3LL Oct 13, 2022 @ 10:30am
2FA authentication made worthless?
I just logged into Steam and got my usual 2FA window to enter a code. I open the Steam Guard I've had on my phone for a very long time to get the code. It's NOT there! I was forced to log in, which I've never had to do before today. What do I find? I've just logged into Steam on my phone with NO 2FA code required!

What sense does this make? I loved the setup before where all I had to do was click the Steam button on my phone and find the code. No logins, no worries, no HASSLES.

Now I must use an app logged into my account on my phone and scan changes? I don't want to be logged into STEAM on my phone at all.

Who thought this was a good idea?
Showing 1-13 of 13 comments
ShelLuser Oct 13, 2022 @ 1:45pm 
Nothing really changed. You say that you used Steam Guard? That too was a Steam app where you had to be logged onto Steam on your phone.
Zefar Oct 13, 2022 @ 2:08pm 
Originally posted by Eiswolfin:
This is now an increased security risk compared to what we had before. If our phones get stolen, the thieves could have complete access to our Steam accounts, unlike the previous version of the app, where all they would have is the 2FA code and nothing else.

The old App just had you press it to generate a code.

Anyone getting your phone could get access to this app and press it and it would generate a code for him. You could even put it on the start screen.

How is this safer for you?

Are you gonna try to use that the mobile phone itself is the protection? Because if so, why can't the new app use that reason as well?
Zefar Oct 13, 2022 @ 2:46pm 
Originally posted by Eiswolfin:

What? Having the 2FA code only is useless without having the user name and password. So with the old app, they could have the code only, but still have absolutely no access to the Steam account whatsoever, whereas with this new app they have full access to the account.

With this new app, the only way for the thief to not have full access to the Steam account is if the user logs out of the Steam app after every use, but then the user is left with having to log into the app every single time they want to log into Steam on their desktop, which is a degraded login experience compared to using the old version of the mobile app.

The app itself doesn't give you full access to the Steam account.
With Autologin on they wouldn't know the password. So even if they decide to change SteamGuard or turn it off, they would not be able to log in to your account on a PC.
Originally posted by Eiswolfin:
On the Steam app, they have access to all kinds of things, they can even change the phone number and email on the account, all without needing a password.
That was already the case with the old one.
But now it makes it obvious for everyone that the app is one factor login.
Last edited by Muppet among Puppets; Oct 13, 2022 @ 4:02pm
Chika Ogiue Oct 13, 2022 @ 9:14pm 
You can log into accounts with the new app without being signed in on the app. I have three Steam accounts I use, only one is signed in on the app. The other two don't need to be signed in, you can still display the authenticator codes for them.

The bigger problem, however, is that you cannot SIGN OUT of an account once you've signed in. You'll get a warning that you need to remove Steam guard authenticator first. Now THAT needs fixing.
Wolfpig Oct 13, 2022 @ 9:40pm 
Originally posted by Eiswolfin:

With this new app, the only way for the thief to not have full access to the Steam account is if the user logs out of the Steam app after every use, but then the user is left with having to log into the app every single time they want to log into Steam on their desktop, which is a degraded login experience compared to using the old version of the mobile app.


Just asking, why do you think that anyone who steals a phone would be interested in its content?

Most who do that do it for the money, so if they do something it is probably a hard reset of the phone to clear everything and sell it to the first fool they run into.

And even then, if you protect your lock screen with a PIN/fingerprint/face unlock you would not have to worry at all, as the average thief has no idea how to bypass that.

The rest of them would be a bigger problem, as they usually go after specific persons and are interested in other stuff than your Steam...
Downpour Oct 14, 2022 @ 10:51am 
Completely agree. Even as a rule of thumb, having to be constantly signed into any account is just not good. Being signed in constantly to any app or account is a security risk.
Last edited by Downpour; Oct 14, 2022 @ 10:52am
malditobastardo Oct 16, 2022 @ 3:13am 
I am also very concerned about this, especially when I am traveling a lot, and if my phone gets lost they have access to all of my Steam account now! Why is the authenticator linked directly to being logged in to the Steam app now? This is truly dangerous and I am not happy at all.
J4MESOX4D Oct 16, 2022 @ 3:46am 
Originally posted by malditobastardo:
I am also very concerned about this, especially when I am traveling a lot, and if my phone gets lost they have access to all of my Steam account now! Why is the authenticator linked directly to being logged in to the Steam app now? This is truly dangerous and I am not happy at all.
That's why I won't have an email box attached to my phone, because if it gets swiped, they can literally access everything. You can't even log out of Outlook on an iPhone without removing the entire account.

The new Steam app seems to have more account functionality but then negates the very thing it was designed to do - provide an independent login element. It's now one-factor without authentication.
malditobastardo Oct 16, 2022 @ 4:01am 
Originally posted by J4MESOX4D:
Originally posted by malditobastardo:
I am also very concerned about this, especially when I am traveling a lot, and if my phone gets lost they have access to all of my Steam account now! Why is the authenticator linked directly to being logged in to the Steam app now? This is truly dangerous and I am not happy at all.
That's why I won't have an email box attached to my phone, because if it gets swiped, they can literally access everything. You can't even log out of Outlook on an iPhone without removing the entire account.

The new Steam app seems to have more account functionality but then negates the very thing it was designed to do - provide an independent login element. It's now one-factor without authentication.

Exactly, it's insane. In fact, the 2FA should've been available to use with a third-party authenticator such as FreeOTP or even Google Authenticator. Having another separate app such as Steam for this was also bad already, but now it's even worse.
str4hlemann Oct 16, 2022 @ 4:05am 
This new 'cannot log out while steamguard is running' is just ludicrous.

Now, I feel safer not using steamguard at all, which is not how it should be...
Last edited by str4hlemann; Oct 16, 2022 @ 4:07am
[N]ebsun Oct 16, 2022 @ 4:20am 
I just use email, and seems nothing has changed there.
str4hlemann Oct 16, 2022 @ 4:25am 
That is what I will do from now on. Entering codes from the app was slightly less tedious and probably safer since it has a second device involved, but I sure as hell will not be logged in with my phone 24/7.

Date Posted: Oct 13, 2022 @ 10:30am
Posts: 13