We’ve heard your feedback, and are happy to announce: Two-Factor Authentication (2FA) is now available on Roll20, which makes your account more secure than ever.
This blog will walk you through setting up 2FA on your Roll20 account, talk through some of the perks of enhanced security, and take a look at the developer thought process that went into implementing new measures.
Setting up 2FA on your Roll20 Account

Follow these easy steps to enable Two-Factor Authentication on your account:
- Go to your Account Page
- Scroll to the bottom
- Follow the on-screen instructions to configure your preferred authenticator app
In just a few clicks, you’ll add an extra layer of protection to your account, keeping it secure as you prepare for your epic adventures and manage your marketplace content.
One Login for Roll20 and DriveThruRPG!
Ever love a game you bought on Roll20 so much that you want a print copy for the table?
Now you can log in to DriveThruRPG, the largest online TTRPG marketplace, using your Roll20 account. No further setup is needed! Browse PDFs and print-on-demand versions of all your favorite games, and discover new favorites from top publishers and indie darlings alike.
We’re working on making your Roll20 login an option to access even more of our platforms and services soon!

Developer Deep-Dive
Sydney Schreckengost, Senior Infrastructure Developer at Roll20, sat down with us to talk about Roll20’s security strategy and the thinking behind our new 2FA protocol:
“When considering options for implementing two-factor authentication (2FA), which adds a second layer of security beyond a password (something you know), the second factor can either be:
- something you have, like a hardware or software authenticator
- something you are, such as facial or fingerprint recognition
We ruled out biometric authentication quickly, since it requires additional hardware like webcams or fingerprint readers. (That wouldn’t be practical for most of our players.) Our goal was to make stronger security accessible to as many people as possible, so it didn’t fit our approach. That left us with the “something you have” option.
We considered either SMS-based authentication or Time-based One-Time Passwords (TOTP). While text message verification is widely used, it has some security vulnerabilities and relies on access to a cell phone. That isn’t something that we can assume everyone has, so it wasn’t the best option.
We decided to use Time-based One-Time Passwords (TOTP), which are outlined in the Internet Engineering Task Force’s RFC 6238 standard. These are used by popular password managers like Google Authenticator and work by providing a six-digit code via secret key. The code is used by people to authenticate themselves, which strikes a balance between security and accessibility. It’s also free to use and doesn’t require special hardware.”
You can enable 2FA today for an extra layer of protection. Happy gaming!
