This topic has been locked
Gargoyle May 29, 2016 @ 2:27am
Steam Guard: Mobile vs Email?
Also read as:
Why enforce the mobile client?

If the mobile client was the de facto "better alternative" for receiving your Steam Guard codes, why would there be a need to enforce people into using it?
Certainly people would realize and opt for the "better alternative", yes? :creep:
And yes, by slapping some arbitrary 15 day steam community market sell delays etc, it is very strongly being coerced. (The same tactic bullies use? And, eh, parents?) :spazdunno:
"Oh you don't have to, we're not forcing you to do anything, but..."
That but is the telltale sign? :steamsad:

Is it really "more secure"? (When compared to email?)

This seems a bizarre view on the matter, because on several aspects phone is actually less secure than an email. And not even talking about how you can lose your phone or how it can be stolen etc, those bases are pretty well covered by Steam & "backup codes" etc. But see, for an example, don't your friends already know how to disable your screenlock?
If your account has the authenticator enabled, you will be asked to enter your current code after you've entered your user name and password.

  • Open the Steam Mobile App. If you are logged in on your phone, go to the Steam Guard menu (the top-most menu selection) to see the current code. (If you aren't logged in to Steam on your phone, your current code is displayed on the login page).
  • Enter the current code when you are asked to. Don't worry if the code on your phone turns red and changes, you still have a little bit of time left to enter the old code.

So in short, all they need is for you to be smooching in the other room, having a long session in the toilet or having passed out, for an example. And then your computer and your phone, which would both be there if this was your house, and ... they have all the power to sell your steam inventory out? (As an example.)

Or am I missing some key point here, how & why this is *more* secure than email?
(Sure, if the emails come to phone which is unlocked by a "swipe" or even the "pattern" - then the email option is just as (un)safe as the phone is. But you can also use another email account for Steam related purposes and not have that delivered to your phone, etc.)

-- The Confused & Curious Gargoyle


Ps: Not sure if I should've posted this under Steam Mobile or not.
I know moderators can move posts so perhaps they will do that if they deem it necessary.
But! ...This isn't really about Steam Mobile (alone) -- certainly not a bug report or a help request or rant in that aspect -- but more about how it compares to email as an avenue to use Steam Guard with. And why it is (or isn't) more secure etc, and why it yet remains the "coerced method"? =P
Not really just a rant either, I'm ASKING.
If someone has some solid answers I would really like to read them! :steammocking:
Showing 1-15 of 21 comments
The_Driver May 29, 2016 @ 2:38am 
As I see it, it's more about getting a REAL 2FA* instead of a semi-2FA.

Many people save the credentials to their email address on the same device as they use for gaming, which means that when that device is compromised (stolen, hacked, ...), it doesn't prevent too much from happening with that extra step.

The phone however is a separate device, that would have to be compromised as well as your steam login credentials**, which makes it a bit more difficult, but certainly not impossible.

One might also argue about emails' insecurities (possibly being transmitted unencrypted etc), but as you said, the phone itself is used for other things enough to be compromisable as well.

edit:
* it isn't even that though as discussed later in this thread
** see further discussion; apparently the app has more privileges than just authentication -.-'
Last edited by The_Driver; May 30, 2016 @ 5:08am
Tev May 29, 2016 @ 2:40am 
Here:

It's to prevent users who compromise your computer from getting your items. When your confirmations are done on a whole different piece of hardware, simply compromising your computer (and thus e-mail) isn't enough.

We already see attempts of "scams" placed on compromised accounts' computers:

These are placed, because they cannot get your items without you co-operating by their rules.


Also, in addition to having a PIN code on your phone, you could consider enabling Steam Family View PIN and maybe not leave yourself logged in on the Steam Mobile app.

P.S. Most people have an e-mail app on their phone too, in which they have their credentials stored. So switching to e-mail protection would hardly fix this.

I get your point that stolen phones are a security issue; it not only affects Steam but practically everything people store on it. It's smart to have a recovery code at hand to remove the authenticator with, in addition to backup codes as you mentioned (as login tokens)

Virtual thefts are more common than physical thefts, that being said.


The Mobile Authenticator also decreases third party dependency, i.e. previous issues with providers such as AOL, Yahoo and Windows Live not receiving e-mails.
Last edited by Tev; May 29, 2016 @ 2:49am
The_Driver May 29, 2016 @ 3:00am 
Originally posted by Teutep:
The Mobile Authenticator also decreases third party dependency, i.e. previous issues with providers such as AOL, Yahoo and Windows Live not receiving e-mails.

Emails are easy to replace though; the mobile auth has added the exclusion criteria of "anything other than android or iOS/supported devices" in exchange for that. Emails work on basically any device capable of connecting to the internet.



Originally posted by Teutep:
These are placed, because they cannot get your items without you co-operating by their rules.
Haven't seen this before, thanks.
Tev May 29, 2016 @ 3:06am 
Originally posted by The_Driver:
Originally posted by Teutep:
The Mobile Authenticator also decreases third party dependency, i.e. previous issues with providers such as AOL, Yahoo and Windows Live not receiving e-mails.

Emails are easy to replace though; the mobile auth has added the exclusion criteria of "anything other than android or iOS/supported devices" in exchange for that. Emails work on basically any device capable of connecting to the internet.

While that's true, the fact it's all first party with the Steam Mobile app makes it easy to narrow down should an issue happen. That in both a good and a bad way.


The other pro that I can imagine to using the Mobile Authenticator is, since it's a separate piece of hardware, you're excluded from cookie based New Device Restrictions should you have had it on at least the past 7 days.

http://store.steampowered.com/news/19618/
Accounts with a Mobile Authenticator enabled for at least 7 days are no longer restricted from trading or using the Market when using a new device since trades on the new device will be protected by the Mobile Authenticator.

Maybe as a side note to the topic title,
Steam Guard: Mobile vs Email?
Last edited by Tev; May 29, 2016 @ 3:07am
Gargoyle May 29, 2016 @ 11:17am 
Thanks for your replies, everyone. Good points. :bigups:

Personally, having my steam account(s) mail me to an email account which is not automatically delivered to my phone nor my computer is what I use as "security".

And I still attest that this is a better layer of security than having an authenticator on a phone!
(Because, like said, most people use only the "swipe to unlock", and even if they use the pattern/pin thing, it's not uncommon to share this with friends for an example. So when at your house, both your computer & your phone there, they will effectively have "full access".)

But that's just me - and my opinion on the matter.
Others do things differently and may have other opinions, that's their prerogative.

I'm just not a fan of this "must use mobile authenticator or wait 15 days to sell / trade stuff".
So my personal solution will probably be that one of the 3 accounts in the household will be attached to the Mobile Authenticator for Market Selling purposes, stuff can then be traded to that account with a one day wait. *Shrug.*

The extra oddity -- this really bamboozles me, if someone can explain this I would greatly appreciate it! -- is that Steam Support has already stopped returning items that have been traded out with what seems to be "approval of the account (holder)", yes?

So if this is already the case, regardless of security settings & opting in or out of the mobile authenticator, why is the option of not wanting the mobile authenticator penalised so heavily?
Where is the option to opt out of this penalisation?
(Other than adopting the Mobile Authenticator?) :spazdunno:

I suppose I willingly, knowingly, in full mental and physical health, want to reduce the parenting that Steam is giving me? :P Taking care of me & my stuff too much now, Steam! Not appreciated!

Wanting good, wanting to protect us weak mortals, that's fine!
But to enforce it... (in such a way) ...is much less cool.
The_Driver May 29, 2016 @ 11:27am 
Originally posted by Gargoyle:
Personally, having my steam account(s) mail me to an email account which is not automatically delivered to my phone nor my computer is what I use as "security".
Yeah, sad that such security procedures/principles/concepts aren't done by the masses. While not technically enforceable, good 2FA would have been doable with emails. You just need to "force" people to use a second device for that, one that isn't used elsewhere. The emails could even list the trade details, just like the mobile auth app does. It's just the users' behavior messing things up for the technically savvy people that would be perfectly fine with only email auth.



Originally posted by Gargoyle:
So if this is already the case, regardless of security settings & opting in or out of the mobile authenticator, why is the option of not wanting the mobile authenticator penalised so heavily?
Where is the option to opt out of this penalisation?
That opt-out would need at least the same time period to apply though, otherwise the implemented security would be compromised, as an attacker could just downgrade your security.
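The point made in the reply above, that an opt-out has to be subject to the same waiting period or an attacker simply downgrades the account first, is a general rule for any security-sensitive setting. The following is an added illustration, not code from the thread or from Valve: a toy account-policy model in which removing the authenticator is a pending change that only takes effect after a cool-down, during which the account is treated as unprotected and the legitimate owner can cancel it. The day counts (15-day market hold, 7-day authenticator maturity) are the figures quoted in this thread; the 15-day removal cool-down, the day-number time base and all function names are assumptions of the example, not Steam's actual rules.

```python
from dataclasses import dataclass
from typing import Optional

# Policy constants. The first two are numbers quoted in the thread; the removal
# cool-down is an assumption of this example (The_Driver's "at least the same period").
MARKET_HOLD_DAYS = 15       # hold applied to market sales from an unprotected account
AUTH_MATURITY_DAYS = 7      # authenticator must be this old before it lifts the hold
REMOVAL_COOLDOWN_DAYS = 15  # how long a removal request stays pending


@dataclass
class Account:
    name: str
    authenticator_enabled_on: Optional[int] = None  # day number; None = no authenticator
    removal_effective_on: Optional[int] = None      # day a pending removal takes effect


def enable_authenticator(acct: Account, today: int) -> None:
    acct.authenticator_enabled_on = today
    acct.removal_effective_on = None


def request_removal(acct: Account, today: int) -> int:
    """Security downgrade: recorded now, applied only after the cool-down.

    Returns the day on which the removal becomes effective.
    """
    if acct.authenticator_enabled_on is None:
        raise ValueError("no authenticator to remove")
    acct.removal_effective_on = today + REMOVAL_COOLDOWN_DAYS
    return acct.removal_effective_on


def cancel_removal(acct: Account) -> None:
    """The real owner, still holding the authenticator, can abort a pending downgrade."""
    acct.removal_effective_on = None


def apply_pending_changes(acct: Account, today: int) -> None:
    """Make a pending removal effective once its day has arrived."""
    if acct.removal_effective_on is not None and today >= acct.removal_effective_on:
        acct.authenticator_enabled_on = None
        acct.removal_effective_on = None


def market_hold_days(acct: Account, today: int) -> int:
    """Hold (in days) applied to a market sale made today: 0 only for a protected account."""
    apply_pending_changes(acct, today)
    if acct.authenticator_enabled_on is None:
        return MARKET_HOLD_DAYS                     # never protected, or removal completed
    if acct.removal_effective_on is not None:
        return MARKET_HOLD_DAYS                     # downgrade pending: treat as unprotected
    if today - acct.authenticator_enabled_on < AUTH_MATURITY_DAYS:
        return MARKET_HOLD_DAYS                     # authenticator too new to trust
    return 0


if __name__ == "__main__":
    alice = Account("alice")
    enable_authenticator(alice, today=0)
    print("day 10, protected:", market_hold_days(alice, 10))        # 0
    request_removal(alice, today=10)                                 # attacker (or owner) asks to remove
    print("day 12, removal pending:", market_hold_days(alice, 12))  # 15: no instant downgrade
    cancel_removal(alice)                                            # owner notices and cancels
    print("day 12, cancelled:", market_hold_days(alice, 12))        # 0
```

The property worth checking is that no sequence of calls lets an account go from "protected" to "unprotected and able to sell without a hold" in fewer than the cool-down days; the pending state is what closes the downgrade shortcut.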
Gargoyle May 29, 2016 @ 11:32am 
Originally posted by The_Driver:
That opt-out would need at least the same time period to apply though, otherwise the implemented security would be compromised, as an attacker could just downgrade your security.
Agreed on that! :bigups:
(I'd take it. Even if it was a 30 day waiting period!)
Joci May 29, 2016 @ 12:19pm 
asa
HLCinSC May 29, 2016 @ 1:03pm 
Originally posted by Gargoyle:
Also read as:
Why enforce the mobile client?

If the mobile client was the de facto "better alternative" for receiving your Steam Guard codes, why would there be a need to enforce people into using it?
Certainly people would realize and opt for the "better alternative", yes? :creep:
And yes, by slapping some arbitrary 15 day steam community market sell delays etc, it is very strongly being coerced. (The same tactic bullies use? And, eh, parents?) :spazdunno:
"Oh you don't have to, we're not forcing you to do anything, but..."
That but is the telltale sign? :steamsad:

It is similar to seatbelt laws. Obviously, virtually everyone knows that it is safer to use one than not, but not all people are willing to deal with the hassle or discomfort of using one. Even though not using a seatbelt pretty much only affects the non-wearer, it is important enough that those in power decided to issue penalties (traffic stops, fines, court dates) for those who choose to not participate in the practice.
Tev May 29, 2016 @ 11:54pm 
Originally posted by Gargoyle:
The extra oddity -- this really bamboozles me, if someone can explain this I would greatly appreciate it! -- is that Steam Support has already stopped returning items that have been traded out with what seems to be "approval of the account (holder)", yes?

So if this is already the case, regardless of security settings & opting in or out of the mobile authenticator, why is the option of not wanting the mobile authenticator penalised so heavily

Not sure if this is the answer you seek, but here's one negative side to account thefts despite items no longer being returned,
Originally posted by Tito Shivan:
Stolen accounts can harm you by:
-Sending malware to people on their friend list pretending to be the right owner.
-Using the account as a way of scamming individuals or stealing more accounts.
-Polluting the community with spam and links to malware, viruses & phishing sites.
-dumping items & games purchased with shady payment methods into the market & trade ecosystems we all use.
-Hampering your gaming experience through the use of cheats or griefing.

There are many ways a stolen account from another person can harm you. Users who get their accounts stolen are not just a problem for themselves, but a liability to everyone else on Steam.
Naota May 30, 2016 @ 4:34am 
I've been here for 8 years.

I have more than 100 games and I've bought and sold on the market hundreds of times.

What is my reward for this loyalty and money spent?

Valve tells me I need to buy a smartphone and pay a monthly fee to a third party, in order to keep using all their features.

Thanks Valve - You suck

Also - let's not have this "you can still use the market" bs. People without the mobile app have effectively been cut out of the market - AND EVERYONE KNOWS THAT.
Last edited by Naota; May 30, 2016 @ 4:36am
Aahzmandias May 30, 2016 @ 4:37am 
Originally posted by The_Driver:
As I see it, it's more about getting a REAL 2FA instead of a semi-2FA.

Many people save the credentials to their email address on the same device as they use for gaming, which means that when that device is compromised (stolen, hacked, ...), it doesn't prevent too much from happening with that extra step.

The phone however is a separate device, that would have to be compromised as well as your steam login credentials, which makes it a bit more difficult, but certainly not impossible.

One might also argue about emails insecurities (possibly being transmitted unencrypted etc), but as you said, the phone itself is used for other things enough to be compromisable as well.


But do you know that you have to log into Steam on the smartphone with your login data? If they get their hands on this device, they have it all.
Last edited by Aahzmandias; May 30, 2016 @ 4:37am
The_Driver May 30, 2016 @ 4:41am 
Originally posted by mkess:
But do you know that you have to log into Steam on the smartphone with your login data?
I didn't know all the details, because I don't own such a tracking device. The basic principle is clear though.

Does it save your credentials (which would be an insane security f-up) or just a token that's only valid for Mobile Auth login or do you have to manually type in the login info every time?
Last edited by The_Driver; May 30, 2016 @ 4:48am
Tev May 30, 2016 @ 4:43am 
Originally posted by The_Driver:
Originally posted by mkess:
But do you know that you have to log into Steam on the smartphone with your login data?
I didn't. Because I don't own such a tracking device.

Does it save your credentials (which would be an insane security f-up) or just a token that's only valid for Mobile Auth login or do you have to manually type in the login info every time?
Sadly, unless you log in yourself, you'll stay logged in.

Also, the device that has the authenticator won't ask for your authenticator code.

When I was using iPhone, I'd use Steam Family View PIN, since you can restrict community access behind a PIN with that. That's not as doable on Android, which is why I use AppLocker instead.
Last edited by Tev; May 30, 2016 @ 4:44am
The_Driver May 30, 2016 @ 5:06am 
Originally posted by Teutep:
Originally posted by The_Driver:
I didn't. Because I don't own such a tracking device.

Does it save your credentials (which would be an insane security f-up) or just a token that's only valid for Mobile Auth login or do you have to manually type in the login info every time?
Sadly, unless you log in yourself, you'll stay logged in.

Also, the device that has the authenticator won't ask for your authenticator code.

When I was using iPhone, I'd use Steam Family View PIN, since you can restrict community access behind a PIN with that. That's not as doable on Android, which is why I use AppLocker instead.

Ah, I assumed it was just 2FA.

I didn't know it had other uses and hence doesn't really qualify as such in a stricter sense.

Honestly, I don't even see the use cases now, as the pictures shown on the Google Play Store are things the website itself could have done (like chat, community, store). And even if a standalone application would be needed for that for any reason, that app should have been a separate application so that the mobile auth aspect could get a token based login that's not valid for anything else.

Thanks for warning me.
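The design asked for in the post above, a login token for the authenticator that "is not valid for anything else", is what scoped (least-privilege) session tokens give you: the server binds each token to an explicit list of permitted operations, so a token lifted from the phone cannot be replayed against the market or trade endpoints. The following is an added example, not code from the thread or from Valve: a minimal HMAC-signed token with a `scope` claim and a server-side `authorize` check. The token format, scope names (`guard:confirm`, `market:sell`), the `sub`/`iat`/`exp` claim names and the signing key are all assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional

# Constructed server-side signing key for the demo; a real service keeps this in an HSM or KMS.
SERVER_KEY = b"constructed-server-side-signing-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, body: str) -> str:
    return _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def issue_token(key: bytes, account: str, scopes: Iterable[str], issued_at: int, ttl: int) -> str:
    """Mint `body.signature`; the body carries the subject, the allowed scopes and an expiry."""
    claims = {"sub": account, "scope": sorted(set(scopes)), "iat": issued_at, "exp": issued_at + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{_sign(key, body)}"


def verify_token(key: bytes, token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    # Check the MAC before parsing anything, in constant time.
    if not hmac.compare_digest(_sign(key, body), sig):
        return None
    try:
        claims = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or now >= claims.get("exp", 0):
        return None
    return claims


def authorize(key: bytes, token: str, required_scope: str, now: int) -> str:
    """Server-side gate in front of each operation: valid token AND matching scope."""
    claims = verify_token(key, token, now)
    if claims is None:
        return "denied: invalid or expired token"
    if required_scope not in claims.get("scope", []):
        return f"denied: token lacks scope {required_scope}"
    return f"ok: {claims['sub']} may {required_scope}"


if __name__ == "__main__":
    # The phone app only ever receives a token scoped to confirming Steam Guard prompts.
    phone_token = issue_token(SERVER_KEY, "alice", {"guard:confirm"}, issued_at=1000, ttl=3600)
    print(authorize(SERVER_KEY, phone_token, "guard:confirm", now=1500))
    # Someone who copies that token off the phone still cannot list items on the market.
    print(authorize(SERVER_KEY, phone_token, "market:sell", now=1500))
```

Because the scope list is inside the signed body, it cannot be widened by the holder: editing the claims and reusing the old signature fails the MAC check before the scope is ever consulted, and a short `exp` bounds how long a stolen token is useful at all.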

Date Posted: May 29, 2016 @ 2:27am
Posts: 21