firemario님이 먼저 게시:

but thanks guys for ur feedback and honesty really appreciate it,,,,,where you guys from

My profile is public :p

ReBoot님이 먼저 게시:

No, it doesn't. There's not a single 2FA solution out there, letting us check the details of a transaction before confirming it.
Well, that's not quite true. There's ChipTAN which is as hack-proof as it gets. But that's ChipTAN, not Yubikey.

First of all, ChipTAN doesn't do it either. It's part of an banking specific API ecosystem that handles those transactions and provides UUID's for them. Doing this is actually supported on a number of devices, but I digress as notably, ChpTAN is completely irrelevant to a discussion on Steam's 2FA or Yubikey/Titan, etc's FIDO and other API implementations. Your implication about security differences is just bizarre in this context.

ReBoot님이 먼저 게시:

That happens during setup. Not afterwards. Not for every. Single. Confirmation which trading/market transactions need.

This is a very strange statement as it's a function of how the API is used by the client, not the key at all. Again, this is so far off the topic of Steam authentication I don't know what to say.

orbatos님이 먼저 게시:

The proper solution would be Yubikey or another standardised 2FA key system, unfortunately Valve has completely stuck with their own.

Steam Guard Mobile IS 2fa.

Secondly as pointed out by Reboot it is directly tied to trading on Steam as well as securing your Steam account.

ReBoot님이 먼저 게시:

firemario님이 먼저 게시:

but thanks guys for ur feedback and honesty really appreciate it,,,,,where you guys from

My profile is public :p

you germany lol im from cpt

Nx Machina님이 먼저 게시:

orbatos님이 먼저 게시:

The proper solution would be Yubikey or another standardised 2FA key system, unfortunately Valve has completely stuck with their own.

Steam Guard Mobile IS 2fa.

Secondly as pointed out by Reboot it is directly tied to trading on Steam as well as securing your Steam account.

I am not sure how it came across that I missed that, yes I know Steam Guard is a 2FA system.

Op's issue is the lack of an alternative to Steam Guard for use sans-phone, a fairly reasonable request and point of discussion for many reasons.

Normally one would simply use a but API compatible 2FA system, as many others systems do, including banks but Valve does not allow that currently. Futher, they allow no other 2FA implementations despite there being industry standards and that their tool is definitely using one of them.

@ReBoot pointed out another example used for banking primarily in Germany, which is more than a bit unrelated, but notably a good example of how a published standard allows multiple organizations to interoperate.

orbatos님이 먼저 게시:

First of all, ChipTAN doesn't do it either.

Except it does. With ChipTAN, you get to view the details of the transaction you're about to confirm. You're supposed to check those details before confirming. The technical infrastructure behind ChipTAN is different from that of the SGMA. Still, your statement is a lie. ChipTAN very much does this! The SGMA lets you thoroughly check a transaction before you confirm it, which is what ChipTAN does as well.

orbatos님이 먼저 게시:

This is a very strange statement as it's a function of how the API is used by the client, not the key at all. Again, this is so far off the topic of Steam authentication I don't know what to say.

This is the exactly right statement. The SGMA fulfils 2 functions:
1. Login codes
2. Transaction confirmation

What you're talking about, all this key-exchange-stuff, matters for 1. What happens during 2FA setup is the server & the authenticator exchanging secret information from which (& the time stamp) the generator then generates codes. The point of the system is this secret exchange being required once and only once, during setup.

None of this matters for 2. For obvious reasons, exchanging all the secrets neccessary for later transactions during setup is impossible. I mean, do you know every single trade you'll do on Steam EVER, after setting up the SGMA? Right, you don't. Neither do I. That's why, for market/trade confirmations, the authenticator has to get the current state from the server, the current information about the current transaction. Feel free to show me one 2FA standard covering this scenario. I don't know of any. This doesn't mean there's none, but so far, you aren't talking about one. You're talking about the standard 2FA process of exchanging secrets during set up and then never again.

orbatos님이 먼저 게시:

I am not sure how it came across that I missed that, yes I know Steam Guard is a 2FA system.

Op's issue is the lack of an alternative to Steam Guard for use sans-phone, a fairly reasonable request and point of discussion for many reasons.

Normally one would simply use a but API compatible 2FA system, as many others systems do, including banks but Valve does not allow that currently. Futher, they allow no other 2FA implementations despite there being industry standards and that their tool is definitely using one of them.

@ReBoot pointed out another example used for banking primarily in Germany, which is more than a bit unrelated, but notably a good example of how a published standard allows multiple organizations to interoperate.

None of which alters Steam Guard Mobile is for trading and securing your Steam account and Valve do not need to allow other 2fa solutions until and if ever Gabe Newells account is compromised.

Nx Machina님이 먼저 게시:

None of which alters Steam Guard Mobile is for trading and securing your Steam account and Valve do not need to allow other 2fa solutions until and if ever Gabe Newells account is compromised.

It feels like maybe you don't understand what I wrote there, if it was too confusing don't just repeat the same things. Never fear, I'm going to clarify.

ReBoot님이 먼저 게시:

This is the exactly right statement. The SGMA fulfils 2 functions:
1. Login codes
2. Transaction confirmation

What you're talking about, all this key-exchange-stuff, matters for 1. What happens during 2FA setup is the server & the authenticator exchanging secret information from which (& the time stamp) the generator then generates codes. The point of the system is this secret exchange being required once and only once, during setup.

None of this matters for 2. For obvious reasons, exchanging all the secrets necessary for later transactions during setup is impossible. I mean, do you know every single trade you'll do on Steam EVER, after setting up the SGMA? Right, you don't. Neither do I. That's why, for market/trade confirmations, the authenticator has to get the current state from the server, the current information about the current transaction. Feel free to show me one 2FA standard covering this scenario. I don't know of any. This doesn't mean there's none, but so far, you aren't talking about one. You're talking about the standard 2FA process of exchanging secrets during set up and then never again.

You really went off the rails here, I didn't need and explanation of SGMA setup and don't even think we disagree on many technical aspects except on the part of Valve. Could there be a language issue?

To avoid further confusion, let's go back to the basics:

• Op wants an alternative 2FA to phones, this is reasonable, let's discuss productively.
  
• Steam Guard is a standard 2FA using 30 second (SGMA) or 5 minute (email) tickets, less novel than old RSA/etc rolling systems.
  
• ??
  
• Profit??

Some relevant notes:

• Despite speculation that this is somehow as complex as the German banking authority, it is not. All trades/holds/etc are processed using the same tickets as authentication, this is documented.
  
• To confirm the last note, complete 3rd party implementations have been made and they are quite simple.
  
• Valve's reason for no desktop clients is due to past software security issues, with scammers and modified fake Steam Guard clients.
  
• Physical keys were never allowed to be tested.

orbatos님이 먼저 게시:

It feels like maybe you don't understand what I wrote there, if it was too confusing don't just repeat the same things. Never fear, I'm going to clarify.

Nothing to clarify.

Valve does not need to add additional 2fa for niche users who fail to grasp, Gabe Newell's account remains uncompromised because he did not give away the key to the door, the Steam Guard Mobile code, even though those wanting change claim it is not secure.

orbatos님이 먼저 게시:

To avoid further confusion, let's go back to the basics:

Let's go to the basics indeed. The discussion between us both started with me asserting that available 2FA solutions won't work for Steam because they don't cover market/trading. They would work, fine at that, for the purpose of logging in, but not for market/trading. Henceforth, I suppose, Valve don't support them, because Valve prefer one cover-all solution.

If you want to explain me how an existing 2FA solution would cover market/trading, shoot. Don't make things complicated, just show me, how exactly Yubikey or another standard solution would cover the scenario of market/trading confirmations.

Plain and simple explain me how this would work.

If I de-activate authentcator on phone re-activate SDA will I get 15 day hold or can get around n 2 days?

❟❛❟𝑰𝒕𝒂𝒄𝒉님이 먼저 게시:

hi all i want to put steam desktop authenticator on my pc for quick login as i never have my fone at time when i needed to log in,,,,so is this trust worthy to put a steam desktop auth on my pc which wasnt made by steam/valve and its apparently open source app please those who have more info kindly shine some light please

Create a request in suggestions and ideas. It would be like having whatapp to dektop... maybe

❟❛❟𝑰𝒕𝒂𝒄𝒉님이 먼저 게시:

hi all i want to put steam desktop authenticator on my pc for quick login as i never have my fone at time when i needed to log in,,,,so is this trust worthy to put a steam desktop auth on my pc which wasnt made by steam/valve and its apparently open source app please those who have more info kindly shine some light please

Jessecar96 version github. Rest are hacks....

Mary Virgin님이 먼저 게시:

If I de-activate authentcator on phone re-activate SDA will I get 15 day hold or can get around n 2 days?

Deactivating it gives you a 15 day restriction.

Using the same number and transferring it correctly...

https://help.steampowered.com/en/faqs/view/7EFD-3CAE-64D3-1C31#transfer

2 day holds on trades for the following 2 days.

2 day holds on Market listings for about the following ~36 hours.