Thoughts on 2-Step Verification?

I think the main question is what authentication types would most people use?

SMS?
Email?
Google Authenticator?

I think it would be some combination of all, but to start any of them are better than none. And since some of our users are international and some don’t have phones, email is likely the place to start and build out from there.

With what I would call a phishing epidemic (seriously, nowadays every popular game/item comments/group wall is filled with people reposting these scam links), ROBLOX definitely needs to create this feature and push lots of people to use it.

Email will be a good place to start for this, it’s probably what most players will use.

My ROBLOX forum thread with hundreds of vocal supporters for this feature

I agree, I feel like this feature is getting a lot of support but this thread kind of died a while ago. Email is definitely the place to start then we can move on to SMS and Google Auth. Any method of 2 step verification is better than none in my opinion.

Two step verification is on our roadmap. We’re hoping to have it out for users in the coming year.

11 Likes

Thank you for this status update! I’ll be looking out for this feature :wink: It’s something that is being requested more frequently. Can’t wait!

I’d go for SMS or Google Authenticator since I feel they are more secure than email because someone could hijack that as well. But support for all 3 would be good too.

I agree with @Merely that it only makes sense to have two-step verification after having HTTPS available and enforced on the entire website. I consider that more important than any other account security measure for now.

Regarding two-factor authentication itself, please don’t try to support specifically email, SMS or Google Authenticator. A lot of work has gone into standardizing what is called TOTP, which is what is used by almost all implementations of two-factor authentication (including Google Authenticator). If you support that, any of the applications for mobile or personal computers should be easy to support, and one-time passwords can also be sent by email or SMS (though sending one-time passwords by SMS is absolutely not secure, which is why mobile applications are used instead most of the time). There are many server implementations, and using TOTP is required if there are plans to ever support Google Authenticator or any other of the client implementations.

Multi-factor authentication was the whole of my Nationwide internship over the summer. I’ve gained a strange love for it from that. And I totally agree with ColorfulBody on using OTPs for this. That makes it quite easy. I would be totally into having this here. (Shout-out to Nationwide for getting MFA live a few weeks ago)

Allow me to link up ROBLOX with my google account and we are in business. Only thing I would say is make sure it is not as irritating as Steam Guard, I literally have to wait on an SMS from them every couple of weeks before I am allowed to play my games.

Steam Guard allows you to use the Steam app now to see the code live (much like Google Authenticator). They recently added this.

Yes, I am quite aware. But I should not need to enter it every month on the same computer that I use for Steam every single day.

Yes, but support for TOTP is definitely preferred.

Weird, I have Steam Guard and I haven’t had to do that at all after the first time I did it for my main system.

Yes. Yes. Yes. Please, yes. Especially if you’re able to integrate with Google Authenticator, which you can do!

1 Like

In my opinion Google Authenticator is a must! Many other companies support TOTP and Google Authentication. I pretty much have everything on Google Authenticator (except Steam). Adding ROBLOX to Google Authenticator would be super convenient!

1 Like

I’d like to see SMS verification, I find it the least tedious to use because my phone is always on me. Maybe even lock the account after a password change until you can enter an SMS code.

Yes. I use 2-factor verification with every account it’s available with. SMS would be fine for me, the only foreseeable problem is people without phones, but I don’t think that’s too big of a problem.

I would 100% use. I want my money as safe as possible.

SMS verification would be fantastic

I’d want an ‘Unknown login’: has your account been logged in from Norway? Send an email/text asking if this was them and prevent that Norway guy from logging in until you’ve verified it. Similar to how Steam works with trusting computers to use your Steam account, if you get a new machine it’ll want you to verify it and ‘name it a friendly name’.

Why not incorporate some kind of 2 factor auth with the existing ROBLOX app? That way you know only the person currently holding that device can authorize new machines or an unexpected login from Norway or to be extra secure, authorize purchases over 1000R$. A machine cap that you can set so the maximum times you can be logged in at once (e.g. be logged in on your phone, tablet and computer) that way there’s no possible way of logging in to your account from a new machine (unless you de-authorize one from your existing machines).

Of course everything is optional but I’d personally want all of these on


Currently, I hate how insecure our accounts are, if someone has our password that’s it. They’re on and you’re screwed.

2 Likes