How to Use WinAuth Properly For Trading
By Satoru
WinAuth has now integrated trade confirmations into its client. So you're probably chomping at the bit to use it.

The problem is that you're probably doing everything wrong. Why do I say that?

Having the authenticator on the same computer as where you're trading is of course convenient. But it also means that if you get hijacked, your attacker owns you, your email, your Steam account and your authenticator!

Since you're violating a basic security protocol for 2FA you need to protect yourself from potential hijackers basically bypassing all the security you've put in. This guide will help you through how to set this up.
 
Download WinAuth - Must be at least version 3.4.23 (beta)
First you'll need to get WinAuth

http://winauth.com/download/

For now, as of December 22 2015, you have to use the beta version of WinAuth version 3.4.23

If you're using an older version none of these options will appear. If you don't see them use the absolute latest version of WinAuth. For now that means you need to use the beta 3.4.23

IF YOU DO NOT SEE TRADE CONFIRMATIONS YOU ARE ON THE WRONG VERSION OF WINAUTH

IF YOU DO NOT SEE TRADE CONFIRMATIONS YOU ARE ON THE WRONG VERSION OF WINAUTH

IF YOU DO NOT SEE TRADE CONFIRMATIONS YOU ARE ON THE WRONG VERSION OF WINAUTH

IF YOU DO NOT SEE TRADE CONFIRMATIONS YOU ARE ON THE WRONG VERSION OF WINAUTH
Add The Steam Authenticator to WinAuth
Run the winauth.exe



Click "Add" then "Steam"



Type in your Steam Account name and password. Then click Login



You will now receive a SteamGuard code in your email. Type the SteamGuard code you get into the box and click "Continue"

Possible Error If You Don't Have a Phone # Registered On Steam
Skip this section if you already have a phone number registered with Steam


To use the Steam Mobile Authenticator, even on WinAuth, you need an SMS phone number registered on Steam. If you don't you will get the following message after the step above



You'll need to register a phone # on Steam before you can proceed. My guide below has a section on how to add a phone # to your account

Refer to the section "Adding a Phone Number to your Account"

http://steamcommunity.com/sharedfiles/filedetails/?id=495405494

Then proceed on with this guide
Getting Your R-Code - WRITE YOUR RCODE DOWN
You'll now be prompted for a code that you will receive via SMS

Put that SMS code into the "Confirmation Code" box which is circled in yellow



Now refer to the red circles

This is your R-code

If ANYTHING happens to your authenticator you MUST have the R-code.

Place this code somewhere safe and separate from your computer

Check the "I have written down my revocation code". You cannot proceed until this checkbox is selected.

Click "Confirm"



Click "Close"
!!!WRITE DOWN YOUR RCODE!!!!
WRITE DOWN YOUR R-CODE

I am not kidding about this. If anything happens to your authenticator you NEED this code.

If you don't have it, you'll be reenacting "50 Shades of Steam Support" for 8 weeks

You really don't want that

WRITE DOWN YOUR R-CODE
Critical Security Section - DO NOT SKIP THIS STEP
These steps are NOT optional. You MUST do these otherwise you are defeating the entire purpose of why you're using the authenticator.

THIS IS THE MOST IMPORTANT STEP IN THIS PROCESS



Password Protection

You MUST check the box for "Protect with my own password"

If an attacker hijacks your computer and this is NOT checked off, they can
1) extract your R-code
2) create an exact duplicate of your authenticator

Now your attacker can log in, as you, anywhere they want. Does that sound awesome? Yeah didn't think so.

DO NOT USE THE SAME PASSWORD AS STEAM OR EMAIL

By now your attacker has probably hijacked your Steam account and your email.

Don't be a fool. Make sure the password you use for WinAuth is DIFFERENT than your Steam or email accounts

Encrypt WinAuth Files

For double protection you can encrypt the files using the local account and computer.

Note: if you do this, you MUST disable this feature before reformatting your system, or you can't recover any WinAuth settings.


How Do Trade Confirmations Work?
Right click on your authenticator and select "Confirmations"



Log in using your Steam username and password

DO NOT CHECK THE BOX TO SAVE YOUR PASSWORDS

I repeat DO NOT CHECK THAT BOX

Why? Because once I own your PC, and if you already have WinAuth open, you are screwed. I can 'confirm' any trade I want because you let me do it.



From here you can now confirm any trades you have



IF YOU DO NOT SEE CONFIRMATIONS IT MEANS YOU'RE ON AN OLDER VERSION OF WINAUTH
I Need To See My R-Code Again
If you forgot your R-code and want to see it to write it down again you can do so.

Right click on the authenticator, select "Show SteamGuard and Recovery Code"



Here you must enter the password you protected your authenticator with

YOU DID PUT IN THAT PASSWORD, RIGHT?



Here you can see your R-code that Steam uses, as well as a bunch of other stuff. We'll ignore that for now since really you should only need the R-code.



Generate Set of SteamGuard Backup Codes
http://steamcommunity.com/sharedfiles/filedetails/?id=495405494

You need to have a set of SteamGuard backup codes in case you lose access to your SMS number. Refer to my previous guide on how to generate these.

DO NOT SKIP THIS

If you ever lose your phone number the only way to remove it is either having your authenticator running or having SteamGuard backup codes
Stuff Is Not Working!
Trade Cannot Be Confirmed

Right Click in the Authenticator window
Click "Sync Time"

WinAuth Error - Boolean.System Runtime

Uninstall DotNET 3.5
Reboot
Install DotNET 3.5 SP1

No Oauth token in response

Install the latest DotNET 4.5.1

Ensure you're running at least WinAuth 3.4.23
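
Why an unprotected authenticator can be duplicated exactly, and why a wrong PC clock breaks it until you use "Sync Time": Steam Guard codes are computed from nothing but the stored secret and the current 30-second time window. The sketch below is an added example, not WinAuth's or Steam's own code; the secret, the timestamp and the server's one-window tolerance are constructed assumptions.

```python
import base64
import hashlib
import hmac
import struct

STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"  # symbols Steam Guard codes are drawn from
STEP = 30  # seconds each code stays valid

# Constructed demo secret, NOT a real account secret.
SECRET = base64.b64encode(b"constructed-demo-key").decode()
T0 = 1_450_742_400  # constructed "true" time, aligned to a 30 s window


def steam_guard_code(secret_b64: str, unix_time: int) -> str:
    """Return the 5-character code for the 30 s window containing unix_time."""
    key = base64.b64decode(secret_b64)
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    start = digest[19] & 0x0F  # dynamic truncation, as in HOTP/TOTP
    value = struct.unpack(">I", digest[start:start + 4])[0] & 0x7FFFFFFF
    code = ""
    for _ in range(5):
        value, index = divmod(value, len(STEAM_ALPHABET))
        code += STEAM_ALPHABET[index]
    return code


def server_accepts(code: str, secret_b64: str, server_time: int, slack: int = 1) -> bool:
    """Assumed policy: accept the current window plus/minus `slack` windows."""
    windows = range(-slack, slack + 1)
    return any(hmac.compare_digest(code, steam_guard_code(secret_b64, server_time + w * STEP))
               for w in windows)


def accepted_with_drift(drift_seconds: int) -> bool:
    """PC clock is off by drift_seconds; does the server (at T0) take the code?"""
    return server_accepts(steam_guard_code(SECRET, T0 + drift_seconds), SECRET, T0)


def copied_secret_matches() -> bool:
    """A second program holding a copy of the secret produces the same code."""
    copied = str(SECRET)  # what an unprotected config file would hand over
    return steam_guard_code(copied, T0) == steam_guard_code(SECRET, T0)


if __name__ == "__main__":
    print("code now:", steam_guard_code(SECRET, T0))
    print("copy matches:", copied_secret_matches())
    for drift in (0, 20, 40, 300):
        print(f"drift {drift:>3}s accepted:", accepted_with_drift(drift))
```

Nothing ties the code to the machine that enrolled the authenticator, which is why the secret on disk needs its own password and why the clock has to be right.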
No Amount of Security Can Protect You from Yourself
Remember most hijacks happen because USERS download some random trojan or click some link. Hijacks don't happen out of thin air.

You are the weakest link in the security chain.

Don't download shady garbage from the internet

Don't click on random links from 'friends'

tl;dr version
1) You MUST use the password protection security on WinAuth
2) WRITE DOWN YOUR R-CODE
3) DID YOU WRITE DOWN YOUR R-CODE?
4) SERIOUSLY WRITE THAT R-CODE DOWN!!!
5) Generate a set of Backup SteamGuard codes in case you lose access to your SMS number
6) WinAuth can't protect you from yourself. Don't download crap from the Internet
165 Comments
Vinhy Mar 8 @ 3:49pm 
I have the newest version of WinAuth (3.5.1) and I'm able to trade everything but I don't see the confirm option and my drop menu does not look like that.
Kain Mar 3 @ 5:54am 
Or do I need to wait for 7 days before I can use it?
Kain Mar 3 @ 5:47am 
Even if I can confirm selling cards in WinAuth they are still on hold for 15 days, why?
RatonhaketonBR Feb 19 @ 1:02pm 
even though I'm on the latest version of winauth, i can't see the Confirmations options. Please Help
renatofrontino Jan 14 @ 11:14am 
It would be nice to rename "id device" strange mac of 32 characters.
Schwartzy Dec 21, 2016 @ 9:08pm 
Is there a way to configure steam to only use mobile authenticator when trading and not when I open steam?
[Ze_B/O]LilGMan Dec 11, 2016 @ 2:57pm 
I really wish there was a way to do this without having a cell phone number :/
Ronney™ Nov 25, 2016 @ 11:58pm 
what a bm author ignoring me .-.
Satoru  [author] Nov 25, 2016 @ 2:10pm 
Contact WinAuth if the application itself is crashing.
Dante660 Nov 25, 2016 @ 12:43pm 
this is not my first connection, before everything was ok