As a Roblox developer, it is currently impossible to feel safe on the platform with my assets with the current lacking security methods.

Roblox has made strides in terms of account security, but when we are talking about IP and assets worth thousands and even hundreds of thousands of USD for some users, the fact that it is so easy to fool people into bypassing 2FA is indicative of the problem that Roblox needs a proper, industry standard solution like every other major company (a solution like Duo, for example).

Personally, today, someone managed to gain access to my accounts for less than 2 minutes, regardless of 3 fail-safe systems preventing access, because the 2 factor authentication system has vulnerabilities.

There is no way to verify quickly that Roblox is the authority with the 2 factor authentication page, so attacks where the attacker blind-MITMs the code are possible (and just occurred).

Another example is the incident at RDC Amsterdam. The 2-Factor system was totally bypassed by alleged attackers, who may have been able to intercept cookies that were travelling plaintext across the venue. Even if this did not occur, the fact remains that it could have and hundreds of developers could have had their accounts compromised and all their assets downloaded and sold, or worse.

There is only so much I can do as a developer to feel safe on the platform and frankly, I do not feel safe like I would on most other platforms. Despite the current system being technically sound, and still requiring a human error, it is too easy for attackers to use the methods described to trick people into bypassing 2FA security. I hope that Roblox decides to take a firm step into ensuring developer security.

---

Going back to your original point, I am not sure that our 2SV system is "severely flawed". The implementation is industry standard and is subject to the same sort of phishing attacks that companies like Google face. Providing alternate verification options like Authy or Duo wouldn't provide any additional protection from those sorts of phishing attacks over what we have today. I still think it would be good to provide those options for other reasons.

Regarding the suspected security incident at RDC Amsterdam, I've looked into it and I don't see any compelling evidence that it was an attack. The two symptoms which led people to jump to that conclusion were:

- Developers reported getting randomly logged out. I've passed this information along to the right people so it can be investigated further. This appears to be happening to developers who did not attend RDC, so I suspect it is a platform-wide bug.
- Developers saw "Not Secure" when browsing during the event. There are bugs which may cause this to happen, e.g. joining a game from the website incorrectly marks the page as insecure because it is using a custom protocol to launch the client. If you ever see "Not Secure" when using our website please file a bug so we can fix it.

---

I am going to bump this, simply because this is important. Developers who are in charge of huge organizations, holding millions of Robux, having access to many games and what not, are relying on 2FA through email or phone. Both of which are proven to be the least secure option out there.

---

The reason why it's not "severely flawed" is because using a poor 2FA method is better than no 2FA, but it gives a false sense of being secure, which is not good.

---

I'm going to second that the current system isn't "severely flawed", but I do vouch for it being flawed. Game developers are risking all their income on "insecure" options to authenticate themselves, and it certainly does not make them comfortable. There are so many reasons the current options are insecure that a simple search online will give you more than enough information, hence why I'm not going to post it in here. It's not that there is an ongoing crisis, but the current flow just doesn't fit for those more concerned about security. We need better alternatives, if not now, then very soon. I do want to join the conversation about that and I agree with OP. It's not even that difficult to implement either, and in return you get a huge security bonus. Google even managed to reduce all phishing reports / confirmations to 0 - zero(!) - after enforcing all employees to use physical keys for authentication, which shows how effective these methods are.
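The thread's central technical point is that an email, SMS or app code can be relayed by a look-alike login page because the code is valid no matter where the user types it, whereas a physical security key signs the server's challenge together with the origin the browser is actually on, so a relayed response fails at the real site. The following simulation is an added example written for this page; it is not code from the thread, from Roblox, or from any of the products named. It uses HMAC as a stand-in for the asymmetric signature a real FIDO2 key would produce, the origin strings are constructed placeholders, and it goes slightly beyond the thread by also showing that a single-use challenge defeats replay of a captured response (the cookie-sniffing scenario raised about the venue network):

```python
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://www.roblox.com"               # origin the key was registered for (assumed)
PHISHING_ORIGIN = "https://www.rob1ox-login.example"  # constructed look-alike origin for the simulation


def one_time_code(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP 6-digit code (TOTP uses the time step as the counter).
    Models the email/SMS/app codes from the thread: the code is the same
    wherever it is typed, so it carries no information about the origin."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class CodeServer:
    """Server side of a shared-secret code factor."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, code: str, counter: int) -> bool:
        return hmac.compare_digest(code, one_time_code(self.secret, counter))


class Authenticator:
    """Models a hardware key: it signs the challenge together with the origin
    the *browser* reports. HMAC stands in for a real signature (simplification)."""

    def __init__(self, key: bytes):
        self.key = key

    def sign(self, origin_seen_by_browser: str, challenge: bytes) -> bytes:
        client_data = origin_seen_by_browser.encode() + b"|" + challenge
        return hmac.new(self.key, client_data, hashlib.sha256).digest()


class OriginBoundServer:
    """Accepts a response only if it was produced for this server's own origin
    and for a challenge that is still outstanding (single use)."""

    def __init__(self, key: bytes, origin: str):
        self.key = key
        self.origin = origin
        self.pending: set[bytes] = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, signature: bytes) -> bool:
        if challenge not in self.pending:
            return False                       # unknown or already-used challenge
        self.pending.discard(challenge)
        expected = Authenticator(self.key).sign(self.origin, challenge)
        return hmac.compare_digest(expected, signature)


def relayed_code_accepted(server: CodeServer, victim_secret: bytes, counter: int) -> bool:
    """Look-alike page collects the code the victim's phone shows and forwards it
    to the real site inside the validity window: the server cannot tell."""
    code_typed_by_victim = one_time_code(victim_secret, counter)
    return server.verify(code_typed_by_victim, counter)


def relayed_key_response_accepted(server: OriginBoundServer, device: Authenticator) -> bool:
    """Same relay against a security key: the device signs over PHISHING_ORIGIN,
    the origin the browser actually visited, so the real server rejects it."""
    challenge = server.new_challenge()         # real challenge forwarded through the look-alike page
    forwarded = device.sign(PHISHING_ORIGIN, challenge)
    return server.verify(challenge, forwarded)


def legitimate_login(server: OriginBoundServer, device: Authenticator) -> bool:
    challenge = server.new_challenge()
    return server.verify(challenge, device.sign(server.origin, challenge))


def replayed_response_accepted(server: OriginBoundServer, device: Authenticator) -> bool:
    """A captured valid response cannot be reused: the challenge is single use."""
    challenge = server.new_challenge()
    sig = device.sign(server.origin, challenge)
    first = server.verify(challenge, sig)
    return first and server.verify(challenge, sig)


def demo() -> dict:
    code_secret = secrets.token_bytes(20)
    key = secrets.token_bytes(32)
    code_server = CodeServer(code_secret)
    bound_server = OriginBoundServer(key, REAL_ORIGIN)
    device = Authenticator(key)
    return {
        "relayed_code_accepted": relayed_code_accepted(code_server, code_secret, counter=1_700_000),
        "relayed_key_response_accepted": relayed_key_response_accepted(bound_server, device),
        "legitimate_login": legitimate_login(bound_server, device),
        "replayed_response_accepted": replayed_response_accepted(bound_server, device),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The code path reports True for the relayed one-time code and False for both the relayed key response and the replayed response, which is the property the thread attributes to Google's physical-key rollout: the factor is bound to the real origin, so user error on a look-alike page no longer yields a usable credential.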