Steam SMS 2FA provider Twilio hacked
Because for some reason nobody gets the memo until it's too late, can at least now after the fact Valve stop forcing us to use horribly insecure and inconvenient ♥♥♥♥ like SMS 2FA instead of just supporting way more secure and convenient modern solutions like an open implementation of TOTP (not the crap they lock behind the SMS and their proprietary phone app), passkeys and hardware security keys? I've been saying this for years and no one cared, have fun with the hackers/scammers now then.
Twilio seems to get hacked like every few months but for some reason they're still widely used.

https://www.bleepingcomputer.com/news/security/twilio-denies-breach-following-leak-of-alleged-steam-2fa-codes/
If phones were so secure at rest, auto reboots wouldn't have become a thing. Device-based 2FA isn't a country mile better if that device has network or wireless connectivity, which is by the majority
Carlos100 14 May at 4:25
did you actually read the stuff on the link?
Make sure you triple check stuff before posting
tyl0413 14 May at 4:28
That's why you get a security key like a Yubikey/Nitrokey if you want maximum security, I think you can't even upgrade the firmware on the Yubikey because they don't want that to become a possible source of infection.
But SMS based 2FA is the worst, SMS has 0 encryption whatsoever, providers like Twilio get hacked constantly, SIM swaps are common, phone numbers are valuable for phishing, scammers and other undesirables literally have access to many phone providers backed, it's just plain inconvenient when I can have TOTP on PC, etc it never even should've been a thing it's so terrible and it's time that Steam stops forcing it, that's the main problem, if for whatever insane reason someone chooses to use it, their problem okay, but don't force me to use it because you don't care to support better options.
Steam doesn't force it. They would PREFER you use the app like a normal person. You can also use email 2fa. The fact that such a small portion of the userbase is affected shows how few people were using the sms option in the first place
Aluvard 14 May at 4:32
Not to mention that Twilio isn't Steam's 2FA provider.

https://x.com/MellowOnline1/status/1922458687316074640
Originally posted by Carlos100:
did you actually read the stuff on the link?
Make sure you triple check stuff before posting

I did read it. It seems to suggest that this breach was not on users' side but more on the Valve side. This is one explanation for all the posts talking about how their guard was defeated when they don't trade etc. But my point was, device-based 2FA isn't a silver bullet because that ♥♥♥♥ can and does just get lifted off the phones where it is.
Originally posted by Realigo Actual:
Originally posted by Carlos100:
did you actually read the stuff on the link?
Make sure you triple check stuff before posting

I did read it. It seems to suggest that this breach was not on users' side but more on the Valve side. This is one explanation for all the posts talking about how their guard was defeated when they don't trade etc. But my point was, device-based 2FA isn't a silver bullet because that ♥♥♥♥ can and does just get lifted off the phones where it is.
So you didn't read it then, since it clearly states that it most likely WASN'T on Valve's side
tyl0413 14 May at 4:34
Originally posted by Malfunctioning Robot:
Steam doesn't force it. They would PREFER you use the app like a normal person. You can also use email 2fa. The fact that such a small portion of the userbase is affected shows how few people were using the sms option in the first place
Yes it does, functionality like trading and the market is restricted if you're not using their crap mobile app, and to use that you must use SMS too because they do not let you set up their crap proprietary authenticator without having SMS on first. Yeah 89 million is a very insignificant number.
Originally posted by tyl0413:
Originally posted by Malfunctioning Robot:
Steam doesn't force it. They would PREFER you use the app like a normal person. You can also use email 2fa. The fact that such a small portion of the userbase is affected shows how few people were using the sms option in the first place
Yes it does, functionality like trading and the market is restricted if you're not using their crap mobile app, and to use that you must use SMS too because they do not let you set up their crap proprietary authenticator without having SMS on first. Yeah 89 million is a very insignificant number.
Out of nearly 2 billion accounts? Yes, that is a VERY small subset of the userbase. Less than 5%

But way to expose yourself there.
Originally posted by Malfunctioning Robot:
Originally posted by Realigo Actual:

I did read it. It seems to suggest that this breach was not on users' side but more on the Valve side. This is one explanation for all the posts talking about how their guard was defeated when they don't trade etc. But my point was, device-based 2FA isn't a silver bullet because that ♥♥♥♥ can and does just get lifted off the phones where it is.
So you didn't read it then, since it clearly states that it most likely WASN'T on Valve's side

If Valve was using Twilio to send the codes out, and Twilio has a breach, then you think that's more on the user side?
falcaux 14 May at 4:37
I left Twilio a while ago. It's not the first time they've been at the center of data leaks
https://9to5mac.com/2024/07/04/authy-hack/
But in any case I don't need an OTP to access Steam. I have installed Steam on iPhone and I have to approve requests from smartphone
Last edited by falcaux; 14 May at 4:39
Originally posted by Realigo Actual:
Originally posted by Malfunctioning Robot:
So you didn't read it then, since it clearly states that it most likely WASN'T on Valve's side

If Valve was using Twilio to send the codes out, and Twilio has a breach, then you think that's more on the user side?
Or the Twilio side.
Aluvard 14 May at 4:39
Originally posted by Realigo Actual:
Originally posted by Malfunctioning Robot:
So you didn't read it then, since it clearly states that it most likely WASN'T on Valve's side

If Valve was using Twilio to send the codes out, and Twilio has a breach, then you think that's more on the user side?


Originally posted by Aluvard:
Not to mention that Twilio isn't Steam's 2FA provider.

https://x.com/MellowOnline1/status/1922458687316074640
Originally posted by Realigo Actual:
Originally posted by Malfunctioning Robot:
So you didn't read it then, since it clearly states that it most likely WASN'T on Valve's side

If Valve was using Twilio to send the codes out, and Twilio has a breach, then you think that's more on the user side?
You are pretending this is a zero sum game. It's not "either Valve or the user" and pretending otherwise is dishonest. If your ISP leaks your steam credentials because their data gets intercepted, that's not on "your" end, but it's not on Valve's end either. Put the blame where it belongs.
Originally posted by Aluvard:
Originally posted by Realigo Actual:

If Valve was using Twilio to send the codes out, and Twilio has a breach, then you think that's more on the user side?


Originally posted by Aluvard:
Not to mention that Twilio isn't Steam's 2FA provider.

https://x.com/MellowOnline1/status/1922458687316074640

Ah, so not on Valve's side then. I did think it was a bit plebeian for Valve, but Twilio is a well-known name in VOIP and business phone systems.

So that's interesting. Twilio is more backend-focused. Makes me wonder if trader bots were the accounts involved.