How to better protect your Roblox account from hackers with two-step verification (2SV)

Graham Cluley
@gcluley

Accounts on the popular online gaming platform keep getting hacked. So, how can you better protect your Roblox account?

First things first. Make sure that you are using a unique, hard-to-crack password for your Roblox account. That means not using a simple, easy-to-guess password, dictionary words, or passwords that you are using anywhere else online.

That last point is particularly important. Perhaps the biggest mistake internet users make when it comes to securing their accounts is to use the same password in multiple places. Reusing passwords across different services means that if a hacker breaches one website’s password database, they can then use those passwords to see if they unlock your other online accounts.

For instance, Mark Zuckerberg had his Twitter, LinkedIn, Instagram and Pinterest accounts hacked in 2016 because he was using the same password for them as he’d been using on LinkedIn, which suffered a password breach in 2012.

But choosing a unique, strong password isn’t enough. That password could still be phished from you, for instance.

And that’s why I recommend that computer users enable two-factor authentication or two-step verification (read this if you want to know the difference) where available, to add an extra step to the login process.


How to enable two-step verification (2SV) for your Roblox account

Having logged into your Roblox account from a desktop or laptop computer, click on the cog in the upper right-hand corner of the screen and choose “Settings”.

Choose the “Settings” tab, and enable “2 Step Verification”.

Note that if you haven’t already done so, you will need to give Roblox an email address (and verify it) before enabling two-step verification. The reason why Roblox requires this will become clear in a moment.

Your account is now protected.

Next time you attempt to log into Roblox, the site will ask you for not just a username and password, but also a six-digit code.

This is the reason why Roblox requires you to give it a verified email address. Upon attempting to log in, you should have received in your email a message from Roblox containing the temporary verification code.

Of course, if it wasn’t you trying to access your Roblox account you now have a heads-up that someone else was… and that maybe your username and password have been compromised.

Email-based 2SV, not app-based

Users who are familiar with 2FA and 2SV will notice that there’s a difference between how Roblox has implemented two-step verification and the way that many other online services do it.

Many websites these days offer app-based 2SV where an authenticator app – often running on the user’s smartphone – generates a six-digit code to help the user authenticate their identity.

The idea is that a hacker might have managed to grab your password, but they won’t – hopefully – have physical access to your smartphone.

Roblox, unfortunately, does not offer users the option of app-based 2SV. Instead, when you attempt to log into an account protected by 2SV, Roblox will send a code to your email address. And that’s the code you enter to complete your login.

That’s certainly better protection than simply defending your Roblox account with a username and password, but it’s not going to be much help if a hacker has also managed to compromise your email account, and so is able to view the verification code that Roblox has just emailed to you.

My guess is that Roblox feels it’s easier to support two-step verification conducted only via email, particularly with a userbase largely made up of youngsters.

But it seems a shame that Roblox is not offering the option of app-based authentication which has been adopted by so many other sites.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
