Thoughts on 2-Step Verification?

Better super safe than sorry.

True, I really hope they use google authenticator personally :slight_smile:


Can confirm the gametest servers look like this.

Look what I found, just nearly a year later.

Staff has had 2FA forever.

Correct! Staff have had 2FA forever. The system the staff use can not support millions of players. It can only support a few hundred people. We’re working on the 2-Step Verification feature, which will support millions of players across all platforms.


The two-factor explanation is really the explanation given to technically illiterate users, but the “two-factor authentication” name is misleading because the security gains are not from having two factors. It is impossible for a server to know whether a user physically carries something. I consider that the significant security gains come mostly from the fact that the secret token used to generate the one-time passwords is chosen randomly by the server. This implies that two-factor authentication is not much better than authentication with a strong, randomly generated password, but users are really bad at choosing good passwords. In all the cases where an account protected by a randomly generated password could be compromised, it is very likely that an account protected by requiring one-time passwords generated from a shared secret token could be compromised as well, and this is how two-factor authentication works.

One way to actually improve authentication methods is to make the authentication asymmetric by using public-key cryptography. Let the user generate a key pair and use the private key to sign messages sent to the server and decrypt messages sent back by the server. In this manner, the information stored on the server would not allow an attacker to compromise the user’s account on that service or any other service, and there is no information ever exchanged on the network that would allow an attacker to have access to the user’s account, even temporarily. This is replay-resistant; in other words, an attacker able to observe the user logging in once will not gain any information that would be useful to reproduce logging in. Public-key cryptography also has the advantage of making phishing and brute-forcing entirely irrelevant, and does not require that the user memorize anything or copy a code sent to him on some device, making it very convenient. It is supported by all servers that support HTTPS, which is no big surprise since public-key certificates are already how websites authenticate themselves to users. And all modern browsers today already support the keygen element introduced in HTML5, which can be used in forms to ask the browser to securely generate and locally store a private key and attach the public key to a form to be submitted, for example when creating an account. Browsers also have an interface to back up or export certificates and to select which one to use when connecting to a website. It’s the most secure, most convenient, and most deployable authentication method, and it is even elegant in that client-side certificates are the natural counterpart to the server certificates already used to authenticate websites with HTTPS. Yet nobody uses them, go figure.

The table below provides a very good comparison of authentication methods from The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes:

That it is more secure is not true. It is far easier to intercept messages in cellular networks than between email servers. Email servers usually use opportunistic encryption for exchanged messages. This is very bad and would make email worse than SMS messages exchanged through the cellular networks if it wasn’t for the fact that those don’t use encryption in the first place and have essentially no authentication. You can just join a cellular network and pretend to be someone and, as long as you’re in the right area, you’ll get the messages delivered to you. (ISO/IEC 21989)

On the Internet, however, you can send packets pretending to have any IP address, but you won’t get the responses back, which means you can’t get past the TCP handshake. Since in addition to that email servers will encrypt messages opportunistically with STARTTLS, only an attacker who controls part of the path on the network between the ROBLOX email server and the user’s email provider would be able to intercept the one-time password, and even this would require an active attack so that the attacker pretends one of the receiving email servers does not support TLS.


I’m no expert, but I’d think driving to a different state or flying to a different country to pose as an account owner’s phone (assuming you even knew their phone number in the first place) would be significantly more difficult than cracking e-mail 2-factor authentication (which is apparently almost as vulnerable as plain text) from the comfort of your home, especially given that most ROBLOX users still live with their parents.


There are several smart people working in the web team without doubt, and I’m sure they will implement the best compromise between efficiency, usability, user coverage and projected level of security. I wouldn’t doubt that they have considered all possible options for 2FA.

As for the second part of the post I would like to point out that you already tried this argument (SMS vs email 2FA security) earlier on in this thread and it was already responded to by several users. Not sure if there is any point in bringing it back.


It’s still 2FA. That particular device with the app on it, registered so that only that app on that device can provide the authentication, is still something that the user has, whether or not they’re playing on that device. Someone else who didn’t have that particular device would not be able to authenticate.

To put it another way, whether I play on the computer, or on my phone, or if I want to update my games, I need the same two things, both the thing I know (my password) and the thing I have (my device).

@EchoReaper

As I’ve said, “only an attacker who controls part of the path on the network between the ROBLOX email server and the user’s email provider would be able to intercept the one-time password.” It’s at least as unlikely you control part of the path on the network between the ROBLOX email server and someone’s email provider as it is you’re in the same geographical area as that person’s cellular network.

@buildthomas

These users have not responded in any meaningful way. The most they’ve done is disregard everything I had said and reply that SMS is necessarily good enough since otherwise the all-knowing and always-wise Google would not support it as an option, or “summarize” what I had said into things I hadn’t and then reply to their summary.

ditto

Don’t care enough to read the debate above but we really need this ASAP. SMS verification is my favorite because of how convenient it is (don’t have to unlock phone and open an app) but I’ve recently heard of people using social engineering to receive SIM cards from cell providers and hijacking the authentication codes, so that might not be the best method right now.

Yeah, a lot of YouTubers are getting hacked because people are getting their SIM cards. I think the best thing to use is Google Authenticator.


Since people don’t believe me when I say it myself, even though I explain the reasons SMS is insecure and unreliable very well, here are more reasons why it should not be supported:

Here’s also an article from The Washington Post about a blatant vulnerability in cellular networks: German researchers discover a flaw that could let anyone listen to your cell calls.


Two locks will always be more secure than one, even if both can be cracked.

I currently have a strong password. With SMS/authenticator/whatever, I now have 2 things that require cracking. So unless somebody manages to crack both (not either-or), I’m safer than before.


I just had a thought on a way to avoid this risk and to improve the security: use an internet phone number, such as Google Voice/Hangouts, for your two-step authentication via SMS. It doesn’t work as a replacement for having it on the Roblox app or using something like Google Authenticator, but for more security-minded people, you’d need two-step authentication to get to your 2nd step on, say, Roblox.
The same is true with email, though, but I use Google Voice daily, so it will be faster for me and anyone else who uses an internet phone number.


The question is not whether we should have two-factor authentication, the question is whether SMS should be a supported method. SMS is unreliable and insecure, while other methods exist that have none of the problems with SMS. Suggesting to users an option, to increase account security, that is insecure and has no advantages over other options is a bad idea.

Cellular networks function in a way that makes delivery of SMS unreliable because their design is flawed. The time it takes for a message to be delivered is unpredictable because only the cell cluster that you are part of knows the location of your phone, and it is possible for the message not to be delivered at all, in which case you would need to ask the website to send an authentication code again.

Two-factor authentication with SMS would require work and resources to maintain, would be frustrating for users, and would give an illusion of security to users who don’t understand the technical flaws it has. Two-factor authentication with an application that supports TOTP, and these exist on every platform, for every device, is secure, reliable, not frustrating, and not flawed by design. Two-factor authentication with email is inconvenient, but otherwise secure and reliable.
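The TOTP applications mentioned in the post above (and the earlier point that the security of one-time codes comes from a server-chosen random secret) can be illustrated with a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation. This is an added example, not code from Roblox or from any of the posters; the function names and the 30-second, 6-digit, HMAC-SHA1 parameters are the defaults of common authenticator apps, and the server-side replay bookkeeping is described in a comment rather than implemented.

```python
"""Minimal HOTP (RFC 4226) / TOTP (RFC 6238), the scheme used by Google
Authenticator, FreeOTP, Authy and oathtool. Added example, not project code."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30    # time step in seconds used by the common authenticator apps
DIGITS = 6   # code length shown to the user


def new_shared_secret(nbytes=20):
    """Server side: the shared secret is chosen at random by the server,
    which is where the actual security of TOTP comes from (20 bytes for SHA-1)."""
    return secrets.token_bytes(nbytes)


def provisioning_key(secret):
    """Base32 form of the secret, as embedded in an otpauth:// URI or QR code."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=STEP):
    """RFC 6238: HOTP with the counter derived from Unix time. Needs no
    network connection on the client, only a reasonably accurate clock."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step)


def verify_totp(secret, code, at=None, window=1):
    """Server side: accept the current step and +/- `window` neighbours to
    tolerate clock drift, comparing in constant time. A real server must also
    store the last accepted counter per user so a code cannot be reused
    within its validity window (not implemented here)."""
    t = int(time.time()) if at is None else at
    counter = t // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    secret = new_shared_secret()
    print("enrol in your authenticator app:", provisioning_key(secret))
    print("current code:", totp(secret))
```

The expected codes for the RFC test secret `12345678901234567890` (counter 0 gives `755224`, Unix time 59 gives `287082`) can be checked against `oathtool` to confirm interoperability.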

I think you’ve been sippin’ too much security doom-preacher Kool-Aid.

I have my Gmail account hooked up to SMS 2-factor and have not had any issues or been dissatisfied with it over these past couple of years I’ve had it enabled. I’ve never had to request more verification texts; all have gone through on the first try. Having to install a mobile app on my phone to generate a login key for 2-factor would be the more frustrating of the two.

Not sure what you mean about illusion of security. Someone would have to 1) find where I live, 2) drive/fly to where I live (most likely far away), 3) have my account password, 4) know my phone number, and 5) have the necessary skills to pretend to be my phone and intercept the SMS text. That sounds like a whole lot of security to me. If someone went the route of tricking my carrier into sending them a SIM card for my number, they’d still have to have my account password, know my phone number, and know my personal details to pass as me. The latter may be easy for impersonating YouTubers whose lives are mostly public, but not so much for some random person on the Internet.

They only need 3, 5, and possibly 4, all of which barely add security over what’s already there with passwords. Email and TOTP applications (FreeOTP, Authy, and Google Authenticator on phones, oathtool on desktop and portable computers) don’t give the illusion they provide more security than they really do.

That’s your experience. It is a fact that the cellular networks are poorly designed and that they have reliability issues, but these issues may or may not affect you depending on your provider and your geographical location. In any case, these reliability issues do not affect email, which transits over the Internet and not the cellular networks, and certainly not TOTP applications, which don’t even require any network connection.

The only reason TOTP applications require more work for you is that your phone came with applications for SMS and not for TOTP. It may well have been the reverse, since not all phones come with SMS but all those with a processor can execute a TOTP implementation. Regardless, having to install a TOTP authentication application is a one-time task that you only need to accomplish once per device, not per login or per website, and not a particularly difficult one.