This topic has been locked
Zex 21 May 2018 at 9:24
Add FIDO2 / U2F Support to Steam
Are there any plans on updating Steam Guard to support more standards such as FIDO2, U2F, OTP, or maybe just updating the way it functions on the Mobile app period? The app is pretty clunky when it comes to approving things such as Trade Offers, and the Login notification likes to bug out on Android.

While supporting Hardware Keys that use FIDO2, U2F, OTP to allow confirming said actions without having to use another device would be very nice for people who have them, also updating the app to support things like approving the transaction / Login via notifications (like how Battle.net's Authenticator does it) would alleviate at least some of the issues.
Spawn of Totoro 21 May 2018 at 9:28
You can't confirm trades on another authenticator, so the use of a 3rd party one is not likely to happen. The Steam authenticator already uses one of those standards as well.

I never had an issue with the log-in notifications or trade offers.

I don't really view the approval process as clunky either, but that is just my personal opinion.
Zex 21 May 2018 at 9:33
Originally posted by Spawn of Totoro:
You can't confirm trades on another authenticator, so the use of a 3rd party one is not likely to happen. The Steam authenticator already uses one of those standards as well.

I never had an issue with the log-in notifications or trade offers.

I don't really view the approval process as clunky either, but that is just my personal opinion.

Me & multiple people I know have had a ton of issues with the mobile app refusing to load trade offers & just not plain loading sometimes.

And it's not about how clunky it is, but more about just how dated it is now, most authenticators now allow accepting the request straight from the notification.

An example of this would be the "- Faster 2FA" snip from this case study [www.behance.net]
Satoru 21 May 2018 at 11:03
Originally posted by Zexion:
Me & multiple people I know have had a ton of issues with the mobile app refusing to load trade offers & just not plain loading sometimes.

That isn't relevant

And it's not about how clunky it is, but more about just how dated it is now, most authenticators now allow accepting the request straight from the notification.

And again not relevant because the Steam mobile authenticator is designed for a single purpose

Trade CONTENT CONFIRMATION

It's NOT for user authentication

It's for CONTENT CONFIRMATION

Something no standard TOTP or U2F can do

Standard TOTP and U2F would allow for instantaneous draining of your entire inventory and you would have 'approved' it.
Last edited by Satoru; 21 May 2018 at 11:03
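
The distinction drawn in the post above, as an added example (not part of the thread, and not Steam's actual protocol): a standard RFC 6238 TOTP code is computed from the shared secret and the time only, whereas a confirmation tag computed over the trade contents stops verifying if the trade changes. `confirm_trade`, `server_accepts` and the sample trades are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): depends only on the secret and the time step."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def confirm_trade(secret: bytes, trade: dict, unix_time: int) -> str:
    """Hypothetical content-bound confirmation: MAC over the time and the trade."""
    canonical = json.dumps(trade, sort_keys=True, separators=(",", ":")).encode()
    message = struct.pack(">Q", unix_time) + canonical
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def server_accepts(secret: bytes, trade: dict, tag: str, unix_time: int) -> bool:
    """Server recomputes the tag over the trade it is about to execute."""
    return hmac.compare_digest(confirm_trade(secret, trade, unix_time), tag)


def demo() -> dict:
    secret = b"12345678901234567890"  # constructed: the RFC 6238 test key
    now = 59                          # constructed timestamp
    shown = {"partner": "alice", "give": ["item-1"], "receive": ["item-2"]}
    altered = {"partner": "mallory", "give": ["item-1", "item-3"], "receive": []}
    tag = confirm_trade(secret, shown, now)  # user approved the trade shown
    return {
        "totp_code": totp(secret, now),  # same code whichever trade is pending
        "shown_ok": server_accepts(secret, shown, tag, now),
        "altered_ok": server_accepts(secret, altered, tag, now),
    }


if __name__ == "__main__":
    print(demo())
```
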
NeXuS23 7 Jun 2018 at 13:09
I also would very much welcome U2F Support as 2FA for all logins and also the new FIDO2 passwordless authentication of course. The latter is now supported for Windows 10 logins and the next update will add U2F too.

I have four U2F Security Keys and already ordered two FIDO2 capable ones to use with all my Windows 10 machines and future services that need it.

Because the future now clearly goes towards passwordless authentications.

And to avoid any misunderstandings, I only care for the 2FA and Logins, not for the pushed trade confirmations, unlike the 2FA/logins those are ok.
Satoru 7 Jun 2018 at 14:33
Originally posted by NeXuS23:
I also would very much welcome U2F Support as 2FA for all logins and also the new FIDO2 passwordless authentication of course. The latter is now supported for Windows 10 logins and the next update will add U2F too.

Again these systems cannot provide for trade or market content verification and as such are not useful for the intended purpose

Push 2FA is already a thing and doesn't require specialized hardware that is non-exportable either. Implementing something similar to Blizzard's bnet app is a better approach and more scalable.
Dr. House 20 Mar 2019 at 3:53
Doing some research I found that all employees at Google, Facebook, Microsoft and other companies are forced to use FIDO2 devices for their corporate accounts. Seems like it's not that bad as some try to make it.

So the question is, is this being worked on?
NeXuS23 20 Apr 2019 at 14:41
Originally posted by Dr. House:
Doing some research I found that all employees at Google, Facebook, Microsoft and other companies are forced to use FIDO2 devices for their corporate accounts. Seems like it's not that bad as some try to make it.

So the question is, is this being worked on?

Seems they are working on it, because today for the first time I was able to at least authenticate the YouTube login with my FIDO U2F Security Dongle in Steam.

This till today always failed and I always had to use the alternative and weaker Google Authenticator which I also had enabled only because FIDO U2F didn't work in Steam.

But at least this now seems to work.

If they now also support it for Steam Logins instead of the Steam Guard Code, I finally won't need to search my mobile anymore and simply login with a touch.
Last edited by NeXuS23; 20 Apr 2019 at 14:41
Cathulhu 20 Apr 2019 at 14:49
You would still need it for trade confirmations.
NeXuS23 20 Apr 2019 at 15:02
Originally posted by Cathulhu:
You would still need it for trade confirmations.

Yeah but those are at least rare.

And the trade confirmations are push authenticated which is more secure, I always wondered why they don't also do the login authentication pushed, I mean if they already do the trade notifications like this.

Because push authentications are at least phishing proof, while the generated code isn't.
Last edited by NeXuS23; 20 Apr 2019 at 15:03
aiusepsi 20 Apr 2019 at 16:06
Originally posted by NeXuS23:
Because push authentications are at least phishing proof, while the generated code isn't.
I wouldn't say phishing-proof; if they include some contextual information (like, for example, location you're logging in from, something like that) then you're more likely to spot a phish-in-progress, but they're not 100% phishing-proof.
Brunni 27 Apr 2019 at 11:35
As a software developer I think that Steam should support the standard U2F to be able to use YubiKey as U2F (WebAuthn).

Posted: 21 May 2018 at 9:24
Posts: 11