Thoughts on 2-Step Verification?

Polymorphic · March 30, 2016, 4:05am

take off tinfoil hat

sorry.

Seranok · March 30, 2016, 5:16am

Of course SMS messages are insecure, they are sent in plaintext. Two-factor authentication is meant to prevent cases where merely obtaining the user’s password enables their account to be compromised. If you log into a website on a computer, a program on that computer might be logging your keystrokes or someone might be reading your password over your shoulder. If two-factor is enabled, an unsophisticated attacker cannot get into the account without also compromising the user’s phone.

Semaphorism · March 30, 2016, 5:59am

I just hope we get google authenticator or something similar, that’s what I am looking forward to.

Dev0mar · March 30, 2016, 10:00am

This really is needed now, as a lot of developers are getting hacked.

I would very much love it if we can verify with:

Email
SMS

(I rather email more than SMS but yea…)

Digital_Boy · March 30, 2016, 1:59pm

Also, don’t open links on skype or accept contact requests from random people you don’t know.

Tinarg · March 30, 2016, 2:13pm

What methods are they using? What should we look out for?

TheGamer101 · March 30, 2016, 2:21pm

ToniToni tweeted about how it happened to him : https://twitter.com/tonivuc/status/714978976847040516

Tinarg · March 30, 2016, 2:24pm

Ah, I see. I never share my skype contact information with anyone, so I should be safe at least there.

Dev0mar · March 30, 2016, 3:28pm

If you really want to be careful about your account, then:

Don’t use other computers than your personal computer and don’t allow others to use your computer to login their account.

Make sure the site you go on has a valid SSL

Don’t click links that you are not 100% certain to where they lead, ( ex: from people you do not know )

probably there is more but yea

buildthomas · March 30, 2016, 3:32pm

Don’t go on public wireless networks preferably

wish_z · March 30, 2016, 3:57pm

I use NoScript just in case I ever click on a bad link.

ReeseMcBlox · March 30, 2016, 4:37pm

This is already as prioritized as it can be. The “Web team” is split into smaller teams that focus on different areas. 2FA is the next big thing one of the web teams will be working on.

Edit: I can’t give you a delivery date yet. My current estimation is a month or two for email 2FA. Other types to follow.

anon80475429 · April 20, 2016, 11:56am

Just checking in on the progress of this because it’s been round-a-bout a month. Any updates or news? I don’t know also if you saw my suggestions but will they ever be a thing?

anon80475429:

Limiting max devices logged in at one time (I’m not logged on than more than 2 devices my iPad and Computer) and if someone tried to log in it would just error saying ‘Please deactivate one of your current devices or increase your device limit’ this should be optional but I would certainly use it

This but instead of IP show a ‘rough location’
https://devforum.roblox.com/uploads/default/original/2X/3/31ae5f50d40390cd2eaa54a300a6b7ddd997a77d.png

If a buy a limited ‘escrow’ similar to steam so it can’t be traded or sold for 3 days or a week (or an custom amount of time)

When making large purchases over a certain amount (that you can edit yourself) you’ll have to confirm it via ROBLOX mobile app or email5) If I have the 2 step on when editing any of my account features (like password or email) require confirmation on the app

All these are optional features but of course having them all on makes your account much more secure

I care so much about my account security even more so than ever, considering our accounts can hold real world value of ££’s or even ££££££’s [because our accounts have real world value (at least in the UK) the Data Protection Act now comes into affect] and now I’m expecting the security to match that (or come considerably close) to that of a bank (pin sentry anyone?). HTTPS everywhere is a step in the right direction but we need to push further to help make our accounts as hard-as-nails.

T_FM · April 20, 2016, 2:30pm

The only thing that does is make a slight annoyance to anyone who hijacks an account. They could set up their account with thousands of purchasable assets for 999R$ and transfer all the account’s R$ without triggering the authentication (And maybe use a bot). This would also put a user at an even bigger disadvantage when purchasing the original limiteds to the sniping bots.

anon80475429 · April 20, 2016, 2:35pm

But how would they know what you set it for? It should be hidden by **** with a link at the side to change/see it but you’ll need your password.

T_FM · April 20, 2016, 2:41pm

If the hacker is using bots (if they got this far, they probably could), they could do it for a simple 10R$ at a time. If it’s already set below that, then they would be screwed, but then it would be inconvenient for any purchases the player.

anon80475429 · April 20, 2016, 2:44pm

Of course that won’t stop them fully the idea is to increase security as much as possible. It will slow down a lot of newbie hackers and reduce the amount of losing your items/stuff because if a 9 year old somehow gets my account his first thoughts are gonna be “IM GONNA GIVE ALL DIS MONEY TO MYSELF” and the struggle for an hour or few trying to figure out my password again and by that time hopefully, I would of gotten my account back with minimal damage.

It’s all about slowing them down and making it as hard as possible

Cindering · June 17, 2016, 1:16am

Any word on how soon™ 2FA will be arriving at this point?

ReeseMcBlox · June 17, 2016, 4:38pm

Ehhhhh

I now regret saying soon in the first place. There is progress, and it’s still a top priority. It’s slow going.

anon80475429 · June 17, 2016, 7:56pm

You can’t take back your words now