Urgent: Roblox 2FA Bypass – Hackers Can Access Accounts Without Username or Password!

This topic covers a lot of that; they’re apparently adding more security for if somebody gets into your account.

1 Like

Oh, did they remove that? Makes sense. A few years ago, there was a massive explosion in a method of account stealing where someone would call up people’s SIM carriers and ask to get a replacement for their leaked phone numbers, giving them access to their SMS :melting_face:

My email account that I verified my account with being locked by Microsoft: I see this as an absolute win.

I thought it was just Chrome that had a 2FA incident.

Why don’t you use the “Login with another device” or “Login via browser” option, assuming you’re logged in on your browser?

1 Like

If they have your email they can:
A: Change your password automatically.
B: Contact support and tell them you lost your phone and cannot use 2FA.

1 Like

I mean like use SMS (if enabled) as a security check if someone tries to reset your password through your email. That way they need to know both your email and SMS when resetting your password, rather than being unable to verify your identity if a hacker emails Roblox under your name.

Currently 2Auth with email relies on you knowing both your email and Roblox password, but the password aspect is easily bypassed, since users might forget their password and thus Roblox support resets it without verification.

Having some other verification against password reset attempts would help resolve this.

It’s just faster for me to use one time, but I’ll try using login via browser.

One-time has you go to an email website, click the email, copy the code, go to roblox, and paste the code as opposed to clicking two buttons.


Sorta unrelated, but I find the notion that the PIN was never supposed to be a security feature fraudulent, regardless of how it performed.

I’m looking at the login/forgot-password-or-username page, and it seems that if someone gains access to your email or phone number they can gain both your username and password.

In fact, even if you have 2auth enabled with email, it still allows you to reset your password and reveal your username with the phone number alone.

I think Roblox is actively working on reducing security risk from these types of attacks. Recently, they implemented a new change that prevents devices accessing your account in unrecognised locations (i.e. you haven’t logged-in from them before) from changing account settings. Thus, if you’re a security-minded individual and frequently check your Logged-in Devices page and your email for security alerts, you’ll be able to take action.

https://twitter.com/Roblox_RTC/status/1866875104753299536

If you don’t care about your account’s security, then no amount of security options can force you to make your life harder just to make sure no one steals your account.

Also, as someone else said, this feature is working as intended. It isn’t a bug that you can gain access to your account with your email, given that that’s usually exactly what people want when they add a recovery/2FA email. They shift the security over to it, in order to prevent getting locked out, and also trusting the 2FA methods and more mature security systems that email usually has. I think it’s one of the better options in terms of what Roblox can do when trying to get people to make their accounts more secure when they don’t have anything set up; it’s at least something for the bare minimum, and it’s usually the easiest, given that it’s possible to verify your email from any device logged into it, instead of having to reach for a phone.

I know that, if I hadn’t added my email to this account, I would have already lost it.

(P.S.: Maybe this isn’t the AI, but some of your posts are incredibly “bloated” with too many sub-headings and repetition of information, which can make it more difficult to extract the actual information presented from all the “fluff”. You should try and keep your posts more terse and brief, like you’ve done for your more recent replies)

I might be misunderstanding this post but… if someone has access to your email doesn’t that mean that they have access to your account anyways? (When excluding authenticator apps and hardware keys ofc). The feature seems to be working as intended it seems, and for most people, Roblox would be their last concern if their email got breached.

1 Like

Before Roblox added the Authenticator App and Security Key 2FA, I was hacked multiple times due to this issue on several of my accounts, back when I used only a single email for all of them (before I took security way more seriously; I was a dumb kid). I am surprised Roblox has not yet removed email 2FA, because it has always been a security issue. I’d argue that phone number 2FA is more secure in a way, but only by a small margin, so I also don’t recommend using that either. Always use Authenticator App and/or Security Key 2FA over any other method. They are the most secure!

2 Likes

There is a separate concern that I have with regard to this subject – namely that, although at some point (perhaps 10 years ago) I had specified an email for my Roblox account in order to become “verified”, some time not too long ago I found that ALL of my Roblox accounts associated with this e-mail address were forced to use 2FA (against what would have been my better judgment). I would prefer if such a feature were optional, or if not optional then also not automatic. In this case, I lost access to the majority of the accounts because I had already terminated the ancient e-mail address in favor of a more secure alternative (i.e. the e-mail address no longer existed but was nonetheless required for a 2FA that I had not expressly configured for myself).

This isn’t a bug, folks, it’s called common sense. Roblox encourages using authenticators and biometric verification for a reason. Move this to dev discussion or suggestion/feature requests.

5 Likes

Why is this even a thread? If they have access to your email, it’s already game over.

2 Likes

To be fair though, if someone gets into your email you not only have bigger issues to worry about, but they could easily get into your account regardless (send reset password to email, SEing support because you have access to the email in turn meaning you clearly are the owner of the account, etc so on and so forth)

Not downplaying this issue though. There is effectively no difference between getting a 2FA email code for regular logging in and a one time login code, as they’d both be doing the same thing (sending a code to the email) - it’s just that the one time code skips the whole need for a password.

This feature should really be removed, or at least disabled, for users who get their regular 2FA codes over email, because there’s objectively zero reason to have it there. It serves zero purpose for people using email for 2FA.
Forgot password? Use the forgot password button. Forgot username? Use the forgot username option (it’s the exact same form as the forgot password one)

1 Like

And then we arrive back at the same “problem” you are trying to point out with email, only that SMS is likely far easier to breach than your email. Email is pretty easy to secure if you actually are concerned about security since they support things like Security Keys for account access.

Am I reading this right? If your email is compromised (and you’re using email 2FA) your account is gone with or without the one-time code; they can just change your password.

To note, a malicious actor still needs to know (or guess) what one-time code you were sent. Yes, they can theoretically bypass passwords with this, but they still need to guess that code, which is seemingly a 6-digit code that has a lifetime of 15 minutes. The malicious actor also presumably doesn’t get clarification on whether the email even has a Roblox account, so they could waste time.

The rate limit is probably pretty heavy, but even then, a malicious actor only needing to guess 6 digits, and just retrying later if they fail isn’t really secure at all either. The code is certainly too short, and in my opinion, that is the true massive flaw with this feature; had the code been longer, we wouldn’t have this issue since it would end up being the equivalent of guessing a time-sensitive password.


As for the case where someone is already in your email, you’re already in massive trouble at that point. Someone can reset your password and effectively lock you out. This feature was presumably made to mimic the process of resetting a password, so it’s likely intended to match it:

In the meantime, if you are currently concerned about being hacked this way; hardware security key 2FA is probably your way to go. If that isn’t available to you, use authenticator 2FA. This feature shouldn’t bypass any 2FA flow except email. More importantly, you should ideally not use your Roblox connected email for anything, especially development related stuff. Not only does it open you up to this attack, but it also opens you up to more phishing attacks.

If this happens, it is a bug; email 2FA shouldn’t activate when using this feature.


I’m no security professional either so I may be getting stuff wrong here; take what I say with a grain of salt.

3 Likes
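The post above argues about code length, lifetime and rate limiting. As an added example (not code from the thread or from Roblox), the Python below puts numbers on that argument: `guess_success_probability` gives the odds of blind guessing succeeding for a given code length, attempt budget and number of "retry later" rounds, and `CodeStore` is a defender-side verifier that enforces the mitigations that make a 6-digit code survivable: random generation, expiry, a per-code attempt budget, constant-time comparison and single use. The 15-minute lifetime and 6 digits are taken from the post; the 5-attempt budget is an assumed value.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LIFETIME_S = 15 * 60  # 15-minute lifetime, as stated in the thread


def guess_success_probability(digits: int, attempts_per_code: int, rounds: int) -> float:
    """Chance that blind guessing hits at least one code, given `attempts_per_code`
    guesses before each code expires and `rounds` fresh codes over time."""
    p_per_code = min(1.0, attempts_per_code / 10 ** digits)
    return 1.0 - (1.0 - p_per_code) ** rounds


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts_left: int


class CodeStore:
    """Verifier that limits guesses per code, expires codes and burns them after use."""

    def __init__(self, digits: int = 6, max_attempts: int = 5, now=time.time):
        self.digits, self.max_attempts, self.now = digits, max_attempts, now
        self.pending: dict[str, PendingCode] = {}

    def issue(self, account: str) -> str:
        # secrets (not random) so the code is unpredictable; reissue replaces the old code
        code = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        self.pending[account] = PendingCode(code, self.now(), self.max_attempts)
        return code

    def verify(self, account: str, candidate: str) -> bool:
        entry = self.pending.get(account)
        if entry is None:
            return False
        if self.now() - entry.issued_at > CODE_LIFETIME_S:
            del self.pending[account]          # expired: discard, never accept
            return False
        entry.attempts_left -= 1
        if hmac.compare_digest(entry.code.encode(), candidate.encode()):
            del self.pending[account]          # single use
            return True
        if entry.attempts_left <= 0:
            del self.pending[account]          # budget exhausted: burn the code
        return False
```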

My goat KrimsonWolf back at it with another useless topic

4 Likes