Bump.

I'd suggest everyone send a message to steam support. Inform them that you're refusing to use their marketplace and transitioning to Epic. Maybe once they start taking a notable financial hit, they might change and do things in a way that benefits their customers instead of strong-arming people into their ecosystem.
tbh, part of me hopes that it works. As much as I've hated Epic (even refusing their free offerings), I'm going to look to see if they support 3rd party MFA and if they do, I'm going to make that my main platform.

I don't expect anyone--let alone valve--to care, but today, I finally have lost my patience. I'm not particularly willing to compromise the security of my account by using the existing 3rd party tools (use at your own risk)[www.gamingonlinux.com], but I am willing to change platforms for this feature.

^-^V peace, y'all

Maybe I'm oversimplifying things a bit, but just to compare to Google's Play Store as an example; I can browse the store all day and get free apps without any additional authentication, but I have opted to require a fingerprint when making purchases. This should be fundamentally the same with Steam. Require 2fa when logging in, making any purchases, or making any trades. Make each of those optional for the user to decide if they want 2fa to be required, or if Steam won't allow trades without 2fa then just don't let you turn it off for that, but make the others optional. Also if 2fa is enabled, require 2fa when making changes to account security settings (ex: need a 2fa to disable 2fa). I feel like this is how most services make use of 2fa, and they all seem to have no issues using TOTP.

BTW for me personally I use Authy, mostly because the 2fa syncs across devices and in case of a lost/stolen device I have options to recover everything in Authy by signing into another device, rather than going to every service I have a TOTP for and using backup codes to reset my account security everywhere. I believe when I did my most recent phone transfer the Steam app was transferred automatically and signed in on the new phone automatically. I may be misremembering that, but if I'm not then my only worry is a lost or stolen phone where I am unable to transfer everything from phone to phone without both devices in hand.

P.S. I have used steam trading (very lightly) and it doesn't bother me that steam wants strong security around it, but I think there's more than one way to accomplish strong security and Steam seems to have cemented into this being the only option. I do hope that alternatives (ex: TOTP) can be considered.

Ursprungligen skrivet av y.taru:

Bump.

I'd suggest everyone send a message to steam support. Inform them that you're refusing to use their marketplace and transitioning to Epic. Maybe once they start taking a notable financial hit, they might change and do things in a way that benefits their customers instead of strong-arming people into their ecosystem.
tbh, part of me hopes that it works. As much as I've hated Epic (even refusing their free offerings), I'm going to look to see if they support 3rd party MFA and if they do, I'm going to make that my main platform.

I don't expect anyone--let alone valve--to care, but today, I finally have lost my patience. I'm not particularly willing to compromise the security of my account by using the existing 3rd party tools (use at your own risk)[www.gamingonlinux.com], but I am willing to change platforms for this feature.

^-^V peace, y'all

So wait you want to use a threat of leaving to another marketplace but you don't even know if the other marketplace supports the feature you are looking to move for?

Very disappointing

Ursprungligen skrivet av NyNe:

Maybe I'm oversimplifying things a bit, but just to compare to Google's Play Store as an example; I can browse the store all day and get free apps without any additional authentication, but I have opted to require a fingerprint when making purchases. This should be fundamentally the same with Steam. Require 2fa when logging in, making any purchases, or making any trades. Make each of those optional for the user to decide if they want 2fa to be required, or if Steam won't allow trades without 2fa then just don't let you turn it off for that, but make the others optional. Also if 2fa is enabled, require 2fa when making changes to account security settings (ex: need a 2fa to disable 2fa). I feel like this is how most services make use of 2fa, and they all seem to have no issues using TOTP.

BTW for me personally I use Authy, mostly because the 2fa syncs across devices and in case of a lost/stolen device I have options to recover everything in Authy by signing into another device, rather than going to every service I have a TOTP for and using backup codes to reset my account security everywhere. I believe when I did my most recent phone transfer the Steam app was transferred automatically and signed in on the new phone automatically. I may be misremembering that, but if I'm not then my only worry is a lost or stolen phone where I am unable to transfer everything from phone to phone without both devices in hand.

P.S. I have used steam trading (very lightly) and it doesn't bother me that steam wants strong security around it, but I think there's more than one way to accomplish strong security and Steam seems to have cemented into this being the only option. I do hope that alternatives (ex: TOTP) can be considered.

Agreed. I don't even know what the "trading" part is. I just want to log into Steam, buy games, and play games. Anything beyond that is immaterial.

I'm in the process of switching as many apps to use the standard token generator that doesn't tie me to particular application - authy, google authenticator, 1password, etc all do OTP generation.

Not only is it standard, I can just copy/paste it from the app into the Steam App or website, and I'm done. No hunting through email or having to launch yet another application to get the code.

I hope we can send enough feedback to Steam to convince them to move the OTP generation out of email or a proprietary application into a standards-based model.

Voting with your wallet is the best bet, but it's hard, even for me, to boycott Steam by not buying games in order to get the message across.

Ursprungligen skrivet av The Major Gear:

Ursprungligen skrivet av NyNe:

Maybe I'm oversimplifying things a bit, but just to compare to Google's Play Store as an example; I can browse the store all day and get free apps without any additional authentication, but I have opted to require a fingerprint when making purchases. This should be fundamentally the same with Steam. Require 2fa when logging in, making any purchases, or making any trades. Make each of those optional for the user to decide if they want 2fa to be required, or if Steam won't allow trades without 2fa then just don't let you turn it off for that, but make the others optional. Also if 2fa is enabled, require 2fa when making changes to account security settings (ex: need a 2fa to disable 2fa). I feel like this is how most services make use of 2fa, and they all seem to have no issues using TOTP.

BTW for me personally I use Authy, mostly because the 2fa syncs across devices and in case of a lost/stolen device I have options to recover everything in Authy by signing into another device, rather than going to every service I have a TOTP for and using backup codes to reset my account security everywhere. I believe when I did my most recent phone transfer the Steam app was transferred automatically and signed in on the new phone automatically. I may be misremembering that, but if I'm not then my only worry is a lost or stolen phone where I am unable to transfer everything from phone to phone without both devices in hand.

P.S. I have used steam trading (very lightly) and it doesn't bother me that steam wants strong security around it, but I think there's more than one way to accomplish strong security and Steam seems to have cemented into this being the only option. I do hope that alternatives (ex: TOTP) can be considered.

Agreed. I don't even know what the "trading" part is. I just want to log into Steam, buy games, and play games. Anything beyond that is immaterial.

I'm in the process of switching as many apps to use the standard token generator that doesn't tie me to particular application - authy, google authenticator, 1password, etc all do OTP generation.

Not only is it standard, I can just copy/paste it from the app into the Steam App or website, and I'm done. No hunting through email or having to launch yet another application to get the code.

I hope we can send enough feedback to Steam to convince them to move the OTP generation out of email or a proprietary application into a standards-based model.

Voting with your wallet is the best bet, but it's hard, even for me, to boycott Steam by not buying games in order to get the message across.

"Trading" is when you trade skins and other Steam inventory items with other Steam users. By the way, Steam Guard is now supporting a new authentication method where the login screen displays a QR code which the mobile client uses to log in, bypassing your browser.

I can't believe what I just read. We're customers, asking for a feature. It seems Steam can't be bothered to follow standards and allow their users a choice. To write this, I had to reach for my phone, find the Steam app, open it, click through it, stumble though it because its UI is busy with other things I don't care about, and finally log in. With standard OTP and a password manager, I'd have that secret securely contained within in my Yubikey, for which I have a desktop app I can click through and get my OTP code MUCH more easily than I can by reaching for my phone, all while NOT keeping the OTP secret anywhere on the device that's logging in. That's all I want! The convenience and security OTP provides, without Steam thinking they know better with their app. I, like the others, do not care about trading. I just want to be able to login conveniently and play games. The steam mobile app simply does not provide that!

All the suggestions that people read other people's posts are spot on. All the detractors can't seem to comprehend that other people understand how this works and just want options based on that knowledge. And yes, most of us are Linux users. Just because you're locked into your bubble doesn't mean we have to be.

I'm calling you out, Steam. Please make this a thing. Your customers are asking for it. You already have a hit with the Steamdeck. You owe us Linux users for that. Throw us a bone.

Steam guard is enough, you don't need other.

Being the customer does not entitle you to the right to demand how a business protects its customers accounts.
Being a customer does not give you the right to demand how a business runs itself.

Ursprungligen skrivet av HikariLight:

Being the customer does not entitle you to the right to demand how a business protects its customers accounts.
Being a customer does not give you the right to demand how a business runs itself.

What is this board called and what do you think its purpose is?

What do you think is the way most people respond when a suggestion that is very important to them is disregarded?

Please remember to address users suggestions in a constructive manner.

Ursprungligen skrivet av William Shakesman:

Ursprungligen skrivet av HikariLight:

Being the customer does not entitle you to the right to demand how a business protects its customers accounts.
Being a customer does not give you the right to demand how a business runs itself.

What is this board called and what do you think its purpose is?

What do you think is the way most people respond when a suggestion that is very important to them is disregarded?

Please remember to address users suggestions in a constructive manner.

It a DISCUSSION board.
Which means we are free to point out WHY something is a bad idea or a waste of time.

Ursprungligen skrivet av HikariLight:

Ursprungligen skrivet av William Shakesman:

What is this board called and what do you think its purpose is?

What do you think is the way most people respond when a suggestion that is very important to them is disregarded?

Please remember to address users suggestions in a constructive manner.

It a DISCUSSION board.
Which means we are free to point out WHY something is a bad idea or a waste of time.

Yes but you should play the ball, not the man. There is no excuse for attacking the suggester.

Plus if you actually want to convince someone that the idea is incorrect you will typically need to demonstrate you understand the users perceived and/or actual functional need and explain from that point of view why the proposed change won't actually provide a better experience. That takes more effort than simply assuming bad faith and attacking someone but even the Valve employees in charge of reading these change requests will find it more convincing if you put in the effort.

Bumping this thread. Would really like to use own authenticator instead of the Steam's mobile app. Earlier it was possible to extract the secret key, but it is no longer possible. Requesting possibility to do so. I, and many others, have no use for other steam mobile app functionalities.

Ursprungligen skrivet av Radicus:

Bumping this thread. Would really like to use own authenticator instead of the Steam's mobile app. Earlier it was possible to extract the secret key, but it is no longer possible. Requesting possibility to do so. I, and many others, have no use for other steam mobile app functionalities.

Bumping isn't really allowed anymore due to automated enforcement here.

With that said, is the key extraction vulnerability not still present in the fallback numeric Steam Guard code option?

Today, FIDO2 and Passkeys are more secure methods of authentication.

Ursprungligen skrivet av Radicus:

Bumping this thread. Would really like to use own authenticator instead of the Steam's mobile app. Earlier it was possible to extract the secret key, but it is no longer possible. Requesting possibility to do so. I, and many others, have no use for other steam mobile app functionalities.

By allowing an outside program to manage account security that opens up more vectors for attacks on user accounts.
Also if there is an account issue that results in you getting locked out, Steam support cannot help you if your not using THEIR security.