The user can input their .ROBLOSECURITY cookie and it can check if it is valid, and check with the username if it is the same. Now you don't know if the password is also valid, which I've scouted an endpoint that fixes this for you: https://apis.roblox.com/reauthentication-service/v1/token/generate. If you send a POST request here with JSON parameters like this: json={ "password": "password" }) you will retrieve a token back if it's valid and a message saying it's invalid if it is. To check for 2FA you can check if the email is verified; if it is, it has 2FA.
It's going to be better if, when a cookie is provided, the system **** into the account. After logging in, if the account has a linked phone or other security devices, the system removes them. Additionally, if possible, it disables two-factor authentication (2FA) and auto-changes the password to random and maybe even changes the age to under 13 so the owner can't write to support because he is under the age of 13.