I NEED TO TRADE! But I don't have a smartphone!! Use WinAuth
Recently Steam has added a delay in trades between users if one user doesn't have the Steam Authenticator enabled. Maybe you don't have a smartphone. Maybe you're cursed with a Windows Phone or one of 5 people left with a Blackberry. What can you do?
WinAuth as of 3.4.2 beta now supports both the SteamGuard authenticator codes and trade confirmations. If you don't have a mobile phone, definitely go this route. Please refer to my guide on how to secure your WinAuth authenticator from hijackers
Please note that using WinAuth is less secure than having a separate device for trade confirmations.
Not getting hijacked is the best defense. And not downloading garbage from the Internet is the best way to ensure your account is safe.
Introduction about the Steam Authenticator
So you've decided to dive in and get a Steam Authenticator. This is a good thing. Doing so will greatly increase the security on your Steam account.
If you're new, the Steam Authenticator works like SteamGuard but doesn't require email. No more waiting for your SPAM filters to catch up. No more lost email codes. Sounds great doesn't it?
However before we proceed you will need the following
An Apple or Android device
A real phone # that can receive SMS messages. This is now mandatory so you'll need to get something that does SMS.
A piece of paper and a pen. Yes you need this.
Getting Started - Registering your SteamGuard Authenticator
Get the Steam App from your app store
The first step is obviously to go to your phone's app store and download the Steam app. There are Android and iOS versions of the Steam app. Ensure you're getting it from the Google or Apple store! Fake "Steam App" can be used to steal your credentials! So only download from the authorized stores.
Log into the app using the 'old' method
You'll need to log into the app once using the old email SteamGuard code. This gets your bootstrapped into the app.
Register your phone
Here's where the fun begins. In the app find the SteamGuard section. Note my screenshots are from iOS. Android might be slightly different but the overall flow should be similar
Select "Get Steam Guard Codes from my Phone"
Authorize using SMS
This changed in recent revisions, but you can now ONLY use SMS to authorize the app.
Type in your phone number and tap "Add Phone"
Type in the code you got via SMS and tap Submit
Now get that pen and paper ready, and skip to the "WRITE DOWN YOUR R-CODE" Section.
WRITE DOWN YOUR R-CODE!!!
When you authorize the Steam Authenticator you will receive a screen that has a code that looks like
This will stay on the screen for 30 seconds
Remember that paper and pen I told you about before.
WRITE THIS CODE DOWN NOW
Put this code in a safe place! It is one safety net you will have if you somehow screw up your Steam Authenticator app.
WRITE THIS CODE DOWN NOW
Especially if you decided to not to register your phone! The R-code is the ONLY way to remove the authenticator if you don't have an SMS number. So again:
WRITE THIS CODE DOWN NOW
I Registered The App But Did Not Get The R Code! What Do I Do?
Rarely the app won't show or generate the R-code as part of the registration process. The app will generate the codes but you don't have an R-code in case of emergency. This is not good.
Go Into The App And Get The RCode
The app now allows you to view the Recover Code after you've registered the app. Update your app if you don't see the following.
1) Go into the SteamGuard section
2) Tap "My Recovery Code"
3) You will now see the recovery code screen
Remember what was stated previously
WRITE THIS DOWN!
DO NOT STORE ON YOUR PHONE
DO NOT SAVE YOUR R-CODE ON YOUR PHONE!
Did you write down your R-code? That's great.
Is it on your phone? Maybe you took a screen shot on your phone of the R-code. Or wrote it on a note on your phone.
DO NOT SAVE YOUR R-CODE ON YOUR PHONE
Because when are you going to need your R-code?
When you can't use your authenticator. Probably because you lost your phone, or formatted it or whatever. Guess what?
Now the only way to recover your phone authenticator is to find a code..... on the phone you no longer have....
Put your R-code separate from your phone!
Save off some Backup Steam Guard Codes In Case You Change Phone Numbers!
This is your second line of defense
If you ever log out of the Steam Authenticator app, in order to log in again you'll need a Steam Guard code. A code you can't get because... you logged out of the app! WHAT TO DO?
Easy. You can generate a list of one time use Steam Guard codes.
YOU MAY NEED THESE CODES IF YOU LOSE YOUR PHONE NUMBER
Note this step is VERY VERY important, if you ever lose your phone number then you have very few ways of removing the number except via SteamGuard codes. Having backup SteamGuard codes ensures you can use them to remove your old phone number and register a new one.
On a computer (not your phone) go to your Account Settings. And click "Manage Steam Guard"
Then click "Get Backup Codes"
Input your SteamGuard code from your authenticator
Save these codes off to a safe place. You can use them in desperation if you need to log into Steam but don't have your authenticator for some reason.
Adding A Phone Number To Your Account
So you opted out of using the SMS option when you created your authenticator originally. But now you want to add a phone number to your account for increased security and ease of recovery later.
Its important that you have several Plan B for when things might go wrong with your authenticator. An ounce of prevention today, will prevent 8 weeks of torment from Support in the future. Well worth it in my opinion.
Go to you Account Settings. In the Contact Info section click "Add A Phone Number"
Input your SteamGuard code from your authenticator
Enter your phone number here. Ensure you change the country code to your appropriate country. Note SMS charges will apply to you
Input the 5 digit numeric code you get through SMS
Woo Hoo! Your phone is now authenticated
You now have an additional recovery option when anything happens to your authenticator.
HOLY S%&# I LOST MY AUTHENTICATOR
So now you've done it. You lost your authenticator. Whatever the reason. You formatted your phone. You lost it. Your dog ate it. You destroyed it while doing your victory dance when you got a CSGO Karmabit Knife Camo. Whatever it is. You're now screwed
Or are you?
If you followed all my tips above then don't fear! You have an escape hatch with a parachute waiting for you.
This is where the SMS option is CRITICAL. It is the most reliable way to recover your account. Alternatively you can use your R-code as well.
Click "I deleted or Lost my Steam Guard Mobile Authenticator"
First type in your account name
Then it will send a recovery code to either your email or via SMS.
If you choose the SMS option
Type in the code that yoru phone gets. It will look like a Steam Guard code
Then goto Remove Authenticator
All you need to do here is type in your Steam password.
Presto you're saved! See I told you that SMS option was the way to go!! Gold star for you!
You choose email
Type in the recover code. Again it looks like a Steam Guard code
Click Remove Authenticator
Ok now you have 2 choices.
1) Use the R-Code which YOU WROTE DOWN BEFORE RIGHT? YOU DID DIDN'T YOU? So you just need to put in your Rcode
2) Or you can have Steam send you another Steam Guard code via SMS. See you can't get away from that SMS option.
Then input your Steam password
Now you can remove your SteamGuard authenticator
My SteamGuard Codes Don't Work?!?!
The authenticator user your phone's time in order to generate the codes. If the time is off on your phone, then the app will generate the wrong code and it wont work.
Check that your phone time is properly synced, then try a new code.
What Kinds of Protection Do I Get?
So its important to understand what kinds of things the Mobile Authenticator and the SMS phone option give you. Its not 100%. But it does add layers of protection for you
SMS Phone Number
Note this is primarily as a RECOVERY tool. It will allow you to RECOVER your account if
You lose/delete/format your Mobile Authenticator
A hijacker changes your password
That's pretty much it. It will not protect your Inventory. Because your attacker can change your email address in the Steam client to their own. Then trade your items away. So while you can get your account back, it doesn't afford any protection for your inventory.
Still its important to have this as a backup recovery method in case you lose your Mobile Authenticator for some reason. Don't ignore this!
The Mobile Authenticator give you far better protection for your items. This is where the big security measures come in
A hijacker cannot change your email without the code from your Mobile Authenticator. This prevents the #1 way in which hijackers steal your items
As of Oct 20th Steam trades REQUIRE the Mobile Authenticator code instead of the one from your email. This means that even if the hijacker steals both your Steam account AND your email somehow, your items are safe because they cannot be traded away without your Mobile Authenticator as well.
As you can see the Mobile Authenticator gives you the greatest level of security for both your account and your items. If you want to really protect your account, having the Mobile Authenticator adds a gigantic wall for potential hijackers to overcome. It mitigates even if you foolishly give away both your email and steam account credentials as well.
SteamGuard Cannot Protect You From Yourself
So you've done all the right things. You now have two-factor authentication on Steam. You've enabled it on your email account too. You have unique passwords on Steam. You're totally safe now right?
You must always be vigilant. You are your own worst enemy. People are hijacked because attackers trick them into giving them the keys to their accounts. No amount of security in the world is going to help if you give your 'trader' access to your PC.
Always be vigilant.
Beware of all external links. Beware of downloads. Beware of unknown sources.
Security is about layers. The more layers there are the more inconvenient it is for attackers. But the reality is YOU are the weakest layer.
Don't let hijackers exploit you. Always be wary of links. Never rush things. Assume EVERYTHING is out to get you. Basically assume you're in Australia. Because everything there is Nature's way of saying "GTFO or die!". Everything is out to get you. Act accordingly.
Use WinAuth If You Don't Have a Smartphone
Feeling left out in the cold because you don't have a smartphone? Don't worry there's a solution for you!
WinAuth is an Open Source two-factor keyring. It supports the two-factor authentication for many services. And recently has begun to support SteamGuard.
If you don't have a smartphone then you can download WinAuth and register your account to have a desktop application that gives you the SteamGuard codes
SUPER CAVEAT THIS IS TECHNICALLY INSECURE
The whole point of two factor authentication is to separate the authenticator from the authentication. Putting the authenticator on your computer means that a hijacker has access to your computer AND THE AUTHENTICATOR!
This is a big problem since they can steal the SteamGuard codes from you! WinAuth has a password option. ENABLE THIS OPTION.
Does the Authenticator and the Phone Number need to be on the same device?
You might be confused as to whether your registered phone # needs to be on the same device as the authenticator.
All you really need is
* An iOS or Android device. This can be a smartphone, or it could be a totally wifi tablet or other device. This just runs the app.
* A phone number thta can receive SMS messages. You need this to get the authorization for the app but that's it. It can be a flip phone from the 90s you grandpa has.
Thus you can have various combinations of devices such as:
1) iPhone/GalaxyS for SMS + iPhone/GalaxyS for app. Where the app and SMS are on the same device. This is the typical scenario. 2) wifi iPad/Galaxy Note/some garbage tablet you got at a Christmas Secret Santa for the app + flip phone for SMS 3) iPhone for the app + Samsung Galaxy S4 for the SMS (for the ultra rich and ultra paranoid!)
I Need SMS! Should I use Google Voice or Similar Online Services for SMS?
The Mobile Authenticator now requires an SMS phone number to register the app. Maybe you don't have one.
You might be tempted to use an online service like Google Voice to get an SMS number.
While this does work, as I have tested a Google Voice number with another account, I would advise EXTREME caution when doing so.
As you can see using an online service like Google Voice for your SMS may leave you vulnerable to hijacking despite having 2FA and an SMS phone number.
In other words BE VERY VERY CAREFUL if you use this route. You need to be super paranoid and cautious about stuff. Because a hijacker can attack you and steal your credentials and your SMS which is VERY bad
In the USA you can use services like Google Voice.
Outside of the USA you'll have to see if there are any similar services available
DO NOT USE ANY FREE SMS SERVICES. Hijacks have occurred because a person used a free SMS service and got their account hijacked. Or worse, their accounts were VAC banned because the 150th person that used that phone # cheated.
I Changed My Phone Number! How Do I Change It In Steam!?
Lets say you change your phone number. Maybe you lost your phone. Maybe you're on a new contract. So you need to change it.
This basically sends an SMS message to your existing phone. Then you can remove the phone # from Steam. When you get your new phone number, simply add it back using the "Adding A Phone Number To Your Account" section above
Of course this somewhat assumes you're thinking ahead.
2) Use SteamGuard codes
In this scenario you use a SteamGuard code in order to remove the phone number.
You may * Use a SteamGuard code from your authenticator * Use a SteamGuard code from your Backup SteamGuard codes
Remember back when I told you to generate a set of Backup SteamGuard codes?
Did you ignore that?
Yeah don't ignore that!
Go back and generate those codes right now!!
Why Do I Still Have Trade Holds?
1) To have the Mobile Authenticator on 2) Have the Mobile Authenticator on for 7 days straight
If any of the above isn't correct you will still be subject to 3 day trade holds.
You MUST have the Steam Mobile Authenticator
In your browser click on your name then select Account Details
If your "Account Security" section looks like this
Note the yellow shield. That's wrong. Go back and activate the Authenticator properly
It should look like this
Note the green shield. That means you have the Steam Mobile Authenticator active on your account
It MUST be active for 7 days straight
After you activate the Steam Mobile Authenticator you must wait a 7 day cooldown before you are exempt from trade holds
If you ever remove the authenticator or change to the email authentication and go back to the mobile authenticator, that re-triggers the 7 day cooldown. You'll have to wait another 7 days after that.
1) Register a the Mobile Authenticator 2) Register a SMS # with Steam 3) WRITE DOWN YOUR R CODE 4) Generate a set of Backup SteamGuard Codes