How to Use WinAuth Properly For Trading
By Satoru
WinAuth has now integrated trade confirmations into its client. So you're probably chomping at the bit to use it.

The problem is that you're probably doing everything wrong. Why do I say that?

Having the authenticator on the same computer you trade on is of course convenient. But it also means that if you get hijacked, your attacker owns you, your email, your Steam account and your authenticator!

Since you're violating a basic 2FA security principle, you need to protect yourself from hijackers bypassing all the security you've put in place. This guide walks you through how to set that up.
 
Download WinAuth - Must be at least version 3.4.23 (beta)
First you'll need to get WinAuth

http://winauth.com/download/

For now, as of December 22, 2015, you have to use the beta version, WinAuth 3.4.23.

If you're using an older version none of these options will appear. If you don't see them use the absolute latest version of WinAuth. For now that means you need to use the beta 3.4.23

IF YOU DO NOT SEE TRADE CONFIRMATIONS YOU ARE ON THE WRONG VERSION OF WINAUTH

Add The Steam Authenticator to WinAuth
Run winauth.exe



Click "Add" then "Steam"



Type in your Steam Account name and password. Then click Login



You will now receive a SteamGuard code in your email. Type the SteamGuard code you get into the box and click "Continue"

Possible Error If You Don't Have a Phone # Registered On Steam
Skip this section if you already have a phone number registered with Steam


To use the Steam Mobile Authenticator, even on WinAuth, you need an SMS phone number registered on Steam. If you don't, you will get the following message after the step above.



You'll need to register a phone # on Steam before you can proceed. My guide below has a section on how to add a phone # to your account

Refer to the section "Adding a Phone Number to your Account"

http://steamcommunity.com/sharedfiles/filedetails/?id=495405494

Then proceed on with this guide
Getting Your R-Code - WRITE YOUR RCODE DOWN
You'll now be prompted for a code that you will receive via SMS

Put that SMS code into the "Confirmation Code" box which is circled in yellow



Now refer to the red circles

This is your R-code

If ANYTHING happens to your authenticator you MUST have the R-code.

Place this code somewhere safe and separate from your computer

Check the "I have written down my revocation code" box. You cannot proceed until this checkbox is selected.

Click "Confirm"



Click "Close"
!!!WRITE DOWN YOUR R-CODE!!!!
WRITE DOWN YOUR R-CODE

I am not kidding about this. If anything happens to your authenticator you NEED this code.

If you don't have it, you'll be reenacting "50 Shades of Steam Support" for 8 weeks

You really don't want that

WRITE DOWN YOUR R-CODE
Critical Security Section - DO NOT SKIP THIS STEP
These steps are NOT optional. You MUST do these otherwise you are defeating the entire purpose of why you're using the authenticator.

THIS IS THE MOST IMPORTANT STEP IN THIS PROCESS



Password Protection

You MUST check the box for "Protect with my own password"

If an attacker hijacks your computer and this is NOT checked off, they can
1) extract your R-code
2) create an exact duplicate of your authenticator

Now your attacker can log in, as you, anywhere they want. Does that sound awesome? Yeah didn't think so.

DO NOT USE THE SAME PASSWORD AS STEAM OR EMAIL

By now your attacker probably has hijacked your steam account and your email.

Don't be a fool. Make sure the password you use for WinAuth is DIFFERENT than your Steam or email accounts
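
Why an unprotected authenticator can be copied, as an added example (not WinAuth's code and not part of the original guide): a Steam Guard code is a TOTP variant computed from nothing but the stored shared secret and the clock, so any copy of that secret is a working authenticator. The secret, timestamp and function names below are constructed for illustration, and the server-side check is a simplified model.

```python
import base64
import hashlib
import hmac
import struct

STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"  # 26 symbols, 5 per code
PERIOD = 30                                    # seconds each code is valid


def steam_guard_code(shared_secret_b64: str, unix_time: int) -> str:
    """Derive the 5-character code from the shared secret and the time only."""
    key = base64.b64decode(shared_secret_b64)
    counter = struct.pack(">Q", unix_time // PERIOD)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    code = ""
    for _ in range(5):
        value, index = divmod(value, len(STEAM_ALPHABET))
        code += STEAM_ALPHABET[index]
    return code


def accepted(code: str, shared_secret_b64: str, server_time: int) -> bool:
    """Simplified model of the server check: match the current window."""
    expected = steam_guard_code(shared_secret_b64, server_time)
    return hmac.compare_digest(code, expected)


# Constructed values, not a real account secret.
SECRET = base64.b64encode(bytes(range(20))).decode()
UNRELATED = base64.b64encode(bytes(range(1, 21))).decode()
NOW = 1450742400  # constructed timestamp on a 30-second boundary


def copy_is_a_working_authenticator() -> bool:
    """A second program holding the same secret passes the server check."""
    code_from_copy = steam_guard_code(SECRET, NOW + 10)
    return accepted(code_from_copy, SECRET, NOW + 20)


def codes_over_time(secret_b64: str, windows: int = 50) -> list:
    """Codes for consecutive windows, all derived from the one secret."""
    return [steam_guard_code(secret_b64, NOW + PERIOD * i) for i in range(windows)]


if __name__ == "__main__":
    print("copy accepted:", copy_is_a_working_authenticator())
    print("first codes:", codes_over_time(SECRET, 3))
```

Nothing in the calculation ties a code to a particular PC or phone, which is why the stored secret has to be locked behind its own password.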

Encrypt WinAuth Files

For double protection you can encrypt the files using the local account and computer.

Note: if you do this, you MUST disable this feature before reformatting your system, or you won't be able to recover any WinAuth settings.


How Do Trade Confirmations Work?
Right click on your authenticator and select "Confirmations"



Log in using your Steam username and password

DO NOT CHECK THE BOX TO SAVE YOUR PASSWORDS

I repeat DO NOT CHECK THAT BOX

Why? Because once I own your PC, and if you already have Winauth open, you are screwed. I can 'confirm' any trade I want because you let me do it.



From here you can now confirm any trades you have



IF YOU DO NOT SEE CONFIRMATIONS IT MEANS YOU'RE ON AN OLDER VERSION OF WINAUTH
I Need To See My R-Code Again
If you forgot your R-code and want to see it to write it down again you can do so.

Right click on the authenticator, select "Show SteamGuard and Recovery Code"



Here you must enter the password you protected your authenticator with

YOU DID PUT IN THAT PASSWORD, RIGHT?



Here you can see your R-code that Steam uses, as well as a bunch of other stuff. We'll ignore that for now since really you should only need the R-code.



Generate Set of SteamGuard Backup Codes
http://steamcommunity.com/sharedfiles/filedetails/?id=495405494

You need to have a set of SteamGuard backup codes in case you lose access to your SMS number. Refer to my previous guide on how to generate them.

DO NOT SKIP THIS

If you ever lose your phone number the only way to remove it is either having your authenticator running or having SteamGuard backup codes
Stuff Is Not Working!
Trade Cannot Be Confirmed

Right Click in the Authenticator window
Click "Sync Time"

WinAuth Error - Boolean.System Runtime

Uninstall DotNET 3.5
Reboot
Install DotNET 3.5 SP1

No Oauth token in response

Install the latest DotNET 4.5.1

Ensure you're running at least WinAuth 3.4.23
No Amount of Security Can Protect You from Yourself
Remember most hijacks happen because USERS download some random trojan or click some link. Hijacks don't happen out of thin air.

You are the weakest link in the security chain.

Don't download shady garbage from the internet

Don't click on random links from 'friends'

tl;dr version
1) You MUST use the password protection security on Winauth
2) WRITE DOWN YOUR R-CODE
3) DID YOU WRITE DOWN YOUR R-CODE?
4) SERIOUSLY WRITE THAT R-CODE DOWN!!!
5) Generate a set of Backup SteamGuard codes in case you lose access to your SMS number
6) WinAuth can't protect you from yourself. Don't download crap from the Internet
173 Comments
satanya Jul 10 @ 10:37pm 
No other way to get codes from my phone and PC at the same time then? Even using another app?

I've tried using Authenticator Apps from google and exporting from winauth and then importing it there but they always show the wrong code.
Satoru  [author] Jul 10 @ 10:34pm 
You cannot have 2 authenticators running at the same time
satanya Jul 10 @ 10:33pm 
Is there a way to use BOTH WinAuth and Steam Mobile App at the same time?

I mean just for getting codes to be able to login, sometimes I play on other computers with friends and I have to use another account just to play since I don't have WinAuth in there. Any tips?
BlankFX Jun 28 @ 3:20am 
Sadly completely useless for me as I certainly won't give my phone number to a US Company like Steam.
AzKat Jun 26 @ 2:56am 
@kyren no you can't, people have proven to be retarded beyond measure and that's why you need to confirm everything from your phone now.
Kyren Du Nord Jun 3 @ 10:38pm 
Ughhh, steam support is messed up
I want to get codes by email but without the limitations
Satoru  [author] Jun 3 @ 8:49am 
@kyren you have to choose email or the mobile Authenticator. You can't have the mobile Authenticator and get codes via email. That defeats the purpose of the mobile Authenticator
Kyren Du Nord Jun 3 @ 8:05am 
Can we like enable Steam Guard Mobile but still get the codes via email? .-.
Vinhy Mar 8 @ 3:49pm 
I have the newest version of WinAuth (3.5.1) and I'm able to trade everything but I don't see the confirm option and my drop menu does not look like that.
Kain Mar 3 @ 5:54am 
Or I need to wait for 7 days before I can use it?