Thoughts on 2-Step Verification?

In my opinion Google Authenticator is a must! Many other companies support TOTP and Google Authentication. I pretty much have everything on Google Authenticator (except steam). Adding ROBLOX to Google Authenticator would be super convenient!

1 Like

I’d like to see SMS verification, I find it the least tedious to use because my phone is always on me. Maybe even lock the account after a password change until you can enter an SMS code.

Yes. I use 2-factor verification with every account it’s available with. SMS would be fine for me, the only foreseeable problem is people without phones, but I don’t think that’s too big of a problem.

I would 100% use. I want my money as safe as possible.

SMS verification would be fantastic

I’d want an ‘Unknown login’: has your account been logged in from Norway? Send an email/text asking if this was them and prevent that Norway guy from logging in until you’ve verified it. Similar to how Steam works with trusting computers to use your Steam account, if you get a new machine it’ll want you to verify it and ‘name it a friendly name’.

Why not incorporate some kind of 2 factor auth with the existing ROBLOX app? That way you know only the person currently holding that device can authorize new machines or an unexpected login from Norway or, to be extra secure, authorize purchases over 1000R$. A machine cap that you can set so the maximum times you can be logged in at once (e.g. be logged in on your phone, tablet and computer), that way there’s no possible way of logging in to your account from a new machine (unless you de-authorize one from your existing machines).

Of course everything is optional but I’d personally want all of these on


Currently, I hate how insecure our accounts are; if someone has our password that’s it. They’re on and you’re screwed.

2 Likes

I totally agree with @anon80475429 as I have no phone to use for SMS / other types of authentication, so if we got an email when someone logs in from an unknown location and the account gets locked until confirmed via email that would be great!

2 Likes

Yes, @anon80475429 is right, we need something like Facebook that allows you to see the sessions and at least an estimate of where people are logged in from. I was thinking you could show the IP on each session; however, that could cause issues, so at least location would be nice.

This is still true.

5 Likes

I would use this.
SMS will work for me.

I wouldn’t use this as I don’t own a phone.

Same here.

I don’t have a phone either so I would prefer an alternative method.

Could you guys tell us what method you would prefer? If they create a feature like Steam’s Steamguard I would also say that perhaps e-mail is better. Or for phone users they can use the app.

  1. Limiting max devices logged in at one time (I’m not logged on more than 2 devices, my iPad and computer) and if someone tried to log in it would just error saying ‘Please deactivate one of your current devices or increase your device limit’. This should be optional but I would certainly use it.
  2. This, but instead of IP show a ‘rough location’.
  3. If I buy a limited, ‘escrow’ it similar to Steam so it can’t be traded or sold for 3 days or a week (or a custom amount of time).
  4. When making large purchases over a certain amount (that you can edit yourself) you’ll have to confirm it via the ROBLOX mobile app or email.
  5. If I have the 2 step on, when editing any of my account features (like password or email) require confirmation on the app.

All these are optional features but of course having them all on makes your account much more secure

2 Likes

This could be good for limited trading as well. If you’re trading something that has a high RAP value for something with a low RAP value, or selling for a really cheap price, it will ask to confirm it. This way, people stealing accounts cannot give limiteds to their main accounts.

1 Like

Authentication with TOTP can be used without a phone, all you need is an application capable of generating one-time passwords from the shared secret (in base32, hexadecimal, or as a QR code; most websites I’ve seen provide the base32 secret and a QR code, but I’ve never seen one provide the secret as hexadecimal).

I don’t think SMS should be supported because the SMS system was not designed with security in mind. If it is supported, it should at the very least not be possible to reset the password with just an SMS (i.e. the previous password should be required as well).

1 Like
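To make the point above concrete (that a TOTP code needs nothing more than the shared secret and a clock, no phone number involved), here is an added worked example that is not part of this thread and not Roblox code. It implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library only, accepts the secret in base32 (what a QR code or the text fallback on most sites carries) or hex, and shows the server-side check with a small clock-drift window. The secret used is the published RFC 6238 test secret, so the codes it produces can be checked against the RFC; SHA-1, 6 digits and a 30-second step are the defaults authenticator apps assume when the site gives nothing else.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(secret: str, encoding: str = "base32") -> bytes:
    """Turn the shared secret, as an authenticator app receives it, into raw
    key bytes. Base32 is what nearly every site hands out (a QR code just
    carries the same base32 string in an otpauth:// URI); hex is the form
    used in the RFCs."""
    cleaned = secret.strip().replace(" ", "").upper()
    if encoding == "base32":
        # Sites usually strip the '=' padding; b32decode wants it back.
        cleaned += "=" * (-len(cleaned) % 8)
        return base64.b32decode(cleaned)
    if encoding == "hex":
        return bytes.fromhex(cleaned)
    raise ValueError("unsupported secret encoding: " + encoding)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at an offset taken from the last nibble."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods
    since the Unix epoch. `at` lets a caller (or a test) pin the time."""
    now = time.time() if at is None else at
    return hotp(key, int(now // step), digits)


def verify_totp(key: bytes, code: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Phones and servers drift, so the code for the
    previous and next period is accepted too (window=1). compare_digest
    keeps the comparison constant-time; the drift loop runs to completion
    rather than short-circuiting so the result is not leaked via timing."""
    now = time.time() if at is None else at
    counter = int(now // step)
    ok = False
    for drift in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(key, counter + drift, digits), code)
    return ok


if __name__ == "__main__":
    # Constructed input: the RFC 6238 test secret "12345678901234567890",
    # shown the way a website would display it (base32, no padding).
    key = decode_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code right now:", totp(key))
    print("RFC 6238 vector, t=59, 8 digits:", totp(key, at=59, digits=8))
```

The same secret can be loaded on several devices (or on a desktop OTP tool) because nothing about it is tied to a SIM; the trade-off is that whoever holds the base32 string holds the second factor, so the enrolment screen that shows it deserves the same protection as the password itself.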

Neither was the internet but here we are using its flawed designs and protocols. Email isn’t secure either, but here we are clicking ROBLOX password reset links through our email. This is not a valid argument.

I think the majority of people would want to have 2-step verification based on phone number and many big websites offer this option as well, it would be extremely silly not to support this as an option. Then you’re making it unnecessarily complicated for non-technical people to secure their account.

2 Likes

I think you meant to phrase this differently, otherwise it means someone is screwed when they lose their password.

The idea of 2-step is to verify that you are the owner; it shouldn’t be used for password reset links. It is meant to be as you log in that the attacker is stopped, as they don’t have access to your phone. Outlook asks for the last 4 digits of your phone number too for even better security so you don’t get bombarded with texts.