Steam Link

tarvoke Oct 16, 2015 @ 2:58pm
serious concern - screen-locking and security
I realize many people might not be so concerned about this, since both steamlink device and streaming-host-server-thing will usually only be in their own home.

but (for obvious reasons, i.e. the Steam software client is more or less constantly dumping a framebuffer over the network, a la RDP) - the Big Picture UI (or the windowed Steam UI) can only be used if the host machine is unlocked and desktop open.

this causes at least 1 non-security concern of a more practical nature, as well as some quite apparent security problems:

1. if the stream-host locks for whatever reason (sleeps and wakes up and/or has timed screensaver lock set), then the steamlink shows the machine as "locked" and rather than give you a chance to unlock/login, simply shows an error message if you click to try to connect. this is rather inconvenient from a user experience standpoint.

2. for normal steamlink operation, this means the host has to be unlocked, i.e. anyone with physical access could use it. possibly even anyone with remote access.

3. for normal user experience, this means the stream-host has to be unlocked ALL THE TIME. so, disable sleep (or if WoL works, sleep is ok but disable sleep-lock). and disable screensaver-timeout-lock. and any other sort of lock.

4. are things like MitM attacks possible? it would be one thing if it was only rendering/streaming the various Steam UIs and games, but the whole Desktop Mode thing still scares me a little.

ideas:

is it possible to still render Big Picture and games even "beneath" the lock-screen? I have no idea, not really my field.

is it possible to allow access to the remote host's lock-screen when you try to connect? so that you could type in your password? this seems straightforward. but still the issue of the screen being constantly unlocked.

is it possible to tie some sort of secondary-auth to saved login credentials so that you only need to enter e.g. a six-digit PIN and that would unlock the remote host? more complicated, less secure, easier for the end user. (for "PIN", to make it easy for users to enter, I'm thinking of e.g. xbox live, where the six "digits" are actually just various keys on the controller e.g. your PIN is LB RT X LT A B etc.) - but ditto same issue as above.

is it possible to have some sort of Smartglass type app that could have additional function such as feed saved login credentials through the steamlink to the host? (or even directly to the host)

any other paranoid thoughts most welcome :)