This post has been closed. You can still view previous posts, but you can't post any new replies.

Two Factor Authentication

+1 Speaking for myself this should have been a factor from day 1.  Anything that requires transactions of monetary sums can and will have attempts on it to hack.  Incidentally this already happened, and the fact Roll20 has done nothing since that time astounds me.    It is my hope that the Ashton is right and something will be done.
Bumping this topic, as its implementation continues to be necessary. Likewise, we need an update.
From what I understand, two-factor isn't all that much safer than what they have now. Not to mention there's not a lot of reason for it on Roll20 for individual accounts.
+1
+1
Stephen C. (Pro, Sheet Author), posted 2023-07-25 UTC:
They've been researching how to do 2FA for 2 years now (July 21, 2021). This isn't a quality of life improvement. This is a security feature.
Posted 2023-11-03 UTC (edited the same day):
2FA is the most significant security feature they could introduce in short order for us, and we're still waiting on it without any real update. I've dropped pro status over lapses in confidence evidenced by this thread and others where it is clear our votes don't actually mean all that much. Another telling thing is the partial UI refresh, where for years now, some pages have a nice up-to-date looking styling, and others have the older looking styling; it just feels like a whole lot is being thrown over the fence or left to rot, those being the examples that quickly come to mind. I'm happy to pay, but can't reward roll20 until there's some accountability and actual transparency introduced. Two years of no visible movement while researching a feature that I've implemented on numerous projects in a time-frame of several days to a few months depending on the complexity of the integration, well, it's not very compelling from an outside perspective.
Bloody hell. Nearly 4 years on....
Koloqial said: Bloody hell. Nearly 4 years on.... Sadly this is not even unique to this request.
And seeing how much SPAM there is nowadays here on Roll20 this needs to be implemented ASAP...
I think all of us should make anniversary posts here, commemorating our original replies in this thread each year. Mine will be in just short of 2 months.
My friend account got hacked two times... so yeah he really needs this
My account info for roll20 was found in a data breach (I've since changed the password, I use unique passwords on every site).  I'd like 2-factor enabled on this website.  What the heck is going on Roll20?
Ditto.  Was just alerted that the password I used for this site was found in a data breach.  The time for MFA has long since come.  Please do this.  Thankfully the password is only used on this site.
Still not available??? Come on.
This suggestion has recently passed its 7-years mark, judging by the comments at the very beginning of this thread. A perfect age for brandy. Maybe not so much for an IT-ticket. 
Also got a notification that my account was part of a data breach. Let's get that 2FA!
Please add MFA before you have a serious data breach and it then becomes the only thing you're working on. Better to prevent the compromise of your customers' personally identifiable information on your own terms than to lose control of the agenda in the wake of a breach.
Yes, please add this.  Especially with regards to sites where we can make purchases of any kind.  Roll20, DriveThruRPG, and Dungeon Master's Guild.   The thought of losing all those purchases to a compromised account is disturbing.
This is a real basic ask.  It should be on any system that purchases can be made upon.  Please add this.
It's 2024. Get with the program. 2FA Now!
2FA should be much more of a standard security practice than it is. Please implement.
2FA should be standard.  Please add that feature.  
My password was reported as being compromised recently. Like others, I use unique passwords. Why is this not a feature, y'all?
I just received the e-mail regarding an administrative account being compromised. You guys really need to add Two-Factor Authentication.
Javier Dice said: I just received the e-mail regarding an administrative account being compromised. You guys really need to add Two-Factor Authentication. Not just for users, but obviously for internal Roll20 staff.  Seriously, this is 2024, how is this not a requirement for staff?  What am I paying you people for?  It's getting to the point where I might as well just self-host Foundry on a home server.
DrHappyAngry said: Not just for users, but obviously for internal roll20 staff.  Seriously, this is 2024, how is this not a requirement for staff?  What am I paying you people for?  It's getting to the point where I might as well just self host Foundry on a home server. We have been at that point for a long while. I fully expect to be banned/censored for saying this, but Roll20 has not meaningfully upgraded or fixed what services they offer in years. No, dynamic lighting and dark mode are not important. Not when we have YET ANOTHER data breach on our hands. This is absolutely unacceptable for a tech company offering any  kind of service in 2024.  Now I'm sure some people are going to come in here and say that 2FA wouldn't have prevented this new admin account breach. And you're right, it may not have completely  stopped the breach, but it would have made it another step harder to compromise. And that's what 2FA is all about. You can't have a "perfect solution" that always stops accounts being hacked/compromised/w/e, but with every feature like 2FA you add the harder it is to pull off. So again, we've long been at the point where other VTT solutions/providers are the answer. They seem to at least care about data security.
This shouldn't be a request now, get it done Roll20 ^
Agreed; this is long overdue, and this breach should be the last impetus to finally get this done. 2FA is not that hard in 2024. Put some resources on it, please and get it done. Thank you.
5 years ago someone made a very reasonable suggestion. You have now been hacked... again. Implement 2FA TOTP. It is easy in 2024. There are no excuses.
At the very least, 2FA should be implemented for all admin-level accounts.  In 2024, after a 2nd breach, this should be a no-brainer.
Posted 2024-07-04 UTC (edited the same day):
Bottom Line Up Front (BLUF):  Roll20 appears to be insouciant toward customer account security.  Is Roll20 going to take specific action soon (e.g., within this calendar year) to provide effective account security enhancements? I've been a Roll20 user for over a year, and I am a senior systems engineer with a strong IT background.  Throughout my career, I've been exposed to numerous security-related topics and how they could affect my internal and external customers.  Through both necessity and curiosity, I've researched security technologies such as website user authentication mechanisms like FIDO2 and Webauthn, encryption technologies like public-key infrastructure (e.g., PGP and GPG), and secure communication technologies like TLS and website security certificates. In April 2023, I submitted request #119368 regarding account security and multi-factor authentication (MFA) and was directed to this five-year-old forum post advocating for the same feature, where the first comment mentions a recent security breach.  Roll20's dismissive attitude toward customer account security undermines any confidence I have for Roll20's stance regarding employee and administrative account security (a sentiment felt and expressed in April 2023), so it's not surprising that a year after I registered my concern there is another security incident. YubiKeys and authenticator apps are largely mainstream, although many organizations have only implemented sending one-time codes via SMS or email--a discredited practice that's even being deprecated by NIST.  Roll20 still only protects user accounts with a password, and while Roll20 has publicly committed to implementing additional restrictions on user data access, I'm very disappointed that the best action Roll20 can announce regarding account security in today's security bulletin is to "add enhanced security measures as needed to prevent this incident from happening again."  
I believe Roll20 would do well to devise specific actions that it will take to address enhanced account security (for employees and the userbase) and then share those with the user community. Until Roll20 implements effective user account security improvements, such as support for YubiKey and authenticator apps, I will refrain from purchasing any Roll20 products or services and advise others to do the same.  I urge Roll20 to move beyond "researching" and commit to concrete actions.  Implementing MFA with options like YubiKeys and authenticator apps by the year's end (Dec 31, 2024) would be a significant step forward.  I believe such measures would rebuild trust and encourage users like me to continue using Roll20 services.
+1 I have so much valuable information on Roll20.
As a matter of fact, Engadget just published a news piece on this, and noted how we have been asking for 2FA for years, only to be ignored. https://www.engadget.com/virtual-tabletop-gaming-platform-roll20-experienced-a-serious-data-breach-181052179.html?guccounter=1
Bumping this. Please actually do this. For your customers as well as yourselves.
Bumping this so it doesn't go away and continue to be ignored by Roll20 staff, putting all of our accounts and personal & financial information at risk.
Bumping this again. What happened with the research this topic had before the breach?
Apologies, but this subject should have been worked on after the data breach. While comforts to run a game are good and all, data security and credit card info are just as necessary, if not more so.
Posted 2024-09-22 UTC (edited the same day):
I think it's time people look for other, more secure platforms. Clearly they don't give two shits about their own users.
Sydney S. (Roll20 Team), posted 2024-10-17 UTC (edited 2024-10-22):
Hey everyone, a quick update on this feature. We released this into the wild yesterday (10/16/2024), and it’s available to all users after we spent some time using it internally.

10/22/2024: You can read more about this on our official announcement over at the Roll20 Blog.

Details:

What forms of Two-Factor Authentication are available?
We are only supporting Time-Based One-Time Passwords (TOTP) as implemented by IETF RFC 6238. This is the same 2FA method that Google Authenticator and similar authentication apps support. We elected not to support SMS authentication due to security and availability concerns.

How do I use 2FA now?
You will need to enable 2FA by going to your Account page, and near the bottom you’ll find a section labeled “One-Time Passwords”. Set “Enable OTP” to “Yes”, and click “Save Changes”. After the page loads, you will see a QR code. Scan this code into your authenticator app, enter the code given, and click “Save Changes” again. If it’s successfully confirmed, you’ll see a message saying “You’re all set to use OTP!” (or your language’s equivalent). Once it’s enabled, logging in will require you to enter the generated code.

What applications are supported for 2FA?
Anything that supports IETF RFC 6238 will work with this. For a non-exhaustive list, this includes Google Authenticator and Authy, as well as a number of password managers like 1Password and Bitwarden.

How do I turn off OTP?
In your Account page, set “Enable OTP” to “No” and click “Save Changes”. Note that this will wipe out your OTP configuration completely, so if you re-enable it you will need to confirm it again and reset the configuration inside your authenticator app.

tl;dr: We released Two-Factor Authentication to help everyone be more secure on Roll20. This topic will now be closed, and your votes will be refunded for use on other suggestions.
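The post above says Roll20's 2FA is RFC 6238 TOTP, the scheme Google Authenticator and similar apps implement, enrolled by scanning a QR code. As an added example that is not Roll20's code and not from this thread, the block below is a small Python implementation of the pieces involved: RFC 4226 HOTP with dynamic truncation, TOTP over 30-second time steps, a server-side verifier that tolerates one step of clock drift and refuses to accept a time step that was already used (the replay rule in RFC 6238 section 5.2), and the otpauth:// provisioning URI that enrollment QR codes conventionally encode (the Google Authenticator key-URI format). The thread does not state what Roll20's QR code contains, so the issuer and account names are assumptions. The shared secret is the RFC 6238 test key, so the codes can be checked against the RFC's Appendix B table.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"); constructed test
# value from the RFCs, not a secret anyone should ever reuse.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, int(at) // period, digits)


def verify_totp(secret: bytes, candidate: str, at: Optional[int] = None, period: int = 30,
                digits: int = 6, window: int = 1,
                last_accepted_step: Optional[int] = None) -> Optional[int]:
    """Server-side check. Returns the matched time step, or None if the code is rejected.

    - Accepts codes from `window` steps before/after the current step to absorb clock drift.
    - Never accepts a step at or before `last_accepted_step`, so a code that was already
      used to log in cannot be replayed within its validity window (RFC 6238 section 5.2).
    - Uses a constant-time comparison so rejection timing does not leak digit matches.
    """
    if at is None:
        at = int(time.time())
    if len(candidate) != digits or not candidate.isdigit():
        return None
    current = int(at) // period
    for delta in range(-window, window + 1):
        step = current + delta
        if last_accepted_step is not None and step <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret, step, digits), candidate):
            return step
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     period: int = 30, digits: int = 6) -> str:
    """Key URI in the de facto Google Authenticator format; this is what an enrollment QR
    code normally encodes. Issuer and account labels are hypothetical examples."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={period}")


if __name__ == "__main__":
    # Reproduce part of the RFC 6238 Appendix B table (SHA1, 6 digits shown).
    for t in (59, 1111111109, 1234567890, 20000000000):
        print(t, totp(RFC_SECRET, at=t))
    print(provisioning_uri(RFC_SECRET, "alice@example.invalid", "ExampleVTT"))
    # Same code presented twice: second attempt is refused once the first step is recorded.
    step = verify_totp(RFC_SECRET, "287082", at=59)
    print("first use ->", step, "; replay ->", verify_totp(RFC_SECRET, "287082", at=59, last_accepted_step=step))
```

The part that matters on the verifying side is that the secret never leaves the server's storage once it has been shown in the QR code, that the window stays small (one step either way is the usual choice), and that the accepted step is persisted per account so the same six digits cannot be presented a second time while they are still within the window.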