There certainly is something wrong with supporting insecure and unreliable options and suggesting them to users, especially when they have no advantage over other options, especially when these insecure and unreliable options require an implementation, especially when they are presented to users as intended to increase account security. Most users won’t have the technical knowledge to understand each approach.
Email uses the Internet for message delivery. It has its problems, but doesn’t have the security issues there are with SMS text messages and doesn’t have the same kind of reliability problems. I’m not particularly in favor of email, since I prefer simply giving the user the shared secret (then the user generates the temporary passwords himself and there is no possible security or reliability problem—this is what websites usually do), but I’m not against it either because it has the advantage of not requiring any software, and doesn’t have security issues like SMS.
I trust Google and their decision that SMS was good enough for 2factor more than I trust some random individual on the internet saying “SMS is insecure!!!”.
The first version of 2SV is under development. It’s not going to be TOTP. It’s going to be email to start, and hopefully SMS not too long after (soonTM on SMS). You will be able to choose between email and SMS when SMS becomes available.
If I summarise this you are saying “two-factor authentication using SMS will not increase account security”. It’s simply not true, it will increase account security over what we have right now.
Not only is there a second authentication method over password-only that way, but you also cannot intercept specific SMS messages related to ROBLOX and also link them to specific accounts at the same time. You would have to know the whereabouts of the user’s phone as well as their ROBLOX username, and then force a code to be sent and intercept that from the network. At that point, the perpetrator may as well threaten you IRL to give up your account and/or steal your phone in passing, since they know where you are.
I have SMS set up with PayPal. The only flaw with PayPal is that you can skip 2 step verification by using my recovery questions. (I think on mobile they let you skip SMS as well at one point). As long as nothing ridiculously redundant like that is implemented, I’d vote for SMS as my favorite 2 step authentication method!
Keeping in mind there needs to be new recovery options in case someone has their phone number changed.
+1 Really the only thing I can be absolutely positive that I’m the only one that’s using it. Email for example can be accessed if someone has my password (well not really since I have 2factor authentication for it with my phone, but if we pretend I didn’t), and the same is true with other web-based authentication (if someone from ROBLOX manages to sneak a RAT onto someone else’s system, they can access any web-based 2factor authentication), opposed to SMS authentication where only someone physically touching my phone can authenticate.
The LARGE majority of stolen accounts on ROBLOX are just scam sites, so of course SMS wil prevent this, and you shouldn’t dismiss extra security just because it’s not the best security possible.
The account break-ins can be prevented easily if people use different passwords for different web services and make sure that their usernames for different services aren’t comparable (e.g. your email prefix is not related to your ROBLOX username). This has been posted here so many times as well.
Either way, they’re not going to speed up the development of this just because one guy got hacked in the past 24 hours, and I would feel really uncomfortable if they released a feature too early that could have a major negative impact when not implemented and tested thoroughly and properly.
Yes with the recent events, it is clear this needs to be prioritized after having been put off for an entire year.
I got to be the first hand witness of this and I am sure Roblox’s moderation team is going through a great deal to settle the damages of what happened.
Not to mention, the same attacker has attacked again with the same methods on another developer immediately a day after me.
You can be completely safe by using a browser password manager with randomly generated passwords. That’s the best way to foolproof your account security against yourself: you can’t choose a bad password since you don’t choose the password at all, and you can’t fall for phishing attacks because your password is only filled in automatically on the correct website. This is what I do, it’s also more convenient because I don’t need to remember the passwords at all, don’t need to choose them and don’t need to fill them in. I also cannot lose access to my accounts because I have encrypted copies of the password database backed up in various places automatically every week!
And then you can brag about having 60-character passwords. Of course programs running on my computer can access the passwords (they’re encrypted when stored however), but that’d also be true if I filled them in manually. You can’t expect any account security if your computer is compromised, two-factor authentication doesn’t help with that.
No system can make you absolutely positive that you’re the only one able to use it except specialized hardware tokens (e.g. Yubikeys) or keeping an asymmetric public-key cryptography private key on a computer which is never connected to the Internet. “Two-factor” authentication is just a metaphor to make users understand that two-factor authentication gives them more security, but it isn’t really about “something you own” any more than passwords are about “something you know”. There is no way, barring funny quantum experiments that allow Alice and Bob to detect when a man-in-the-middle is intercepting a communication between two quantum devices, for a website to know that a given action or request really comes from the user physically owning a phone. I’m not being the devil’s advocate, I’m talking about realistic attack scenarios that are not accounted for in the threat model. SMS networks are insecure, your mobile phone can be compromised (probably is, depending on what is meant by that), your account can be compromised temporarily with the token by someone with remote or physical access to your computer, etc. I’d consider web-based two-factor authentication with TOTP done with a properly secured computer more secure than SMS-based authentication, I’ve already explained why in previous posts.
