Latty Mar 16, 2016 @ 2:11pm
Steam Guard - Can we get numerical codes, rather than alphanumerical?
The 2FA from the mobile application is great, and a welcome security addition to steam. I was initially annoyed at the fact I couldn't use an existing 2FA application, with steam having a custom set-up, but I read about the way it is integrated into trading and I understand the value of that.

This being said, there is an annoyance that I'd like to see fixed, and that is the alphanumerical codes - every other 2FA device I have used has only used numbers, and this makes it easy to hold a phone in one hand and tap in the digits with the other. Steam's current setup means this isn't possible and increases friction. A longer code that was numerical only would be much preferred over the mixed code.

Showing 1-12 of 12 comments
HEART Mar 16, 2016 @ 2:14pm 
No, there are too many steam users and given that a 5 digit number has only 99,999 possible combinations, there is a very good chance that two of the same authentication code will come up at the same time in various places in the world, creating a problem.

With letters, the number of combinations becomes 36x36x36x36x36...whatever that number is
Latty Mar 16, 2016 @ 2:20pm 
Originally posted by ✴ Celestial Fatality ✴:
No, there are too many steam users and given that a 5 digit number has only 99,999 possible combinations, there is a very good chance that two of the same authentication code will come up at the same time in various places in the world, creating a problem.

With letters, the number of combinations becomes 36x36x36x36x36...whatever that number is

So firstly, you are misunderstanding how 2FA works - two people getting the same code is not a problem, you are logging in to a specific account, you will only log in to your account if the code matches what steam expects based on *your* shared secret. Another user is irrelevant.

Reducing the problem space could be a problem in the sense it could weaken the strength of the check being applied (it is easier for someone to get the code illegitimately), but this could be countered, if necessary, by increasing the length of the code (as stated in the original post).

Most 2FA systems I have used use 6 digits (e.g: Google, LastPass, Facebook, Microsoft, Github, Facebook - all use the same RFC 6238 spec).
Last edited by Latty; Mar 16, 2016 @ 2:22pm
RZW Mar 16, 2016 @ 9:41pm 
At the moment you just split it into 2 groups in your head. Usually takes 3-5 seconds to enter a code. A longer code would take more mental effort to memorize and time to enter. It would be a pain in the ass by comparison.
Last edited by RZW; Mar 16, 2016 @ 9:45pm
Latty Mar 17, 2016 @ 12:29pm 
Originally posted by Metal Scourge:
At the moment you just split it into 2 groups in your head. Usually takes 3-5 seconds to enter a code. A longer code would take more mental effort to memorize and time to enter. It would be a pain in the ass by comparison.

As mentioned, other applications use 6 digits, which is two groups of three, easily memorisable. And even if they were not, the point of my post was that by using digits, it is easy to type one handed, while you read off a device, stopping the need for that, and making the whole process less intrusive.
Last edited by Latty; Mar 17, 2016 @ 12:30pm
HEART Mar 17, 2016 @ 12:56pm 
I stated this in post #1 but OP shot me down.
Latty Mar 17, 2016 @ 1:48pm 
Originally posted by laff:
10^6 = 1,000,000 your suggestion
36^4 = 1,679,616
10^7 = 10,000,000
36^5 = 60,466,176 current
10^8 = 100,000,000

Using only numerical digits, you would need at least 8 numerical digits for it to be as secure as the current 5 alphanumeric digit case-insensitive system. Even chopping off one of the current digits would still be more secure than your suggestion.

Besides, if you were just better at memorizing or typemanship, you wouldn't care like everyone else on Steam.

You are right that a wider range of characters means there are more possible codes, and in this sense, an alphanumeric code is 'more secure', however, you are talking about more secure against a brute force attack (trying all possible codes until you get the right one) - given that steam will rate limit the number of guesses you could make, a million combinations is more than enough to ensure no attacker could realistically attack that way. Longer codes really aren't going to have a measurable impact on security.

If you are not convinced, then please look again at the list of companies that use the 6 digit codes - Google, LastPass, Facebook, Microsoft, Github (and many others - see https://en.wikipedia.org/wiki/Google_Authenticator#Usage for a list). These are hardly companies that would accept a poor level of security (especially LastPass - their entire business is security).

And then you turn it into a personal attack on me - I'm not making this suggestion because I can't memorize a number or type, but simply because it would provide a better user experience, with less friction. That's a good thing for everyone. It's easier to type in a code when it's purely numerical, so I'm suggesting that switch - there is no security reason not to, it's simply a usability issue - it'll make it easier for a lot of people, and can't hurt anyone else.
Satoru Mar 17, 2016 @ 2:12pm 
So far Steam seems to want to use a custom TOTP code variation

There's nothing 'in theory' with using a typical numerical implementation but it's not likely Steam is going to change how SteamGuard works at this point.
Latty Mar 17, 2016 @ 2:17pm 
Originally posted by Satoru:
So far Steam seems to want to use a custom TOTP code variation

There's nothing 'in theory' with using a typical numerical implementation but it's not likely Steam is going to change how SteamGuard works at this point.

I read Valve are using a custom implementation so they can show trades to the user when getting a code to confirm it, which decreases the chance someone is tricked by a scam trade - this is reasonable, and I understand why they don't use a standard method (e.g: RFC 6238).

That said, there is no reason that implementation couldn't use numerical rather than alphanumerical codes, as you say (people aren't going to not be able to type in a numerical code when they were typing an alphanumerical one before).

It is indeed unlikely that a Valve employee finds this and the change gets made, but without expressing it, they definitely won't, I'm simply making a suggestion based on my experience, with the hope it does change, as I believe it would be an improvement to Steam.
Last edited by Latty; Mar 17, 2016 @ 2:18pm
HEART Mar 17, 2016 @ 2:19pm 
"this makes it easy to hold a phone in one hand and tap in the digits with the other"

My question is this. If you are using both hands anyway, what difference does it make if its only number or letters and numbers?
Latty Mar 17, 2016 @ 2:24pm 
Originally posted by ✴ Celestial Fatality ✴:
"this makes it easy to hold a phone in one hand and tap in the digits with the other"

My question is this. If you are using both hands anyway, what difference does it make if its only number or letters and numbers?

Because one hand is holding my phone to open the application and read the number from. I then either have to memorise the code and put the phone down/put the phone down and read off it (which is inconvenient for my setup), or type with one hand, which is awkward to do for an alphanumeric code.

I then usually want to leave the steam application on my phone, which would then require picking it up again if I used both hands to type, it is all just more awkward.

A number-only code is simple to type on a numpad (or the number row for those lacking a numpad).

I use 2FA on all my accounts where possible, and Steam is the most awkward to use because of this. It's not the end of the world, but it would be a usability gain to change it.
Gus the Crocodile Mar 17, 2016 @ 3:35pm 
Yep, all seems like a pretty good idea to me. Alphanumeric seems like a way of complicating things without offering any real benefit in return.
Latty Mar 22, 2016 @ 1:33pm 
Originally posted by laff:
Originally posted by Latty:
And then you turn it into a personal attack on me - I'm not making this suggestion because I can't memorize a number or type, but simply because it would provide a better user experience, with less friction. That's a good thing for everyone. It's easier to type in a code when it's purely numerical, so I'm suggesting that switch - there is no security reason not to, it's simply a usability issue - it'll make it easier for a lot of people, and can't hurt anyone else.
How the ♥♥♥♥ do you consider this a personal attack? It's a fact. It takes maybe 3 seconds to type a few characters and you've spent how much time here complaining that you have bad memory and typemanship and you expect me not to touch on that?
Originally posted by laff:
Besides, if you were just better at memorizing or typemanship, you wouldn't care like everyone else on Steam.

I will try to give an example - say there is a door that needs to be pushed with a handle, rather than a push plate - this is a common design flaw, that makes it slightly annoying to use the door. If I asked to change that door to install a push plate, am I terrible at using doors? I'm not saying the door is unusable, just that it would be better if changed.

This is the same case - the current system works, I am just suggesting an option with less friction. Even if this doesn't affect you, it is odd you found it necessary to say that I must be at fault, unable to type or keep a number in my head.

I have not complained that my memory is bad or that I can't type (quite the opposite, as a developer I type for most of my working day) - I called this an annoyance in my original post, and said it increases friction.

Maybe it would make absolutely no difference to you, but to most people, two factor authentication is a step that, while excellent for security, does add a step between them and where they want to be. Good design is about trying to reduce that step to be as unintrusive as possible, I'm simply suggesting a way to improve the system as it stands.
Last edited by Latty; Mar 22, 2016 @ 1:37pm

Date Posted: Mar 16, 2016 @ 2:11pm
Posts: 12