Upcoming Changes to Account Recovery for Users with 2SV

[Update] Feb 2, 2026


Hi Creators,

To improve security across Roblox, we are updating the account recovery requirements for all users with 2-Step Verification (2SV) enabled. This new recovery policy will be fully enforced by March 2026.

What This Means for 2SV Enabled Users

If you ever lose access to your primary 2SV method (like your authenticator app or security key), you will typically need two different verification methods on your account to complete recovery.

This means that if you lose access to the primary 2SV method and your account does not have two distinct recovery methods on file, you may be unable to regain access.

What You Need to Do Now

Choose one or more of the following backup options to ensure you can recover your account in the future:

Option 1: Add a Phone Number

  • This ensures you meet the two-method recovery requirement. At recovery, you will need to complete both an email challenge and a phone challenge to successfully regain access to your 2SV-enabled account.
  • Only available for users aged 13 and over.

Option 2: Add a passkey

  • Signing in with passkeys, a fast and non-phishable authentication method, will skip the 2SV challenge.
  • Available for all ages.

Option 3: Save Backup Codes

  • These one-time codes let you complete the 2SV challenge even if you lose access to your primary 2SV method.
  • Available for all ages.

You can update your account and recovery methods in Settings:

Account Info:

  • Add a phone number
  • Add a passkey

Security:

  • Save backup codes

For more information on keeping your account safe, please visit the Help Center.

Thank you for taking a moment to secure your account.
The Roblox Security Team

49 Likes

A phone number actively makes your account weaker due to SIM-swap attacks. The other methods are fine, but this specifically should not be an option when the site still allows you to reset account passwords from a phone number alone despite this having several issues.

56 Likes

Not bad honestly, I like the security this update brings.

Though, via Phone Verification, wasn’t there a SIM Swap issue?

2 Likes

This will just add more problems in my opinion, but sure, I guess.

4 Likes

Phone security is horrible because it can be easily hijacked.

16 Likes

I don’t see the issue here honestly, aside from the SIM Swap possibility with the Phone Verifications.

5 Likes

Why can’t we recover our Gmail though? I need some FAQ on why recovering with Gmail is deprecated now.

4 Likes

OK, not a bad update. Security is always good. My only question is if this means we may see trade holding periods reduced in the future.

As I’m sure you’re aware, the entirety of the trading community was incredibly disappointed when you added trade holds, and I’m sure all of us traders would like either a reduction or removal of the holding period system.

1 Like

iirc Email Verification is very vulnerable, being more vulnerable compared to Phone Verification.

4 Likes

Not a bad update actually. 2FA in my opinion is needed more than before, so seeing how they’re improving the security of it is nice to have. Also I noticed that 2FA is prompted when doing some actions such as spending Robux when location is different, so that’s nice too.

1 Like

I’m just saying that because I can’t even attach a phone number (not that I even wanted to add it) and I’m not bothering to buy a passkey either.

1 Like

You can always save your backup codes somewhere in the event you lose your 2FA.

It’s also free as well.

1 Like

Edit: On the mobile app it works, so the problem is resolved for me.

2 Likes

Email is only vulnerable if you aren’t making full use of the security features most email providers offer. And presumably, if you have at least 2SV via Security Key enabled there’s a very reasonable assumption the user has also secured their email.

You’re confusing passkeys for security keys. Passkeys make use of your existing device’s security capabilities while a security key is a dedicated device for securing an account.

9 Likes

The wording is confusing as hell, but is Email 2FA going to be kept or will it be removed?

1 Like

Question 1:
Does the new update mean email verification codes are no longer valid?

Question 2:
So, do we need three methods to log into our account now if we have 2SV?
Password, Email Verification code and a third method (phone, passkey or backup codes)?

Question 3:
Does this update have anything to do with that incident several months back when users found their emails have been disconnected from their accounts?

2 Likes

Hey folks, we understand that there’s some concern about the possibility of SIM-swapping attacks with phone verification, and we want to emphasize two points:

  • With 2SV enabled, you will need to present two methods in total to recover your account going forward, so even if phone is one of your two methods, an attacker will NOT be able to recover your 2SV-enabled account through SIM-swapping alone.

  • We encourage the usage of passkeys and/or backup codes if you are not comfortable with phone verification.

15 Likes

This is a policy update to our account recovery flow to require two methods of ownership verification, in the case that you lose your 2SV method.

Email 2SV and Login will continue to work as they do today!

4 Likes

Good post. I’ve just recently got my account compromised and I got access to it as of yesterday, now waiting on a rollback request. I’m going to make sure I take extra security measures on my account from this point onwards especially when the likelihood of me accessing my account was influenced by a couple of factors that could have prevented me from accessing my account which was scary.

3 Likes