Arno Nov 26, 2018 @ 11:12pm
Does Steam Authenticator disable 2FA emails?
I'd like to set up the Steam app to do 2FA so I can trade items without a hold, but I'm concerned that some day I'll want to do something that requires 2FA (trade, log in from a new computer, etc.) when I don't have the device with me.

If I set up the Steam app and start getting 2FA notifications on my Android device, will it still be possible for me to validate a new computer and confirm trades without a hold, using email as a fallback?
The author of this thread has indicated that this post answers the original topic.
Cathulhu Nov 26, 2018 @ 11:21pm 
No, it's one or the other. Would be rather pointless if that were possible, considering that a compromised computer is normally the same device that is used to receive emails, making the SMA rather pointless in that case.
Arno Nov 26, 2018 @ 11:27pm 
Well, TBH the Steam app is already pointless from a pure 2FA perspective since the same piece of software contains your username/password as well as managing the confirmation. I'm just trying to work within the system they gave me. :)

I suspected that would be the case; thanks for the clarification.
Phantom Nov 27, 2018 @ 3:04am 
Originally posted by Arno:
Well, TBH the Steam app is already pointless from a pure 2FA perspective since the same piece of software contains your username/password as well as managing the confirmation. I'm just trying to work within the system they gave me. :)

I suspected that would be the case; thanks for the clarification.

Obviously you have no understanding of how a PC can be infected and becomes leeway for a hijacker.

It's done through a remote access Trojan.

Victim downloads and executes the RAT -> Hijacker has access to victim's PC -> The hijacker puts up the item as a listing.

  • Option (A) The hijacker can access victim's e-mail, confirm the listing. The listing is held for 15 days, because the confirmation is done on a platform the thief can more easily access on the compromised device. Some people are so crazy; they leave their credentials or sessions up.

    The 15 days is leeway for the victim to notice what has happened and undo the damages.

  • Option (B) The thief can't access victim's mobile 2FA as it's on a wholly separate piece of hardware, thus they can't confirm the listing. Therefore listings are immediate as the risk of compromise is close to null.

I'll just link the previous explanation...

https://steamcommunity.com/discussions/forum/8/1752358461541342182/#c1752358461541853017


This is all far from useless.

:isimoon:
Last edited by Phantom; Nov 27, 2018 @ 3:05am
Tito Shivan Nov 27, 2018 @ 3:05am 
Originally posted by Arno:
Well, TBH the Steam app is already pointless from a pure 2FA perspective since the same piece of software contains your username/password as well as managing the confirmation. I'm just trying to work within the system they gave me. :)
The Steam auth codes work without having to be logged in the app.
Arno Nov 28, 2018 @ 8:30am 
Originally posted by Tito Shivan:
The Steam auth codes work without having to be logged in the app.

OK, but how do you get the code if you don't have the app? Does the system still send the code to your email address...or are you saying you can get 2FA auth codes in the app without entering your Steam account's username and password?

Obviously these are basic questions from someone who's never used the app, but I couldn't find any documentation online that answered my questions; feel free to point me to some if this turns into a LMGTFY moment. :)
Phantom Nov 28, 2018 @ 9:02am 
Mobile auth codes are generated locally by your device.

The time / date on your device must be accurate for correct codes to be generated.

This process does not require an internet connection.

:isimoon:
Tito Shivan Nov 28, 2018 @ 11:21am 
Originally posted by Robin3sk:
Mobile auth codes are generated locally by your device.
Just like every 2FA keyfob distributed, the app simply displays the codes on your screen, which are valid for a limited time (represented by the status bar below).
https://imgur.com/gallery/7gYT9rE

You check the code on your device whenever you're asked for one to log in to Steam.
Last edited by Tito Shivan; Nov 28, 2018 @ 11:22am
Phantom Nov 28, 2018 @ 12:29pm 
That screenshot... :taloslol:

Just so it's clear about the auth codes, they expire within 30 seconds - and it's indicated with the blue bar.

(So an attacker / hijacker can't really try fancy attacks).

:isimoon:
Arno Dec 10, 2018 @ 10:44am 
Originally posted by Robin3sk:
Mobile auth codes are generated locally by your device.

The time / date on your device must be accurate for correct codes to be generated.

This process does not require an internet connection.

Ohhh yeah, now that you say that I remember what I found out the last time I researched this (a long time ago). It's essentially TOTP but they made some (very) minor modifications to the implementation; just enough to prevent people from just using any TOTP client (FreeOTP, Authy, Google Authenticator, etc.) with Steam.

Patches for other TOTP clients exist to allow generating Steam-compatible pseudo-TOTP responses, but I remember being worried at the time about using one, getting dependent on it, and then having Valve break my MFA one day with a random update (whether intentional or not) so I decided it wasn't worth the hassle and shelved the whole idea.
Last edited by Arno; Dec 10, 2018 @ 10:44am
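Added example, not part of any post in this thread and not Steam's own code: standard RFC 6238 TOTP in Python, showing why codes can be generated offline, why the device clock must be accurate, and why a code stops working after its 30-second step. The thread describes Steam's scheme as a slightly modified TOTP; that variant is not reproduced here. The names `totp`, `verify` and `window` are assumptions for illustration, and the secret is the published RFC test secret.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, matching the 30-second expiry mentioned in the thread

# Constructed sample: the shared secret from the RFC 4226 / RFC 6238 test vectors.
# A real authenticator stores a per-account secret provisioned at enrolment.
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP) -> str:
    """Derive the code for the time step containing unix_time (no network needed)."""
    counter = unix_time // step                      # both sides only need a clock
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, server_time: int, window: int = 1,
           step: int = STEP):
    """Server side: accept codes from the current step +/- `window` steps.

    Returns the drift in steps at which the code matched, or None if rejected.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret, server_time + drift * step, len(code), step)
        if hmac.compare_digest(candidate, code):     # constant-time comparison
            return drift
    return None


if __name__ == "__main__":
    # Same 30-second step -> same code; next step -> a different code.
    print(totp(SECRET, 30), totp(SECRET, 59), totp(SECRET, 60))
    # Device clock 2 s behind, across a step boundary: accepted with drift -1.
    code = totp(SECRET, 1111111109, digits=8)
    print(verify(SECRET, code, 1111111111))
    # Device clock 90 s behind the server: code falls outside the window.
    print(verify(SECRET, totp(SECRET, 10), 100))
```

A wider `window` tolerates more clock drift on the device at the cost of keeping each code valid for longer.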

Date Posted: Nov 26, 2018 @ 11:12pm
Posts: 9