Steam guard is not very secure
Unfortunately, my steam account was hacked
All my steam wallet money disappeared.
The thief used the method of market transactions, bought all the money in my wallet and then sold it, spending all the money in my wallet over and over again
My steam account obviously has the highest security level of steam guard, but it was still stolen. Fortunately, no major losses were caused, but steam really disappointed me. I hope Valve's security department can pay attention to similar incidents and give us consumers a safe social space
Showing 61-75 of 112 comments
RiO 4 Mar 2023 @ 11:52am 
Originally posted by ShelLuser:
The main problem isn't the security methods, it's the people who are misusing them because they get tricked into doing so and no system on the planet is going to change that.

Period.

Except the FIDO alliance's suite of protocols did actually make a big step in that direction.


Originally posted by ShelLuser:
That's another point you're ignoring: Steam still is trying to make a profit here. So they don't want to add too much hassle because that's going to affect revenue. Especially if there's no need because... there's nothing to fix.

A FIDO based authentication flow is no more hassle than the current QR code app.
Pair your phone with BTLE to your PC; or connect it via USB cable. When you need to sign in; the phone pops a notification and you authorize it. Done.

Re-engineer the existing SteamGuard app on top of FIDO protocols and instantly the way they work under the hood prevents at a protocol-level the possibility of users being phished by malicious look-alike sites.


Originally posted by ShelLuser:
You want to stop scamming? Then preach harder for the use of smartphones and the Steam app. If people will stop using codes and only use the new QR scan authentication they're not going to get scammed. Period.

... as long as they don't try this on 3rd party websites of course because then you'd still have the MITM issue to address. Your fancy new authentication scheme is also not going to solve that either.

Exactly - the SteamGuard app QR code flow did nothing to enhance security wrt MitM phishing attacks that trick users into believing they are communicating with the legit Steam services.

It can't fix that problem, because there's no secure and trusted side-channel involved which tells the SteamGuard app in a trustworthy manner what the actual website is that the user is attempting to sign into, so it can refuse to provide authorization where this is not a site operating on an authentic Steam domain.

The result of that shortcoming is that a scammer could just try to log in with the legit user's username and password stolen via the phishing site and when presented with a QR code to scan; can forward that back to the legit user to scan; and they're in. You're exactly no further than you were in the situation with manually entering one-time TOTP codes. I.e. the QR codes didn't improve security - only convenience. (Saves a user the hassle of manually reading back a code from the phone app and manually entering it into the sign-in prompt on the site they're signing in.)


But when using the FIDO U2F flow to provide 2FA when logging into a website, such a secure side-channel does exist.
The 'hardware key' sign-in functionality in browsers that connects the website wanting to receive authentication to a FIDO-compatible authenticator is provided by a dedicated API called the WebAuthn API - a joint-effort by the FIDO Alliance and W3C working groups.
As part of that API, browsers themselves act as a trusted agent that initializes an authorization request with the authenticator based on a cryptographically secured key-handle. That key-handle includes information regarding the origin/domain the browser knows the authorization request came from; and to which it knows it will be supplying the result.
The authenticator in turn knows whether that origin/domain is the legit one belonging to the service the user signed up for. And if things don't match, then the authenticator will simply refuse to honor the authorization request.
So phishing sites aren't going to be able to get a code out of it. Period. Any attempt to do so is immediately stopped cold. (And the authenticator will probably helpfully alert the user that the site in question is not the one they registered for - i.e. is fraudulent.)


Originally posted by Komarimaru:
Again, you're wrong.
So far in this thread I've posted a manual from Google demonstrating how to set up either your Android or iOS Phone to serve as a 2FA authenticator aka 'hardware key' for when signing into your Google account on other systems.
I've posted a news article from Google way back when the feature was introduced to Android in Android 7 Nougat, which comes complete with an infographic showing how the process works between a laptop running Chrome and an Android phone on the side.
And I've posted a news article from the FIDO alliance linking to said news article from Google, reinforcing it.

You have supplied in return ... exactly nothing but your own word.
I am wrong? Fine. Waylay and provide counter-evidence to the references I provided then.
Actual documented stuff.

Originally posted by Komarimaru:
The phisher just has to trick the person into giving away the code.
FIDO U2F doesn't involve a one-time code to give away.
At least; not one that is ever communicated visibly to end-users as plain text they can copy and supply to someone else. All of it is just high-entropy 1024+ bits cryptographic key exchanges.
Last edited by RiO; 4 Mar 2023 @ 11:58am
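To make the origin-binding argument in the post above concrete, here is an added example (not from this thread or from Valve) of the checks a relying party runs on a WebAuthn assertion before it even looks at the signature: the browser-supplied origin in clientDataJSON and the rpIdHash in authenticatorData must match the site the user actually registered with, so an assertion relayed through a look-alike domain is rejected. RP_ID, the allowed origin, the challenge and the sample assertions are all constructed values; the signature verification that would follow these checks is left out.

```python
# Added example: relying-party-side origin/RP-ID checks on a WebAuthn assertion.
# All values (RP_ID, origins, challenge) are constructed for illustration.
import base64
import hashlib
import json

RP_ID = "example-rp.test"                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://example-rp.test"}  # origins this RP accepts

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_data(origin: str, challenge: bytes) -> bytes:
    # The browser writes the origin IT observed, not what the page claims to be.
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()

def make_auth_data(rp_id: str, user_present: bool = True) -> bytes:
    # authenticatorData layout: rpIdHash(32) | flags(1) | signCount(4)
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")

def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes) -> str:
    """Return 'ok' or the reason the RP must reject, checked before the signature."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return "bad clientDataJSON"
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return "challenge mismatch (replay?)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return f"origin {cd.get('origin')!r} not allowed (phishing?)"
    if len(auth_data) < 37:
        return "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    return "ok"

if __name__ == "__main__":
    ch = b"constructed-challenge-0123456789abcdef"
    print(verify_assertion(make_client_data("https://example-rp.test", ch), make_auth_data(RP_ID), ch))
    print(verify_assertion(make_client_data("https://example-rp.test.evil.example", ch), make_auth_data(RP_ID), ch))
```

The second call models the relay scenario the post describes: the user's browser signed for the look-alike origin, so the assertion never validates at the real site regardless of what the user was tricked into approving.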
ShelLuser 4 Mar 2023 @ 12:15pm 
And another thing... like this website[en.wikipedia.org] explaining that:

Challenge / response is signed (encoding originating domain/website) to prevent interception and reuse
The funny thing is that the same thing applies to HTTPS and that is touted as being more secure to HTTP because of that and yet MitM still happens.

In the end U2F is a lot of hassle which doesn't solve the actual problems at all. There is so much wrong with U2F... for example:

Private key only stored on user hardware device.
What device would that be?

The USB devices communicate with the host computer using the human interface device (HID) protocol, essentially mimicking a keyboard.
It could even be a simple smartphone. No one in their right mind is going to rely on a dedicated dongle for something as trivial as Steam trading. Lose the dongle and you can no longer access anything? That sounds like a disaster in the making to me.

Another thing:

The device key is vulnerable to malicious manufacturer duplication.[citation needed]
Translation: "Your account is going to be banned soon unless you send us from Steam a file from your phone, just open your file browser... like that yes, now send the file to your shared OneDrive / Google Drive folder... good!".

It doesn't fix stupid. (edit): In other words... the more complicated you're going to make the process, the easier it'll be for scammers to trick people: "Your phone is going to die soon because of a bug in the system and the link with your computer, but we can fix this!".
Last edited by ShelLuser; 4 Mar 2023 @ 1:24pm
No matter how fancy the new lock on your account is, the human element still remains the weakest link; it still doesn't solve the issue with phishing attacks. To solve it is to fully take away end users' rights over how and where they want to log in from, basically preventing you from trying to log in to scam sites and such simply because you saw "Free stuff", or were asked to vote for a team, or someone claiming to be an admin, or whatever. But yeah, end users would rather have the right to control their account than not have control at all.

- Some users want to be able to login where ever. <--- Yes people travel...
- Some users may have family / friends login for them. <--- Yes some people may do this.
- Some users may use email over phone apps for 2FA. <--- Yes some people have their own reasons.
- Some users may not want extra things on their account, and keep it simple. <--- Yes some people are like that.
Last edited by Dr.Shadowds 🐉; 4 Mar 2023 @ 12:28pm
Implement HWID lock: the Steam launcher locks on to your hardware ID and no second place can sign in to the account if you don't allow it, for example on your phone (get a notification "new sign in detected", approve or deny, like Google has).
Originally posted by SqueakyTweaky:
Implement HWID lock: the Steam launcher locks on to your hardware ID and no second place can sign in to the account if you don't allow it, for example on your phone (get a notification "new sign in detected", approve or deny, like Google has).
HWID may be an idea, but still no dice, as you need something to cut out the human element, such as the end user, from granting any login permissions.

Defective hardware or a hardware upgrade is gonna be your issue. If something happens, well, there goes your access, as there's no way to get your hardware ID if the hardware is not usable, and if you got rid of said hardware before transferring for an upgrade / replacement, again a lockout for that reason. Now, it's not hard to copy a HWID and spoof it either.

Another thing is that people who travel or use multiple devices may also be an issue; there are also people who use cybercafes, etc., so why would you lock their hardware to your account when you don't even own it.

Steam does have this feature where you get a notification asking for approval for a login via the Steam Guard mobile app, just like the Battle.net app; the thing is Steam has gone a step beyond by showing you a geolocation for where you're being logged in from. The issue still remains on the end user to not just click approve on a sign-in they didn't want to approve.
Rotan 4 Mar 2023 @ 2:05pm 
Nothing is 100% secure, hackers can hack NASA and the Pentagon if they wish
Originally posted by SqueakyTweaky:
Implement HWID lock: the Steam launcher locks on to your hardware ID and no second place can sign in to the account if you don't allow it, for example on your phone (get a notification "new sign in detected", approve or deny, like Google has).
A phone code? Like the one required to swap the authenticator? The one thieves regularly obtain from their victims?
Originally posted by Tito Shivan:
Originally posted by SqueakyTweaky:
Implement HWID lock: the Steam launcher locks on to your hardware ID and no second place can sign in to the account if you don't allow it, for example on your phone (get a notification "new sign in detected", approve or deny, like Google has).
A phone code? Like the one required to swap the authenticator? The one thieves regularly obtain from their victims?
No code, just a regular button that says are you logging in from a new device & you will have to say/press button yes or no
Originally posted by Rotan:
Nothing is 100% secure, hackers can hack NASA and the Pentagon if they wish
Indeed, I am currently learning how to make a private email server on a Raspberry Pi and isolate it so no one can access it outside my home network, and just receive Steam Guard codes on that
[N]ebsun 4 Mar 2023 @ 3:18pm 
I think the easiest solution here is... never give away your password or 2FA code.
Now, no one but you can login.
[N]ebsun 4 Mar 2023 @ 3:20pm 
Originally posted by Kiwi {♥♥♥♥♥ IS LORD}:
Originally posted by Rotan:
Nothing is 100% secure, hackers can hack NASA and the Pentagon if they wish
Indeed, I am currently learning how to make a private email server on a Raspberry Pi and isolate it so no one can access it outside my home network, and just receive Steam Guard codes on that
Don't make something that is less secure. You might think that having full control over your own email server makes it more secure - but it only leaves opportunity for you yourself to make a mistake and lose everything.
Originally posted by RiO:
Originally posted by Komarimaru:
Again, you're wrong.
So far in this thread I've posted a manual from Google demonstrating how to set up either your Android or iOS Phone to serve as a 2FA authenticator aka 'hardware key' for when signing into your Google account on other systems.
I've posted a news article from Google way back when the feature was introduced to Android in Android 7 Nougat, which comes complete with an infographic showing how the process works between a laptop running Chrome and an Android phone on the side.
And I've posted a news article from the FIDO alliance linking to said news article from Google, reinforcing it.

You have supplied in return ... exactly nothing but your own word.
I am wrong? Fine. Waylay and provide counter-evidence to the references I provided then.
Actual documented stuff.

Originally posted by Komarimaru:
The phisher just has to trick the person into giving away the code.
FIDO U2F doesn't involve a one-time code to give away.
At least; not one that is ever communicated visibly to end-users as plain text they can copy and supply to someone else. All of it is just high-entropy 1024+ bits cryptographic key exchanges.

You posted a link, showing that the connection verification just requires accepting it via a touch to the users phone.

That's it.

The exact same thing I've been saying.

Thanks for admitting you know nothing about it though, about dang time. "I posted links!" Ok, ya... links saying exactly what I've been saying, way to go, Bravo... Kinda undermining everything you're claiming it is, when it's not.
Originally posted by Nebsun:
Originally posted by Kiwi {♥♥♥♥♥ IS LORD}:
Indeed, I am currently learning how to make a private email server on a Raspberry Pi and isolate it so no one can access it outside my home network, and just receive Steam Guard codes on that
Don't make something that is less secure. You might think that having full control over your own email server makes it more secure - but it only leaves opportunity for you yourself to make a mistake and lose everything.
Private email ensures NO ONE can gain access UNLESS they're outside my home using my wifi
Originally posted by Kiwi {♥♥♥♥♥ IS LORD}:
Originally posted by Nebsun:
Don't make something that is less secure. You might think that having full control over your own email server makes it more secure - but it only leaves opportunity for you yourself to make a mistake and lose everything.
Private email ensures NO ONE can gain access UNLESS they're outside my home using my wifi
Sadly not true, since it still requires a domain name, and your server is constantly looking to download from it. Quite easy to enter into the system unless you've secured the connection, which 99% don't know how to do.

Let alone the lack of encryption for the connection now, and yes, finding the domain is easy since it's part of the email address you created.
Cryptic 4 Mar 2023 @ 5:11pm 
Your account security is your own responsibility. Steam has always had this policy

Date Posted: 25 Feb 2023 @ 10:59pm
Posts: 112