With letters, the number of combinations becomes 36x36x36x36x36...whatever that number is
So firstly, you are misunderstanding how 2FA works - two people getting the same code is not a problem, you are logging in to a specific account, you will only log in to your account if the code matches what steam expects based on *your* shared secret. Another user is irrelevant.
Reducing the problem space could be a problem in the sense it could weaken the strength of the check being applied (it is easier for someone to get the code illegitimately), but this could be countered, if necessary, by increasing the length of the code (as stated in the original post).
Most 2FA systems I have used use 6 digits (e.g: Google, LastPass, Facebook, Microsoft, Github, Facebook - all use the same RFC 6238 spec).
As mentioned, other applications use 6 digits, which is two groups of three, easily memorisable. And even if they were not, the point of my post was that by using digits, it is easy to type one handed, while you read off a device, stopping the need for that, and making the whole process less intrusive.
You are right that a wider range of characters means there are more possible codes, and in this sense, an alphanumeric code is 'more secure', however, you are talking about more secure against a brute force attack (trying all possible codes until you get the right one) - given that steam will rate limit the number of guesses you could make, a million combinations is more than enough to ensure no attacker could realistically attack that way. Longer codes really aren't going to have a measurable impact on security.
If you are not convinced, then please look again at the list of companies that use the 6 digit codes - Google, LastPass, Facebook, Microsoft, Github (and many others - see https://en.wikipedia.org/wiki/Google_Authenticator#Usage for a list). These are hardly companies that would accept a poor level of security (especially LastPass - their entire business is security).
And then you turn it into a personal attack on me - I'm not making this suggestion because I can't memorize a number or type, but simply because it would provide a better user experience, with less friction. That's a good thing for everyone. It's easier to type in a code when it's purely numerical, so I'm suggesting that switch - there is no security reason not to, it's simply a usability issue - it'll make it easier for a lot of people, and can't hurt anyone else.
There's nothing 'in theory' with using a typical numerical implementation but it's not likely Steam is going to change how SteamGuard works at this point.
I read Valve are using a custom implementation so they can show trades to the user when getting a code to confirm it, which decreases the chance someone is tricked by a scam trade - this is reasonable, and I understand why they don't use a standard method (e.g: RFC 6238).
That said, there is no reason that implementation couldn't use numerical rather than alphanumerical codes, as you say (people aren't going to not be able to type in a numerical code when they were typing an alphanumerical one before).
It is indeed unlikely that a Valve employee finds this and the change gets made, but without expressing it, they definitely won't, I'm simply making a suggestion based on my experience, with the hope it does change, as I believe it would be an improvement to Steam.
My question is this. If you are using both hands anyway, what difference does it make if it's only numbers or letters and numbers?
Because one hand is holding my phone to open the application and read the number from. I then either have to memorise the code and put the phone down/put the phone down and read off it (which is inconvenient for my setup), or type with one hand, which is awkward to do for an alphanumeric code.
I then usually want to leave the steam application on my phone, which would then require picking it up again if I used both hands to type, it is all just more awkward.
A number-only code is simple to type on a numpad (or the number row for those lacking a numpad).
I use 2FA on all my accounts where possible, and Steam is the most awkward to use because of this. It's not the end of the world, but it would be a usability gain to change it.
I will try to give an example - say there is a door that needs to be pushed with a handle, rather than a push plate - this is a common design flaw, that makes it slightly annoying to use the door. If I asked to change that door to install a push plate, am I terrible at using doors? I'm not saying the door is unusable, just that it would be better if changed.
This is the same case - the current system works, I am just suggesting an option with less friction. Even if this doesn't affect you, it is odd you found it necessary to say that I must be at fault, unable to type or keep a number in my head.
I have not complained that my memory is bad or that I can't type (quite the opposite, as a developer I type for most of my working day) - I called this an annoyance in my original post, and said it increases friction.
Maybe it would make absolutely no difference to you, but to most people, two factor authentication is a step that, while excellent for security, does add a step between them and where they want to be. Good design is about trying to reduce that step to be as unintrusive as possible, I'm simply suggesting a way to improve the system as it stands.