legit May 13, 2021 @ 12:18pm
Ability to login on 3rd party sites
I find it a bit weird why Steam allows logging in on 3rd party websites, and even offers API key registration. It's obvious that this is going to get abused by scammers and phishers. Almost all users who value their account security recommend against logging in on external websites, so I wonder, why does this feature exist in the first place?
Showing 1-15 of 22 comments
Aachen May 13, 2021 @ 12:24pm 
Are you referring to use of OpenID?
J4MESOX4D May 13, 2021 @ 12:27pm 
3rd party sites that utilise the Steam API are fine. Phishing sites with fake Steam logins or ones that have fake relog windows allow for accounts to be hijacked - that's down to stupid users and not Valve.

You can login anywhere which provides a real Steam login but if a user gives away their credentials to a scam site then that's their problem.

Once a hijacker has control of an account, they can create an API key freely. Yet again, that's the user's fault for becoming compromised.
legit May 14, 2021 @ 3:47am
If it wasn't possible to log in on other sites, a lot less people would give their login data away to phishing sites. To be fair, some phishing attempts are incredibly smart and you can't expect everyone to be an expert in cyber security.

I don't really see how it can be useful to login on other sites, especially when there's a high risk for phishing.
м May 14, 2021 @ 3:58am 
Originally posted by legit:
I don't really see how it can be useful to login on other sites, especially when there's a high risk for phishing.

the steam login on steamdb for example is helpful.
the steam login on alienwarearena is helpful when i'm too lazy to remember my password...

pretty sure there are some more examples, so it's not generally bad.
Supafly May 14, 2021 @ 4:01am 
Originally posted by legit:
If it wasn't possible to log in on other sites, a lot less people would give their login data away to phishing sites. To be fair, some phishing attempts are incredibly smart and you can't expect everyone to be an expert in cyber security.

I don't really see how it can be useful to login on other sites, especially when there's a high risk for phishing.

No it wouldn't. If Valve removed the ability to login via third party sites right now it wouldn't change a thing. Dodgy sites would still exist and provide fake login functions and silly users would still use them just like they already do.

The only thing that'd change is all the non dodgy sites and users of those sites would suffer.

There is also no need to ever sign in on a third party site. Login on official Steam site then use a new tab to visit a third party site. Use the one click login and it'll log in the user without them ever needing to enter any details because they are already logged in to Steam in the other tab. If a site asks for any data it's a dodgy phishing site.

If users would read basic safety advice they wouldn't get phished all the time. They are the problem. Deal with their stupidity, greed and gullibility. Don't punish all the other users and sites because a few can't grasp basic internet safety and security. It's because of them we have the mobile authenticator, 15 day restriction without it and now a 7 day trade lock after receiving items before we can trade/sell them.
Sleepy Yoshi May 14, 2021 @ 4:44am 
To be blunt, we already have security features that shouldn't be necessary because of the lowest common denominator. At some point the onus is on the end user to educate themselves rather than the platform continuing to remove features that provide convenience and/or add more security to try and keep said group safe.

In general terms, people should stop passing the buck and take some personal responsibility for keeping their account safe. There are some scams, hacks, etc where I can genuinely empathize with people because they occurred through no fault of their own and/or were quite sophisticated, but this isn't one of those.

It is as simple as stated by Monkey. You only enter your credentials on Steam rather than the 3rd party site. If they are legit, you'll be able to click two buttons to log into their site. This removes any guess work for the end user.

Steam has been using OpenID for over a decade now. It is reasonable to expect people to practice some very basic security measures.
Last edited by Sleepy Yoshi; May 14, 2021 @ 4:49am
Crazy Tiger May 14, 2021 @ 4:59am 
Scammers creating a phishing site has nothing to do with whether Steam "allows" 3rd party logins. Banks don't allow logging in on 3rd party sites, yet phishing exists there as well.

Besides, Steam utilises the one-click login, they don't actually allow logging in on 3rd party sites since the login is on Steam itself.
J4MESOX4D May 14, 2021 @ 5:47am 
Originally posted by legit:
If it wasn't possible to log in on other sites, a lot less people would give their login data away to phishing sites. To be fair, some phishing attempts are incredibly smart and you can't expect everyone to be an expert in cyber security.

I don't really see how it can be useful to login on other sites, especially when there's a high risk for phishing.

People just need to use their brain. Even if Valve made the draconian move to restrict everything to Steam only thus killing off expansive API functionality, over 100,000 users a week would still be dumb enough to have their credentials captured somehow. If you can't teach them not to give away their information to a third party site, you won't be able to convince them that the Steam platform suddenly offers the only legitimate login.

People were giving away their bank information long before dupe sites were in operation and scammers will always find a way to obtain credentials no matter what.
Last edited by J4MESOX4D; May 14, 2021 @ 5:48am
Nx Machina May 14, 2021 @ 6:15am 
Originally posted by legit:
If it wasn't possible to log in on other sites, a lot less people would give their login data away to phishing sites. To be fair, some phishing attempts are incredibly smart and you can't expect everyone to be an expert in cyber security.

I don't really see how it can be useful to login on other sites, especially when there's a high risk for phishing.

"Not affiliated nor associated with Steam" is a warning NOT to enter your details and phishing occurs because people do enter their details.

or for example your bank when logging in asks you to re-enter ALL your details, STOP and do a malware scan etc as there is a trojan lurking waiting for your input.
legit May 14, 2021 @ 6:25am
Well I agree with everything that's been mentioned so far. I'm definitely the last person who is asking for more security measures. I would rather get rid of all the trade lock and medieval mobile auth stuff.

So on the one side, Steam has insane security measures which force me to use their mobile auth for selling my almost worthless trading cards, on the other side, it supports logging in on external sites, which opens the doors for fraud.
Spawn of Totoro May 14, 2021 @ 6:42am 
Originally posted by legit:
Well I agree with everything that's been mentioned so far. I'm definitely the last person who is asking for more security measures. I would rather get rid of all the trade lock and medieval mobile auth stuff.

So on the one side, Steam has insane security measures which force me to use their mobile auth for selling my almost worthless trading cards, on the other side, it supports logging in on external sites, which opens the doors for fraud.

You don't log in to an external site. It redirects you to Steam, where you log in, then that directs you back to the site.

The problem is that hijackers fake the redirect to a legit looking site, so you give them the information they need.
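
The redirect flow described in the post above means a credential form is only trustworthy when it is served from Steam's own host. An added example (not part of the thread) that checks a login page URL against an exact host allow-list; the allow-list and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example, not from the thread. ASSUMPTION: this allow-list of hosts
// that may legitimately show a Steam credential form is illustrative.
const STEAM_LOGIN_HOSTS = new Set(["steamcommunity.com", "store.steampowered.com"]);

// Returns { ok, reason } for the URL of a page that is asking for Steam credentials.
function checkLoginUrl(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser: lowercases the host, converts IDN to punycode
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not HTTPS" };
  // With "user@host" syntax the real host is whatever follows the "@".
  if (url.username || url.password) return { ok: false, reason: "userinfo before host" };
  const host = url.hostname.replace(/\.$/, ""); // ignore a trailing root dot
  // Steam's hosts are plain ASCII, so any punycode label means a different domain.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "punycode (IDN) host" };
  }
  // Exact match only: a suffix or substring test would accept
  // steamcommunity.com.login-example.test
  if (!STEAM_LOGIN_HOSTS.has(host)) return { ok: false, reason: "host is not Steam" };
  return { ok: true, reason: "exact Steam host over HTTPS" };
}

// Constructed sample URLs (the .test hosts are placeholders, not real sites).
const SAMPLES = [
  "https://steamcommunity.com/openid/login",
  "https://STEAMCOMMUNITY.com/openid/login",
  "http://steamcommunity.com/openid/login",
  "https://steamcommunity.com.login-example.test/openid/login",
  "https://steamcommunity.com@login-example.test/openid/login",
  "https://steamcommunnity.com/openid/login",       // doubled "n"
  "https://steamcommun\u0456ty.com/openid/login",   // Cyrillic "i" in the host
  "openid/login",                                   // relative, no host at all
];

// The subset of URLs where credentials should not be entered.
function rejected(urls) {
  return urls.filter((u) => !checkLoginUrl(u).ok);
}

console.log(SAMPLES.map((u) => `${checkLoginUrl(u).ok ? "OK  " : "DENY"} ${u}`).join("\n"));
```

The same exact-host comparison is what a user performs by reading the address bar before typing a password.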
J4MESOX4D May 14, 2021 @ 8:35am 
Originally posted by legit:
Well I agree with everything that's been mentioned so far. I'm definitely the last person who is asking for more security measures. I would rather get rid of all the trade lock and medieval mobile auth stuff.

So on the one side, Steam has insane security measures which force me to use their mobile auth for selling my almost worthless trading cards, on the other side, it supports logging in on external sites, which opens the doors for fraud.

If you login to an external site using the Steam API, nothing will happen the same way if you pay with card online on any site which supports an integrated payment portal.

Steam's security measures are an absolute necessity and are fine as they are. I've had one restriction in 8 years. Cards under $1 shouldn't need to be confirmed either. If you are unhappy with any restrictions in place then blame the community behaviour for making them essential.

If Steam removed their API framework, the knock-on effect would be horrendous especially for innocent sites like SteamDB.
Brian9824 May 14, 2021 @ 8:38am 
The legit way to login to Steam doesn't involve having to enter your username, password, or authenticator code and is 100% safe. Many sites use this, integrate to Steam such as pathofexile.com which links your Steam account, chars, etc and provides valuable functionality.

The fake sites are not real logins. They take what you enter, forward it to Steam's site, and then steal it.

You're basically saying the equivalent of why are movies sold if people will make bootlegs. Shouldn't they just stop selling movies then?
WhiteKnight May 14, 2021 @ 10:06am 
Originally posted by м:
Originally posted by legit:
I don't really see how it can be useful to login on other sites, especially when there's a high risk for phishing.

the steam login on steamdb for example is helpful.
the steam login on alienwarearena is helpful when i'm too lazy to remember my password...

pretty sure there are some more examples, so it's not generally bad.

Yup. There are some sites that are helpful and many others that are not.

It's up to users to remain cautious when logging in to strange sites. Do a bit of research.
Last edited by WhiteKnight; May 14, 2021 @ 10:07am
legit May 14, 2021 @ 11:33am
The question is if it's worth it to make thousands of fake login scamming sites possible, just for a bunch of "convenient" legit login sites.

I'm not talking about the OpenID login process. What I'm trying to say is that if Steam didn't have the ability to log in on 3rd party sites, no one would even bother to use fake phishing sites, because once a website wants your login, then you would immediately know that site is fraud.

Steam has a trading and inventory system, which can make people's account worth a lot of money. Then they also have a policy to never restore any scammed items. And yet they lay the seed for scams by offering you to log in on 3rd party sites, which is an invitation for all phishing scam sites to easily gather people's log in data under false pretenses. Imo it is an avoidable security risk.

Date Posted: May 13, 2021 @ 12:18pm
Posts: 22