an option for logging in for the foreseeable future?

For context, I don’t currently use passkeys at all. I prefer to keep biometric data offline so I don’t have any fingerprints or face ID saved on my phone, so a passkey is basically just a hardware key to me so I just use one of those instead when it’s available. I don’t want to be forced into passkeys.

7 Likes

Where did you get this from? You do realise passkeys have been favoured over passwords for years due to their security?

Face ID is a better option. Nobody else besides YOU can access something with it. If you use an on-device passcode it’s still more secure. The only way your account could get hacked is if you’re using passcodes & your phone is stolen.

4 Likes

This exactly. Apple’s Face/Touch ID mechanisms are sophisticated, and even other Android phones are doing the same thing now. You can’t just hold up a picture of a face to gain access like this guy thinks.

3 Likes

Can we get a QR code scan login? I want to log in fast, I'm tired of using my authenticator. I'm an Android user btw.

3 Likes

They said that passkey support will be released on Android soon, so you could log in fast ig.

3 Likes

This probably should have been the first sentence of the OP.

3 Likes

Don’t know. To me those methods feel less secure and less reliable.
What if I lose the device? Can I just log in normally and revoke the passkey?
And many devices, to this day, do not offer any kind of fingerprint or Face ID (mostly in less developed countries), so hopefully it does not become mandatory but stays opt-in.

4 Likes

Interesting to see, I'll try it soon.

3 Likes