
Two Factor Authentication

Score + 297
I'm a bit surprised in Roll20's lackluster site's security. Upon changing my email, I shuddered that the system didn't send a link to the former email address to confirm the change, it just did it. You would think they'd have a 2-Step verification process via using cell phone number or email passcode. Obviously it would only have to be done once per device, but I'd be more comfortable knowing there's that extra layer of security.
Agree, this needs to be implemented.
Two years, no implementation... I feel like Roll20 is abandonware :-(
Even though this has been well over 2 years, 2FA is definitely something I support and want to see implemented!
Have a look here then, 6 years, started by a Roll20 team member, and now in "feedback".... https://app.roll20.net/forum/post/1239660/finish-implementing-the-external-journal-feature Sho0og said: Two years, no implementation... I feel like Roll20 is abandonware :-(
Bumping this topic because it's important to have. With the ability to purchase things on the marketplace, and having games that are years old, the potential for someone to cause havoc with someone's account would be immense. This is more important than whatever new dynamic lighting system you have and push development on. Secure our accounts so we can use those features in safety. Thank you.
Ashton
Forum Champion
Compendium Curator
Hi everyone, thank you for your feedback on this! Just letting you all know that I've updated this suggestion to the researching status to reflect its current stage of development. As a reminder, researching means we're looking at what it will take to complete, including doing user research. Further feedback and votes on this post are welcome!
thank you
I appreciate this. Thank you.
Thanks for looking into this!
Any movement on this? It's been four months since this was moved into researching status.
You can do it Roll20! Pretty important!
Can I still upvote and bump this up? How, in the unholy name of Tharizdun, can the dev team still not make a UI overhaul to have Dark Mode and modular visuals, AND after a massive breach they STILL DON'T HAVE 2-STEP AUTH? What do they spend their sponsor, market and subscription money on? New fancy dice?
Ashton said: Hi everyone, thank you for your feedback on this! Just letting you all know that I've updated this suggestion to the researching status to reflect its current stage of development. As a reminder, researching means we're looking at what it will take to complete, including doing user research. Further feedback and votes on this post are welcome! Ashton, I'll try to be as polite as possible. But it's REALLY strange how the dev team seems to have heard "concerns" and "feedback" for years from the users. I know I'm not a Pro user. One of the reasons is exactly the fact that I see how many Pro users ask for things that a dedicated team of developers could do in months, if not weeks! I'm no coder, but I work in game development. I see code being done, front end and back end. I've worked at tech companies that took care of massive servers, with nationwide systems, and saw them struggle with extremely complex structures being built in a matter of a year. But those were built. And they weren't geniuses. They were dedicated, just that. But, in complete honesty? Roll20, in the current year of 2022, feels like a slightly better version of the one from 2012. I swear I'm not trying to be offensive here, but if your developer team, your programmers, aren't good enough to deliver what the users and subscribers have been asking for a literal decade, maybe it's time for you folks to do the harsh thing and take a look inside your team and see what/whom is the problem holding things back, what is stopping the project from actually evolving, not just giving crumbs and scraps of updates here and there. This could be one of the best, if not the best, of the platforms for vTTRPG. But for some reason, it seems that either someone at the top wants to keep the status quo, or somewhere in the chain of work there is a heavy, long-lasting problem.
And now, risking being banned from the forums (I hope only from the forums, because if criticism leads to a full-blown account ban, oh fam, this is bad), there is other software being built right now. For personal reasons I don't want to support them, and yes, I'm talking about Foundry VTT. But as far as I see, and as far as my friends and players who have been using it say, it seems that in what, a year? two years? they managed to do what R20 apparently has been either struggling with or ignoring their userbase about for a freaking decade. I have eye problems, and I have to use an extension to be able to use Roll20, because of the freaking brightness. So yeah, please don't take this as an attack on you, or even on the team personally. But please, send the message up the chain to clean up your house, and see what and why your product started to feel like it only wants to keep giving the bare minimum and promises of "in the future". Just, please, make this message go up the chain of command and find whoever is responsible for holding back what could have been a fantastic solution for vTTRPGers everywhere. And for any god's sake. I know it's probably your job to say you updated the suggestion box, but for once, show us that our suggestions are being worked on and not just being put in a box.
>> But, in complete honesty? Roll20, in the current year of 2022, feels like a slightly better version of the one from 2012. This is how I, and everyone I know who uses Roll20, feel about the platform right now. There have been minor improvements over the years but the platform is basically unchanged. Things like Updated Dynamic Lighting aren't really site improvements--they're just fixing existing features to work properly. Oh, and by the way, any devs who are reading along, Updated Dynamic Lighting will still cause the browser to eat up 50%+ CPU time when playing, which is embarrassing when playing a Foundry game in the same browser barely causes it to break a sweat. I like Roll20 and I like the community here. The community remains unmatched anywhere else. But as Lucas said above, I'm afraid this platform will become irrelevant in the near future if it cannot keep technological pace with its competitors. Something like two factor identification is bog standard basic these days. Implementing it shouldn't take any significant time at all. Even my doctor's office has it. The fact it has been in the "researching" phase for 5 months already is just a sign of the problem.
+1 for 2FA
I agree with everyone here. The fact that we don't have 2FA at this stage, despite almost 10 years and the data breach y'all had, is very frightening. Y'all need to get this implemented before you lose your user base over the fact that people aren't feeling safe on the platform anymore. I'm not a professional, but I am a college student studying cybersecurity myself, and just the fact I can't use 2FA on here worries me a great deal. So please, for the sake of everyone, look at your team and get them to make 2FA, as well as listening to your user base.
Checking this again... this was five months ago. 2FA can't be that hard to implement, can it? It's the bare minimum for security nowadays.
Roll20, it's 2022... c'mon. 2FA is the bare minimum standard. Please.
I guess the research phase is conducted very thoroughly and extensively, as it is taking years now. Or Roll20 cares very little about their customers' privacy and/or investment.
2022 and Roll20 still doesn't have this basic feature. Maybe it's high time I switch to Foundry once and for all.
PLEASE! Mine popped up saying I should reset my password.
+1
Nine months now. Guys, we honestly need Two-Factor Authentication. It's a standard for security.
Sum41 - Does this look infected? - 4th Song
Victor B.
Pro
Sheet Author
API Scripter
+1 My account got hacked. Was on it all week and suddenly couldn't get in and had to cancel a game. Not a password lockout, as my password was saved in the browser. Roll20 was responsive in restoring my access and I immediately changed the password. I had a silly password for a long time and I publish my APIs on my own personal GitHub, so someone was able to guess my silly password because they knew my email address. With two factor, it wouldn't have happened.
+1 This feature is needed!
Kraynic
Pro
Sheet Author
It depends a great deal on how this is implemented. If it requires a mobile phone, it should never be implemented at all, or only be an opt-in system.
Kraynic said: It depends a great deal on how this is implemented. If it requires a mobile phone, it should never be implemented at all, or only be an opt-in system. Technically, a lot of services do, but it's highly encouraged. Mobile phones are such a necessity, it's why a lot of services either force them, or have an e-mail confirmation number as an alternative.
Kraynic
Pro
Sheet Author
Jaydee said: Kraynic said: It depends a great deal on how this is implemented. If it requires a mobile phone, it should never be implemented at all, or only be an opt-in system. Technically, a lot of services do, but it's highly encouraged. Mobile phones are such a necessity, it's why a lot of services either force them, or have an e-mail confirmation number as an alternative. If you live in a rural area with an hour+ one-way commute to get a new phone if you damage yours, tying any service you like to use to your cell phone is not a great thing to do. That is why I don't use 2FA on Discord. While I check chat messages on my phone during the day, my primary use of Discord is on my PC. Why should I be locked out of Discord if something happens to my phone?
Andrew R.
Pro
Sheet Author
Kraynic said: Why should I be locked out of Discord if something happens to my phone? I suggest you look into the Twilio Authy app, which I use, so I can use 2FA from both my Pixel 3 and my iPad.
Kraynic
Pro
Sheet Author
Andrew R. said: Kraynic said: Why should I be locked out of Discord if something happens to my phone? I suggest you look into the Twilio Authy app, which I use, so I can use 2FA from both my Pixel 3 and my iPad. So I should run some sort of mobile emulator on my PC to be able to run this thing for 2FA? Maybe I am missing something, but that doesn't sound like a great solution either.
Requesting a status update on this. The reason I consider this incredibly necessary is in case of another data breach. Given online safety in this era, it is never a question of whether your site and your information will be compromised, but when. Please add Two-Factor Authentication, because it is really necessary.
Two factor security is considered the bare minimum now in the CyberSec field. Harden your systems please.
Thank you for the bump, honestly. Please do not forget about this. It's been years, and it's STILL not on. You guys shouldn't risk another hack, and even less the lawsuits that could come from accusations of a lack of security.
+1 2fa should be an option at a minimum. Google authenticator works really well.
To staff: Has there been a status update on the research?
Kraynic said: Jaydee said: Kraynic said: It depends a great deal on how this is implemented. If it requires a mobile phone, it should never be implemented at all, or only be an opt-in system. Technically, a lot of services do, but it's highly encouraged. Mobile phones are such a necessity, it's why a lot of services either force them, or have an e-mail confirmation number as an alternative. If you live in a rural area with an hour+ one-way commute to get a new phone if you damage yours, tying any service you like to use to your cell phone is not a great thing to do. That is why I don't use 2FA on Discord. While I check chat messages on my phone during the day, my primary use of Discord is on my PC. Why should I be locked out of Discord if something happens to my phone? There are solutions other than mobile devices to provide 2FA; however, the same can be said of all of them if you lose/damage that second factor: "it's gone, Jim." Obviously for the highly technical there are workarounds to all of that, but it also partially defeats the point of using 2FA. For example, your PC itself can serve as a second factor, or you can use a token like a YubiKey to hold the token secret and use the PC as a timing source to produce the 2FA value. As far as your specific concern, most services will produce recovery codes along with your 2FA secret. So, you write a recovery code or two down some place safe, and put your secret into the mobile device. Should your phone be lost/break/etc., you can use the recovery codes to access your account and disable 2FA until you get a new phone. Ideally this isn't a thing that's happening all the time. To be clear, simple TOTP based 2FA (which is what we're talking about here, though there are other, better schemes) mostly protects you against yourself (e.g. weak or shared passwords). A total database compromise will allow an attacker to get all the secrets that were issued as well.
In either event, I prefer the option to use it as one of the scenarios it helps protect against is compromise of the accessing device. With your second factor of authentication being out of band, if your PC gets compromised, the attacker can of course mess with your account while you are logged in, or by stealing your session cookie - but once you are logged out and that cookie is invalidated, they don't have access to that second factor of authentication to log in again. It's a pretty resilient safeguard for the average person and a decent insurance policy, one which I both hope roll20 implements and remains optional.
Kraynic
Pro
Sheet Author
Loremir said: As far as your specific concern, most services will produce recovery codes along with your 2FA secret. So, you write a recovery code or two down some place safe, and put your secret into the mobile device. Should your phone be lost/break/etc., you can use the recovery codes to access your account and disable 2FA until you get a new phone. Ideally this isn't a thing that's happening all the time. How would this work if the only mobile device I have is my phone? Maybe I am not understanding you correctly, but this still sounds like you have to buy and maintain a mobile device (or multiples, to have a backup device?) to be sure you aren't locked out of your account.
Kraynic said: Loremir said: As far as your specific concern, most services will produce recovery codes along with your 2FA secret. So, you write a recovery code or two down some place safe, and put your secret into the mobile device. Should your phone be lost/break/etc., you can use the recovery codes to access your account and disable 2FA until you get a new phone. Ideally this isn't a thing that's happening all the time. How would this work if the only mobile device I have is my phone? Maybe I am not understanding you correctly, but this still sounds like you have to buy and maintain a mobile device (or multiples, to have a backup device?) to be sure you aren't locked out of your account. If you want the benefits of the 'two' factors in 2FA, you do indeed require some sort of a separate device (not necessarily a mobile phone), which not everyone has or is willing to use even if they have it, which is why I believe 2FA should be implemented, encouraged, but ultimately optional. Should a company force 2FA upon its users, there do exist solutions for PCs. A true PC based 2FA solution would be something like Yubico's authenticator, which relies on a small, roughly $50 USD thumb-drive style token as the separate device to securely hold the 2FA secret. Then there are of course workarounds; various apps do exist to let you store the 2FA secret on your PC and produce TOTP authentication codes, however, I cannot speak to their safety or recommend any personally. There are also sites that will store your secrets for you and produce codes. To be clear, that's not a 'good' idea, but it's not a dangerous thing either if you more or less trust the site, as without your password there's still no access. However, the point I was trying to make in the text you quoted above was in response to your concern about something happening to your cell phone.
I was trying to explain that at the time of enrollment in 2FA, you are *always* given a secret (which is necessary for 2FA, often in the form of a QR code for ease of use, and a long jumble of letters/numbers if you need manual entry), and sometimes given "recovery codes" at the option of the implementing site (hopefully roll20 implements these, if we ever get 2FA). Recovery codes are pre-generated, non-expiring, one-time-use authentication codes that will work in place of the 2FA authenticator generated code. In other words, if you lose your phone and can't produce the necessary code to log in, you have a few of these 'recovery codes' written down someplace, you go fish out that piece of paper, punch one in, and you're logged on (to be clear, no extra mobile device required - the codes are entered directly!). You then disable 2FA for your account until you get a new phone or such, and re-enable it again thereafter with a fresh 2FA enrollment. TL;DR, loss of mobile device, for sites who "do it right" and provide recovery codes, does not constitute account access denial, provided you took the effort to avail yourself of writing down one or more recovery code. 2FA is not meant to be bulletproof, it is meant for someone to require invasive access to multiple areas of your life in order to be able to compromise your account from your end, versus simply seeing you enter your password, or stealing it from another site, etc. For folks who use cloud based password managers, 2FA is also a huge boon because it reduces the trust you need to place in a service, which from the recent news articles on the matter, don't necessarily merit a ton of trust. Bonus - it also helps to hold Roll20 accountable, as if a number of their users who have 2FA enabled are having their accounts compromised, it strongly points to a compromise on Roll20, vs a bunch of different users somehow doing 2FA wrong.
+100 There are countries, like Australia, that have made the absence of 2FA illegal for such a large company. The UK is looking into similar enforcement. The United States has been in the process of adopting this system for several years now (e.g. law firms currently need 2FA for their websites or risk being decertified).
I would spend ALL of my Remaining Votes to finally see this done! There are A TON of Spammers here in the forums recently and it gets more and more annoying! It is February 2023 and Roll20 still does not have this... it's a shame!
Helping bump this again. I do not visit the forums save for this thread, but cripes. If the spam has gotten that bad, then it is only a matter of time before something worse happens. Can we get it developed, for the sake of cybersecurity?
I'm all in favor of 2FA because, well, I also believe in deadbolt locks, parking only in well-lit areas, VPNs and random alphanumeric-special-character passwords. But where have you been seeing all of these spammers? I've seen only 2 in the last month and I visit the forum almost every day, although I don't usually look at the LFG or LFP threads.
If good 2FA isn't implemented, Roll20 will never get a penny from me. Not for my account, not for a gift subscription. Period. And SMS messages with one-time codes don't qualify as good 2FA. I want an authenticator app at a minimum, but ideally Roll20 will implement WebAuthn where I can use one of my YubiKeys.
Bumping this for notoriety, and to know the current state of this. New features might be good and all, but they can disappear in one instant if proper security is not enabled.
NO! I absolutely HATE 2 factor authentication as it slows and steals my personal info. It also does not prevent security breaches. I don't use a smart phone (or want brain tumours) and do not want to give more of my details to a centralised systems that spies and collates info for future exploitation. As a concession for the sheep who like Big Brother and being fleeced/slaughtered, if desired or necessary, why not allow an opt-in system for them and allow the rest of us privacy that makes the WWW a great place. Please don't cave in to the sniveling weaklings who want to be controlled and have no idea how much worse their lives will become once a site-scraping social credit system is implemented... No offence intended - I don't know any of you due to the human right to privacy! We need more freedom, not less. :-)
Even without 2FA they should have extra security questions or, heck, a security passcode with your phone number or something. It would slow, if not stop, most people from getting fully into your account. Our DM fell many times to hacks and I would love to have something to stop this. Some people are jerks who just hack and mess up a game for fun and then steal credit info. I guess there are sickos out there who like to bother people that want to have fun.
Crisis said: NO! I absolutely HATE 2 factor authentication as it slows and steals my personal info. It also does not prevent security breaches. I don't use a smart phone (or want brain tumours) and do not want to give more of my details to a centralised systems that spies and collates info for future exploitation. As a concession for the sheep who like Big Brother and being fleeced/slaughtered, if desired or necessary, why not allow an opt-in system for them and allow the rest of us privacy that makes the WWW a great place. Please don't cave in to the sniveling weaklings who want to be controlled and have no idea how much worse their lives will become once a site-scraping social credit system is implemented... No offence intended - I don't know any of you due to the human right to privacy! We need more freedom, not less. :-) Mate, lay off the personal attacks. This makes you look worse, not better.
Crisis said: NO! I absolutely HATE 2 factor authentication as it slows and steals my personal info. It also does not prevent security breaches. I don't use a smart phone (or want brain tumours) and do not want to give more of my details to a centralised systems that spies and collates info for future exploitation. As a concession for the sheep who like Big Brother and being fleeced/slaughtered, if desired or necessary, why not allow an opt-in system for them and allow the rest of us privacy that makes the WWW a great place. Please don't cave in to the sniveling weaklings who want to be controlled and have no idea how much worse their lives will become once a site-scraping social credit system is implemented... No offence intended - I don't know any of you due to the human right to privacy! We need more freedom, not less. :-) Not sure if sincere or trolling, but for those reading this: while some companies (i.e., Facebook) have used phone numbers provided for 2FA for marketing purposes, that is not the norm. Additionally, I'd strongly recommend that Roll20 not implement an insecure, SMS or email-based 2FA method. The app-based approach outlined in my prior post cannot steal your data, as it provides the user with a new bit of info they can use to generate a temporary, one-time password. Let me be clear. The app-based method takes no personal info from the user. Hence there is no personal data to exploit (unlike the other methods). Also, come on, Roll20, it's been four years since my prior post and your security breach. At this point, there is no good-faith argument that security is a priority. And the cynic in me thinks 2FA might only be added if you start losing market share to competitors over such a feature. I'd gladly be wrong and hope that Roll20 pivots into a leader on security in this space, but I don't see it happening, which is a shame.
Roll20 has been great for my friends and me, but it hurts to see the state of security on this platform.