Yubikey support or other physical key support

I’m not sure if this has been brought up yet, but are there any plans to add support for hardware security keys, such as yubikey? FIDO U2F is generally a stronger authentication than TOTP, so having that option available for developers with security keys would be a big plus.

30 Likes

Gmail allowed me to use my phone as a security key. When I log into Gmail, it automatically turns on Bluetooth on my phone and then lets me log in.

I don’t have an actual USB security key. I probably would order one but I cannot order anything physical online without a passport (which expired 2 years ago and my mom has been too lazy to get me a new one).

2 Likes

I can’t even use my Yubikey with TOTP authentication under this beta with the Yubico Authenticator app. Only the Microsoft Authenticator app works. I have tried using TOTP with period set to 30 seconds, six digits, and the algorithm at SHA1, SHA256 and SHA512, and I am still unable to correctly create a key that works with Roblox’s authentication.

Does anyone know what settings I can use in order to use an app of my choice, rather than being forced to use my mobile phone with an Authenticator app?

That’s strange, I was able to use yubico authenticator normally - I wasn’t able to scan the QR code though, I had to input the secret key manually. Are you sure you’re filling out the fields properly?

(not a YubiKey user - I’m team KeepassXC - but here’s some insight)
The codes are generated according to RFC 6238 (SHA1, 6 digits, 30 seconds).

Random troubleshooting would suggest the clock is just out-of-sync enough to consistently produce an incorrect code, but given computers right now keep their clocks synchronized over and over again I have my doubts over that.

Being on-topic, though: While I would think U2F sounds overkill for Roblox, it makes a ton of sense especially for developers. There are accounts worth thousands of dollars (or tens or hundreds of thousands of dollars, even).

1 Like

Thanks! Strange that my clock was desynchronized. Visiting https://time.is/ showed that my clock was 0.6 seconds behind, so I decided to sync via Windows’s Date & Time Synchronize feature anyway, now it is 0.7 seconds behind but it manages to accept my code.

Thanks for the tip!

1 Like

Well - 0.6 seconds behind is certainly not enough to cause the issue. I was talking about a 45s+ gap between the computer’s clock and the clock on the authentication endpoint.

I’ll assume it was a fluke then.

1 Like

Yeah, that’s what I was thinking too. Strange too because I tried once again before resyncing and it still didn’t work.

I can kind of answer this by referring back to the first time we heard about TOTP 2FA being introduced at RDC 2021, in which my question did specifically look at U2F auth as another method.

While the answer did not directly mention 2FA, @Seranok was interested in other ways of securing Roblox accounts. A continued push towards improved security should occur where reasonable.

U2F implementation done right represents the gold standard and offers Roblox developers much benefit over TOTP, although we are at the very least moving towards a baseline for standard auth protocols.


CC: @OverHash Roblox uses otpauth://TYPE/LABEL?PARAMETERS from Google’s OTP URI. I haven’t personally got into Yubikey OTP but I’m generating codes without a mobile device with no problems. Good to see it was just a time check issue.


I would describe it as a longer term goal but I wouldn’t call it overkill it just represents users who take their security to the next level, the industry at large is starting to implement U2F auth into their products although I would want to see further improvement with Roblox’s internal security protocols before really going into U2F.

I would need to trust Roblox’s internal security protocols first, and I don’t think it’s there given the continued historic issues with the external parties Roblox uses. I’m happy to be at the industry standard for now.

1 Like

Hi Dragon,
Thanks for this question. Yubikey and other hardware support is definitely something we’re interested in, and we build our systems to support a broad range of authentication methods. But first we’ll get Authenticator ready for everyone and then consider if and when we’ll be able to add Yubikey.

21 Likes

Checking in now that the Authenticator has been released to everyone, has the possibility of adding Yubikey been discussed? I would like to see this implemented as well as better policies for restoring your account to reduce the likelihood of a social engineering attack succeeding.

For example, you would need to exhaust all your options before support would consider removing TFA, or possibly even having an option to block support from being able to disable TFA. I know Google has a similar approach to this where it will only let you restore your account if you lose TFA if you cannot succeed in the many verification options (such as Backup Codes or Security Key). If these options are exhausted, you must be on a recognized device to even get in touch with support who may or may not let you in your account. Considering how Roblox is a “bank account” for many, there should be comparable if not better protections in place. If there was support for Yubikey and Authenticator (which also has backup codes), it would be nearly impossible for me to lose my account and I would feel comfortable blocking support from disabling 2FA in any scenario.

Considering how much money is stored in developers’ accounts, sometimes more than what’s in their bank account, there should be more protections in place to prevent unauthorized access that can not be controlled by developers. Personally, I would not like to trust the same people that can’t restore my assets correctly to also block malicious actors from accessing my account.

6 Likes

This has been implemented as of today!

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.