TOTP Two Factor

As a Roblox developer, it is currently impossible to verify who I am with two factor authentication without this code being transmitted to a place that an attacker might reasonably be able to get into (in this case, my email account). Roblox should permit users to use Time-Based One Time Pads (TOTPs) as used in Google Authenticator / etc.

Benefits for Roblox:

  1. No having to send out SMSs or emails for each authentication attempt; you only need to verify a code when it is presented.

Benefits for users:

  1. Email account being pwned doesn't mean instant two factor codes served hot and fresh.
  2. No ability to access your email? No problem as long as you still have your phone on you.
  3. No waiting for two factor codes to be delivered via email, codes can be gained instantly through your authenticator app of choice.
22 Likes

Devices like YubiKey should also be allowed to increase security and join the standard.

1 Like

one step at a time :stuck_out_tongue:

2 Likes

Indeed but it would be amazing to have.

Personally I 100% agree - the email thing is annoying and it is stupidly easy to add time-based codes. As you say, they don’t need to generate, save and email a code, they can just save a secret and verify the code when the user enters it.

However, the other side to it is probably due to the age range here. Many young users are not going to save a recovery code. Even if they do they might lose it. And how many kids are gonna accidentally uninstall their authenticator app, or reset their phone, or lose their phone and then get locked out of their account forever?

Passwords and email accounts are near-universal concepts; kids, parents, even grandparents understand them. But time-based TFA still isn't mainstream enough for all parents and kids to understand it and the risk of losing both your secret and recovery codes.

The obvious solution is to make both options available, but I still think customer service are gonna get so many emails from people who are locked out if they implement this.

OTP backup codes can solve this issue; it's also possible to implement systems such as a time delayed unlock via the registered email address of the account.

People who don't understand 2FA probably don't use it. I would say that the average user using TOTP would have to understand the principles of it to even set it up, and therefore wouldn't use it, so the issue with people losing their codes wouldn't be that huge; this is primarily aimed at power users who have good reason to lock down their account (popular games, high Robux value, etc.).

1 Like
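The two recovery mechanisms mentioned above (single-use backup codes and a time-delayed unlock through the registered email) as an added Python example, not code from the thread or from Roblox. Backup codes are stored only as salted slow hashes so a leaked table does not hand an attacker the codes, each one is deleted the moment it is redeemed, and the unlock request only becomes usable after a delay during which the real owner can cancel it from the warning email. The 72-hour delay, the ten-code batch and the `XXXX-XXXX` format are assumed policy values, not anything the page states.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Tuple

BACKUP_CODE_COUNT = 10                 # assumed batch size
UNLOCK_DELAY_SECONDS = 72 * 3600       # assumed 72-hour cooling-off period
PBKDF2_ROUNDS = 100_000                # slow hash: 8-digit codes have little entropy


def _normalize(code: str) -> str:
    """Accept the code however the user typed it: with hyphens, spaces or neither."""
    return "".join(ch for ch in code if ch.isdigit())


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(code).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class BackupCodeStore:
    """What the server persists: one salt per batch and a hash per unused code."""
    salt: bytes
    hashes: List[bytes]


def issue_backup_codes() -> Tuple[List[str], BackupCodeStore]:
    """Generate a batch; the plaintext codes are shown to the user once and never stored."""
    salt = secrets.token_bytes(16)
    codes = []
    for _ in range(BACKUP_CODE_COUNT):
        digits = f"{secrets.randbelow(10 ** 8):08d}"
        codes.append(f"{digits[:4]}-{digits[4:]}")
    store = BackupCodeStore(salt, [_hash_code(c, salt) for c in codes])
    return codes, store


def redeem_backup_code(store: BackupCodeStore, submitted: str) -> bool:
    """True if the code was valid and unused; the matching hash is removed so it
    cannot be used again. Each comparison is constant-time; the position of the
    match in the list is not considered sensitive here."""
    candidate = _hash_code(submitted, store.salt)
    for i, stored in enumerate(store.hashes):
        if hmac.compare_digest(stored, candidate):
            del store.hashes[i]
            return True
    return False


@dataclass
class UnlockRequest:
    """A pending 'I lost my authenticator' request tied to the registered email."""
    requested_at: int
    cancelled: bool = False


def request_unlock(now: int) -> UnlockRequest:
    """Start the timer; the server would also email the owner a cancellation link."""
    return UnlockRequest(requested_at=now)


def cancel_unlock(req: UnlockRequest) -> None:
    """Invoked from the warning email when the real owner did not ask for this."""
    req.cancelled = True


def unlock_ready(req: UnlockRequest, now: int) -> bool:
    """Only after the full delay, and only if nobody cancelled, may 2FA be removed."""
    return not req.cancelled and now - req.requested_at >= UNLOCK_DELAY_SECONDS


if __name__ == "__main__":
    codes, store = issue_backup_codes()
    print("show these to the user once:", codes)
    print(redeem_backup_code(store, codes[0]), "first use, expected True")
    print(redeem_backup_code(store, codes[0]), "replay, expected False")
    req = request_unlock(now=1_000_000)
    print(unlock_ready(req, now=1_000_000 + 3600), "one hour in, expected False")
    print(unlock_ready(req, now=1_000_000 + UNLOCK_DELAY_SECONDS), "after delay, expected True")
```

The delay is what makes the email-based fallback safer than email-based login codes: an attacker who has the mailbox still has to wait out the timer while the owner is being told, by the same mailbox and any other contact channel, that someone is trying to strip 2FA from the account.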

Absolutely. Just simulating the discussion that may have led them to using email instead :stuck_out_tongue:

I agree with your point that the same people who don’t understand it either wouldn’t use it or wouldn’t know how to set it up. Hopefully you get support from Roblox because this feature is needed.

With the low amount of work needed to bring this to reality and the nice benefits / high visibility it will bring, hopefully someone in the bay will want to ship this :wink: looking at you, web team

1 Like

Then allow both?

More security options would be lovely. Doesn’t have to be just A, or just B, it can be A and B.