Your suggestion will change nothing. Idiots will still be getting phished.
Valve cannot protect the user from themselves. That's not what Multi-Factor Authentication is for.
At least try to think your idea through. Think about how an attacker would deal with such a change. In your case, it requires little change on both sides and nothing will change for the victims.
The email telling you it's been removed is all you need to LOCK your account if it wasn't you that disabled it.
Also, steamguard codes themselves should only be asked for once every 30 days on new machines, with an option to lock out certain regions outside the country the user resides in. Steamguard is basically asking for a code every single time; if it only asked every 30 days, they would be less likely to give it up on a phishing site, cos they know they recently typed it in. Maybe even get rid of the code and just have an approval system that auto-blocks anything outside the country the user resides in, as an option that the user can give up, while access can be restored if necessary by contacting support and giving up ID etc.
Anyway, I think steamguard is not safe in its current state unless you are a user with experience and common sense.
I think the biggest issue is that it always asks for a code on a machine, with no way to remember the current machine. 2FA is far too useful, but if everyone knows the code has to be typed in every time, then that makes phishing oh so much easier, even more so if it can be disabled without some kind of code. And now, I would not do this by 2FA code but by an unlock code that states it's only for removing steamguard, cos that way everyone knows the intention of someone asking for that code, cos it should only be typed into Steam when you want to remove steamguard.
I'm slightly annoyed too by steamguard in its current state, but security > annoyance; however, annoyance can be patched out by giving options.
The burglar is already inside your home. Asking for a code to let him open the door from inside is not going to hamper him much.
And people would still give the code away.
It already happens.
To move your authenticator between phones you're required to give an SMS code, sent to your phone. A code that's never requested for normal login at all.
Well, people are already giving that info away.
Most hijacks happen within your own machine. And 'new machine' is a really fuzzy term. A private browsing log from your browser is a 'new machine' for example.
You're triggering something on your machine to do that. I haven't been asked for a steamguard code on either my client or my browsers in a long time.
If you're being asked for your login credentials, you either have something in your machine messing with the sessions or something in your location tags your place as not secure, triggering a forced login.
So another code to remember/store somewhere that will still be entered into phishing sites as they'd take a minute to add a request for that code the same as they do for everything else.
Username
Password
Authenticator/Steam Guard code
Newcode 1
Newcode 2
Newcode 3
Newcode 4
Newcode 5
Newcode ...................................
The users will know not to enter it but they will still fall for the obvious and not so obvious phishing sites that ask for security details.
Another hoop to jump through will just P off those of us that think and check things. Education is what is needed. The meaning of the following examples applies to everything in the real world. Including everything on the internet.
Don't trust strangers,
Stranger danger
Don't believe everything you read
Don't judge a book by its cover
Why, yes.
That's why it's only natural that after 2FA comes 3FA, then 4FA, and eventually, 223435FA....
Why stop at 2FA? Because someone, arbitrarily, said "That's enough"?
I do not want to have to remember another code. Or store one. And I definitely don't want another app to create a code just to remove something in my account, and I'm sure I'm not the only one that feels this way.
The weakest link in any security is us mere mortals. No amount of security methods implemented will fix stupid humans; all they do is make life more frustrating with each security protocol we have to deal with.
Instead of constant patches to prevent our data from exposure the human needs to be educated to stop opening the cracks.
Yes, because the account owner allowed someone to access their account. OP mentioned scamming. If the person is gullible enough to get scammed, they will most likely provide the auth code needed to disable 2FA. Hell, right now there are those who already provide scammers with their Steam auth code.
Which brings me back to my usual thing.
If "people be stupid" is an argument against a new layer of security, why is it at the same time an argument in favor of current layers of security? After all, if it's just down to people being gullible, why add 2FA? Hell, why have account passwords at all? Surely someone dumb enough to share their username with a third party will also share the password...and their 2FA code...and their 3FA code....and their 52FA code...so it's useless....
True, that people already provide their 2fa code to scammers - they can probably make very convincing replicas of steam pages and it is probably not difficult even for a cautious person to be fooled. Also true that a scammer could simply ask for an additional code and the person may think they entered it incorrectly.
I think people being gullible or careless is one thing, but the main point is that enabling 2FA immediately logs you out and requires you to re-authenticate using login and a 2FA code, but disabling it requires nothing else other than clicking a button. I have my auth codes sent to email, so maybe this process is different when using the mobile app.
I think it is odd to be logged out when enabling it, but have no such action when disabling it.
How often will you be changing the 2FA settings though? I don't think it is something that people would even notice if they aren't going in to change it frequently. If you have 2FA enabled, you are asked for a code on any new device anyway; the only difference now would be that you need to authenticate to disable authentication. (Again, I use email and it might be different when using the app.) I can see it creating issues if people lose their phone or lose access to their email and can no longer authenticate; in that case it could cause a huge hassle.
That is because by enabling 2FA, you are saying "I want my account secure now". That will log out the account to make sure you have to use 2FA to get back in. No need to do that when disabling, since you're opening up the account anyway.
You need a Steamguard code to disable Steamguard from inside your own account. If you don't have access to the codes you're locked out of disabling Steamguard.
You're screwing the people who need to disable it and don't have access to their 2FA (email/phone).
This feature would only enable again the mess that happened when Steamguard was enabled and lots of people found themselves in a catch-22 where they needed the code to get into their accounts but had no means to access their emails to retrieve it... But the other way around.
And you can't access someone's account without 2FA. That right there is all the protection a person needs. If users can't protect their username, password and the Steam Guard code (2FA), adding another form of 2FA for yet another code is a waste of time. Those that get compromised already will hand that new code to phishing sites like they already do.
No matter how many levels of 2FA or other security measures a company implements, the gullible, stupid and greedy users will still hand out their security details when asked to by these sites. There is no reason to add more security options/procedures when the current methods are good enough. More will just complicate things and P off those of us that think before we act and have been forced to use yet another security protocol because of others.
Seriously, add another 10000000000 levels of 2FA or any other method and those same gullible, stupid and greedy will have their accounts compromised because they'd give away that data to phishing sites. And that would be after they complain about all the security features that they are forced to use, and then they'd be on here complaining they lost items and want Valve to give them back and/or remove a ban because the hijacker cheated. Maybe even posting a warning about a new scam site/method that is new and is clearly warned about in the pinned threads. Pinned threads they never bothered to read, didn't believe or whatever.
But the method suggested is flawed in that disabling authentication could be done at the same time as the hijacker's BOT receives login details including the authentication code from their site. It could log in automatically and immediately disable it using the same authenticator code used to log in before the code could change.
So that extra step that would require time to code and implement could be bypassed using the same phishing techniques already used. Phishers could also script their BOT to change other details like a person's email and phone number at the same time.
That would mean another code for everyone to input when changing important things (Steam Guard/Authenticator, email address and phone number) that doesn't really add any more protection from phishing sites. Unless of course it's a different code from the authenticator app or even another app. But as mentioned before, sites can easily ask for the different code, and the same users that hand over the details using current practices will hand over the new codes.