Urgent: Roblox 2FA Bypass – Hackers Can Access Accounts Without Username or Password!

I see what you guys are saying about how weak 2Auth can be with emails. I can definitely see the security issues in other ways like contacting customer support.

I’m not a security pro, though, so I don’t know if there are other mechanisms to prevent hackers from resetting your password with ur email alone. This does sound like a pretty challenging situation.

I suppose the real difference here is maybe that One Time Code verification doesn’t require username or password. Maybe knowing usernames is a barrier (although I’m sure it could be easy to find if they have 2Auth enabled with email, since there would probably be requests saying it or something).

This is a challenging situation and I think maybe Roblox needs to boost its security in such situations in general. It still feels way too easy that with your email they can just log in without username or password or 2Auth.

I can imagine that if I was a hacker and I had someone’s email it would be challenging to find their Roblox username unless it was sent in the 2Auth message. I wonder, if email is so weak, if it could open the door to situations where a free Robux website or something else asks users to log in with their email to “create an account” and then compromises the entire account, bypassing everything.

Short answer: no.

I agree with this, there should be added security measures for when someone somehow manages to get inside of your account, such as the PIN but safer.

Now that I think about it, the real question is whether your username/password is easier to hack than ur email.

It seems like 2Auth with email isn’t really 2Auth but simply shifts which one needs to be compromised: Roblox password or email.

I suppose it’s harder to know an email if ur trying to attack someone specifically, since u need both the email address and password.

But like I was saying, things like data breaches and the fact that emails are considered higher value (cause they have a lot of info on u) can make it more motivating/easier for them to hack u.

Additionally, a lot of people reuse their passwords, so if they know ur email password it’s possible it’s also ur Roblox one.

I think if they can address both issues (one time code and support to reset password) it will make 2Auth with email actually 2Auth again.

I wonder why Roblox doesn’t have things like security questions or switching to other verification methods (like SMS) if enabled to reset passwords. I think they need to be more skeptical about the situation and more robust in general.

It’s scary how weak it feels to use 2Auth for email and it seems like Roblox has just abandoned it. They instead offer it but don’t actually support it.

Both the One Time Code feature and resetting the password via support seem like viable ways for a hacker to access your account, which only affirms the need for change by Roblox.

Currently they only need access to your email. Maybe they could also ask questions like where u were born or ur childhood nickname or recently played games. That’s still not a foolproof solution, however, so the best thing to do is not use 2Auth with email at all. Instead it would be significantly more secure to use an authenticator app, or for Roblox to at least make it more difficult for attackers to bypass ur password in general with only ur email (which One Time Code does a terrible job at).

1 Like

This topic covers a lot of that; they’re apparently adding more security for if somebody gets into your account.

1 Like

Oh, did they remove that? Makes sense. A few years ago, there was a massive explosion in a method of account stealing where someone would call up people’s SIM carriers and ask to get a replacement for their leaked phone numbers, giving them access to their SMS :melting_face:

My email account I verified my account with being locked by Microsoft: I see this as an absolute win.

I thought it was just Chrome that had a 2FA incident.

Why don’t you use the “Login with another device” or “Login via browser” option, assuming you’re logged-in on your browser?

1 Like

If they have your email they can:
A: Change your password automatically.
B: Contact support and tell them you lost your phone and cannot use 2FA.

1 Like

I mean like use SMS (if enabled) as a security if someone tries to reset ur password through your email. That way they need to know both your email and SMS when resetting ur password rather than being unable to verify ur identity if a hacker emails roblox under you.

Currently 2Auth with email relies on you knowing both ur email and roblox password, but the password aspect is easily bypassed since users might forget their password and thus roblox support resets it without verification.

Having some other verification against password reset attempts would help resolve this.

It’s just faster for me to use one time, but I’ll try using login via browser.

One-time has you go to an email website, click the email, copy the code, go to roblox, and paste the code as opposed to clicking two buttons.

Sorta unrelated, but I find the notion that the PIN was never supposed to be a security feature fraudulent, regardless of how it performed.

I’m looking at the login/forgot-password-or-username page and it seems that if someone gains access to your email or phone number they can gain both your username and password.

In fact, even if you have 2Auth enabled with email, it still allows you to reset your password and reveal your username with the phone number alone.

I think Roblox is actively working on reducing security risk from these types of attacks. Recently, they implemented a new change that prevents devices accessing your account in unrecognised locations (i.e. you haven’t logged-in from them before) from changing account settings. Thus, if you’re a security-minded individual and frequently check your Logged-in Devices page and your email for security alerts, you’ll be able to take action.

https://twitter.com/Roblox_RTC/status/1866875104753299536

If you don’t care about your account’s security, then no amount of security options can force you to make your life harder just to make sure no one steals your account.

Also, as someone else said, this feature is working as intended. It isn’t a bug that you can gain access to your account with your email, given that that’s usually exactly what people want when they add a recovery/2FA email. They shift the security over to it, in order to prevent getting locked out, and also trusting the 2FA methods and more mature security systems that email usually has. I think it’s one of the better options in terms of what Roblox can do when trying to get people to make their accounts more secure when they don’t have anything set-up, it’s at least something for the bare minimum, and it’s usually the easiest, given that it’s possible to verify your email from any device logged into it, instead of having to reach for a phone.

I know that, if I hadn’t added my email to this account, I would have already lost it.

(P.S.: Maybe this isn’t the AI, but some of your posts are incredibly “bloated” with too many sub-headings and repetition of information, which can make it more difficult to extract the actual information presented from all the “fluff”. You should try and keep your posts more terse and brief, like you’ve done for your more recent replies)

I might be misunderstanding this post but… if someone has access to your email doesn’t that mean that they have access to your account anyways? (When excluding authenticator apps and hardware keys ofc). The feature seems to be working as intended it seems, and for most people, Roblox would be their last concern if their email got breached.

1 Like

Before Roblox added the Authenticator App and Security Key 2FA, I was hacked multiple times due to this issue on multiple of my accounts when I used to use only a singular email for all of them (before I took security way more seriously. I was a dumb kid). I am surprised Roblox has not yet removed email 2FA because it has always been a security issue. I’d argue that phone number 2FA is more secure in a way, but only by a small margin so I also don’t recommend using that either. Always use Authenticator App and/or Security Key 2FA over any other method. They are the most secure!

2 Likes

There is a separate concern that I have with regard to this subject – namely that, although at some point (perhaps 10 years ago) I had specified an email for my Roblox account in order to become “verified”, some time not too long ago I found that ALL of my Roblox accounts associated with this e-mail address were forced to use 2FA (against what would have been my better judgment). I would prefer if such a feature were optional, or if not optional then also not automatic. In this case, I lost access to the majority of the accounts because I had already terminated the ancient e-mail address in favor of a more secure alternative (i.e. the e-mail address no longer existed but was nonetheless required for a 2FA that I had not expressly configured for myself).

This isn’t a bug folks it’s called common sense. Roblox encourages using authenticators and biometric verification for a reason. Move this to dev discussion or suggestion/feature reqs.

5 Likes

Why is this even a thread? If they have access to your email, it’s already game over.

2 Likes

To be fair though, if someone gets into your email you not only have bigger issues to worry about, but they could easily get into your account regardless (send reset password to email, SEing support because you have access to the email in turn meaning you clearly are the owner of the account, etc so on and so forth)

Not downplaying this issue though. There is effectively no difference between getting a 2FA email code for regular logging in and a one time login code, as they’d both be doing the same thing (sending a code to the email) - it’s just that the one time code skips the whole need for a password.

This feature should really be removed, or at least disabled, for users who get their regular 2FA codes over email, because there’s objectively zero reason to have it there. It serves zero purpose for people using email for 2FA.
Forgot password? Use the forgot password button. Forgot username? Use the forgot username option (it’s the exact same form as the forgot password one).

1 Like
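Several posts in this thread make the same argument in words: once a password reset is delivered to the 2FA email and a one-time login code also goes to that email, the account really only has one factor. The following is an added example, not code from the thread or from Roblox. It is a small Python credential-dependency model: each rule says "holding these secrets gets you this one", and a brute-force search finds the minimal sets of starting secrets that reach the account. The three policies are my reading of what the posts describe and propose (email 2FA with email reset and one-time code; the suggested "reset needs email plus SMS"; an authenticator app), and the secret names `email`, `phone`, `sms`, `totp` are labels I chose, not Roblox identifiers.

```python
"""Credential-dependency model: which secrets must an attacker hold to reach an account?

Constructed example for the thread above. The policies are my reading of the posts,
not Roblox's actual rules, and the secret names are labels chosen for this model.
"""
from itertools import combinations


def rule(*needs, grants):
    """Holding every secret in `needs` lets you obtain `grants` (a secret or "account")."""
    return (frozenset(needs), grants)


def closure(have, rules):
    """Everything reachable from `have` by repeatedly applying the rules."""
    have = set(have)
    changed = True
    while changed:
        changed = False
        for needs, grants in rules:
            if grants not in have and needs <= have:
                have.add(grants)
                changed = True
    return frozenset(have)


def credentials(rules):
    """Secrets an attacker could start with: anything some rule requires."""
    return set().union(*(needs for needs, _ in rules))


def minimal_compromise_sets(rules, goal="account"):
    """Minimal sets of starting secrets from which `goal` becomes reachable.

    Subsets are tried smallest first; supersets of a set already known to be
    sufficient are skipped, so only minimal cut sets come back.
    """
    found = []
    creds = sorted(credentials(rules))
    for size in range(1, len(creds) + 1):
        for combo in combinations(creds, size):
            start = frozenset(combo)
            if any(f <= start for f in found):
                continue
            if goal in closure(start, rules):
                found.append(start)
    return set(found)


def single_points_of_failure(rules):
    """Secrets that, on their own, are enough to take over the account."""
    return {next(iter(s)) for s in minimal_compromise_sets(rules) if len(s) == 1}


# Policy 1: email 2FA as the thread describes it.
EMAIL_2FA = [
    rule("password", "email", grants="account"),  # regular login + emailed 2FA code
    rule("email", grants="account"),              # one-time login code, no password needed
    rule("email", grants="password"),             # forgot-password link goes to the email
    rule("phone", grants="password"),             # reset via phone number alone
]

# Policy 2: email 2FA, but the one-time code is gone and a password reset
# needs a second channel (the SMS idea raised in the thread).
EMAIL_2FA_HARDENED = [
    rule("password", "email", grants="account"),
    rule("email", "sms", grants="password"),
]

# Policy 3: authenticator app; a reset requires the app as well as the email.
AUTHENTICATOR = [
    rule("password", "totp", grants="account"),
    rule("email", "totp", grants="password"),
]


if __name__ == "__main__":
    for name, policy in [("email 2FA", EMAIL_2FA),
                         ("email 2FA, hardened reset", EMAIL_2FA_HARDENED),
                         ("authenticator app", AUTHENTICATOR)]:
        cuts = sorted(sorted(s) for s in minimal_compromise_sets(policy))
        print(f"{name:27s} minimal compromise sets: {cuts}")
        print(f"{'':27s} single points of failure: {sorted(single_points_of_failure(policy))}")
```

Under the first policy the only minimal set is `{email}`, which is the thread's complaint stated as a result: the password and the phone-number reset add nothing, because the email alone reaches the account twice over (one-time code, or reset then log in). Under the other two policies no single secret suffices, and the reset path no longer shortens the attacker's list. Adding a new recovery route to a real system is the same operation as adding a `rule` here, so this is also a quick way to check whether a proposed convenience feature silently recreates a single point of failure.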