Thoughts on 2-Step Verification?

I totally agree with @anon80475429 as I have no phone to use for SMS / other types of authentication, so if we got an email when someone logs in from an unknown location and the account gets locked until confirmed via email, that would be great!

2 Likes

Yes, @anon80475429 is right, we need something like Facebook that allows you to see the sessions and at least an estimate of where people are logged in from. I was thinking you could show the IP on each session, however that could cause issues, so at least location would be nice.

This is still true.

5 Likes

I would use this.
SMS will work for me.

I wouldn’t use this as I don’t own a phone.

Same here.

I don’t have a phone either so I would prefer an alternative method.

Could you guys tell us what kind of method you would prefer? If they create a feature like Steam’s Steam Guard I would also say that perhaps e-mail is better. Or for phone users they can use the app.

  1. Limiting max devices logged in at one time (I’m not logged in on more than 2 devices, my iPad and computer) and if someone tried to log in it would just error saying ‘Please deactivate one of your current devices or increase your device limit’. This should be optional but I would certainly use it.
  2. This, but instead of IP show a ‘rough location’.
  3. If I buy a limited, ‘escrow’ similar to Steam so it can’t be traded or sold for 3 days or a week (or a custom amount of time).
  4. When making large purchases over a certain amount (that you can edit yourself) you’ll have to confirm it via ROBLOX mobile app or email
  5. If I have the 2 step on when editing any of my account features (like password or email) require confirmation on the app

All these are optional features but of course having them all on makes your account much more secure.

2 Likes

This could be good for limited trading as well. If you’re trading something that has a high RAP value for something with a low RAP value, or selling for a really cheap price, it will ask to confirm it. This way, people stealing accounts cannot give limiteds to their main accounts.

1 Like

Authentication with TOTP can be used without a phone, all you need is an application capable of generating one-time passwords from the shared secret (in base32, hexadecimal, or as a QR code; most websites I’ve seen provide the base32 secret and a QR code, but I’ve never seen one provide the secret as hexadecimal).

I don’t think SMS should be supported because the SMS system was not designed with security in mind. If it is supported, it should at the very least not be possible to reset the password with just an SMS (i.e. the previous password should be required as well).

1 Like

Neither was the internet but here we are using its flawed designs and protocols. Email isn’t secure either, but here we are clicking ROBLOX password reset links through our email. This is not a valid argument.

I think the majority of people would want to have 2-step verification based on phone number and many big websites offer this option as well, it would be extremely silly not to support this as an option. Then you’re making it unnecessarily complicated for non-technical people to secure their account.

2 Likes

I think you meant to phrase this differently, otherwise it means someone is screwed when they lose their password.

The idea of 2-step is to verify that you are the owner; it shouldn’t be used for password reset links. It is meant to be that as you log in the attacker is stopped, as they don’t have access to your phone. Outlook asks for the last 4 digits of your phone number too for even better security, so you don’t get bombarded with texts.

Two-Step verification would be great on Roblox. It would be very helpful if Roblox also would have re-authentication from each computer like Steam does so that every time you try to log in from somewhere else you need to be authenticated. This may seem tedious but will definitely be helpful with preventing account hijacking as the hijacker would need the authentication from the account owner.

1 Like

@buildthomas

We don’t need SMS to have two-step authentication with phones. In my experience, few of the websites with two-step authentication support SMS; usually websites just suggest you scan a QR code and use an application like Google Authenticator. The QR code is then decoded to an identifier for your account (typically your email address) and the shared secret.

SMS has multiple major issues that email and HTTPS do not have. The way cellular networks are designed makes SMS delivery unreliable (for example, only the cell cluster your phone is part of knows where your phone is, and as a result SMS delivery can take a long time just as it can be instantaneous, see ISO/IEC 21989). That can make two-step authentication with SMS frustrating, especially since text messages are considered secondary traffic (voice calls are considered time-critical and primary traffic, so they will get priority). Nobody wants to wait a long time for a temporary password to arrive. In a congested network, it’s possible the message wouldn’t get delivered at all if the phone moves around (but the user can request another temporary password). Sending QR codes or character strings over HTTP so that an application like Google Authenticator on the phone can use them doesn’t have these problems. The security problems are worse than the reliability problems though, since the latter are just an annoyance: text messages for two-step authentication should essentially be considered public. A secure protocol (called SSMS) for SMS was created in 2010 for mobile payment systems, because the SMS protocol has several security vulnerabilities that made it unsuitable (1002.3171 on arXiv).

No, they would use account recovery through email as they can now. What I said meant that SMS shouldn’t be added as an alternative to email for password recovery.

One would think Google Authenticator is more convenient than SMS for non-technical people, if anything. You click on a button to enable two-step authentication and display the QR code, you scan it with your phone, Google Authenticator appears and asks you to confirm and then it handles everything else for you. It’s faster, simpler, more reliable and actually secure. And it makes the people who don’t have a phone or don’t want to use one happy too, as well as those who are more technical.

2 Likes

Not everybody has a smartphone. SMS is fine – even Google’s Gmail uses it for 2-factor authentication.

TOTP works for everyone, not just people who have a smartphone. SMS is what doesn’t work for everyone, because it requires access to a cellular network and might imply messaging rates. Google uses TOTP with Google Authenticator. However I don’t get how you can say “SMS is fine” when I’ve just explained exactly the reasons it isn’t, and not say anything to support that.

2 Likes

Sure, nothing wrong with supporting multiple options. Supporting SMS is an important factor in promoting the usage of this feature though, it does provide an extra authentication method that is much harder to intercept without the proper hardware compared to the email attacks we’ve been seeing lately, and you have no idea where the user’s phone is in the network to begin with.

1 Like

Others don’t use Google Authenticator…
Both SMS and whatever you’re attempting to describe are both TOTP, just I am unsure of what medium you want to receive the OTP in.
Email can be just as slow as SMS as can any server really, so to argue congestion is to be against anything that uses a form of server.