Add FIDO2 / U2F Support to steam :: Suggestions / Ideas

모든 토론 > Steam 포럼 > Suggestions / Ideas > 제목 정보

이 토론은 잠겼습니다.

Zex 2018년 5월 21일 오전 9시 24분

Add FIDO2 / U2F Support to steam

Is there any plans on updating Steam Guard to support more standards such as FIDO2, U2F, OTP, or maybe just updating the way it functions on the Mobile app period? The app is pretty clunky when it comes to approving things such as Trade Offers, and the Login notification likes to bug out on Android.

While Supporting Hardware Keys that use FIDO2, U2F, OTP to allow confirming said actions without having to use another device would be a very nice for people who have them, also updating the app to support things like approving the transaction / Login via notifications (Like how Battle.net's Authenticator does it) would alleviate at least some of the issues.

< >

전체 댓글 11개 중 1~11개 표시 중

Spawn of Totoro 2018년 5월 21일 오전 9시 28분

You can't confirm trades on another authenticator, so the use of a 3rd party one is not likely to happen. The Steam authenticator already uses one of those standards as well.

I never had an issue with the log-in notifications or trade offers.

I don't really view the appoval process and cluncky either, but that is just my personal opinion.

Zex 2018년 5월 21일 오전 9시 33분

Spawn of Totoro님이 먼저 게시:
You can't confirm trades on another authenticator, so the use of a 3rd party one is not likely to happen. The Steam authenticator already uses one of those standards as well.

I never had an issue with the log-in notifications or trade offers.

I don't really view the appoval process and cluncky either, but that is just my personal opinion.

Me & multiple people I know have had a ton of issues with the mobile app refusing to load trade offers & just not plain loading sometimes.

And it's not about how clunky it is, but more about just how dated it is now, most authenticators now allow accepting the request straight from the notification.

an example of this would be the "- Faster 2FA" snip from this case study [www.behance.net]

Satoru 2018년 5월 21일 오전 11시 03분

Zexion님이 먼저 게시:
Me & multiple people I know have had a ton of issues with the mobile app refusing to load trade offers & just not plain loading sometimes.

That isnt relevant

And it's not about how clunky it is, but more about just how dated it is now, most authenticators now allow accepting the request straight from the notification.

And again not relevant because the Steam mobile authenticator is designed for a single purpose

Trade CONTENT CONFIRMATION

Its NOT for user authentication

Its for CONTENT CONFIRMATION

Something no standard TOTP or U2F can do

Standard TOTP and U2F would allow for instantaneous draining of your entire inventory and you would have 'approved' it.

Satoru 님이 마지막으로 수정; 2018년 5월 21일 오전 11시 03분

NeXuS23 2018년 6월 7일 오후 1시 09분

I also would very welcome U2F Support as 2FA for all logins and also the new FIDO2 passwordless authentication of course. The later is now supported for Windows 10 logins and the next update will add U2F too.

I have four U2F Security Keys and already ordered two FIDO2 capable ones to use with all my Windows 10 machines and future services that needs it.

Because the future now clearly goes towards passwordless authentications.

And to avoid any misunderstandings, i only care for the 2FA and Logins, not for the the pushed trade confirmations, unlike the 2FA/logins those are ok.

Satoru 2018년 6월 7일 오후 2시 33분

NeXuS23님이 먼저 게시:
I also would very welcome U2F Support as 2FA for all logins and also the new FIDO2 passwordless authentication of course. The later is now supported for Windows 10 logins and the next update will add U2F too.

Again thses systems cannot provide for trade or market content verifiation and as such are not useful for the intended purpose

Push 2FA is already a thing and doesnt require specialized hardware taht is notn-exportable either. Implementing somethign similar to Blizzards bnet app is a better approach and more scalable.

Dr. House 2019년 3월 20일 오전 3시 53분

Doing some research I found that all employees at Google, Facebook, Microsoft and other companies are forced to use FIDO2 devices for their corporate accounts. Seems like it's not that bad as some try to make it.

So the question is, is this being worked on?

NeXuS23 2019년 4월 20일 오후 2시 41분

Dr. House님이 먼저 게시:
Doing some research I found that all employees at Google, Facebook, Microsoft and other companies are forced to use FIDO2 devices for their corporate accounts. Seems like it's not that bad as some try to make it.

So the question is, is this being worked on?

Seems they are working on it, because today for the first time I was able to at least authenticate the Youtube login with my FIDO U2F Security Dongle in Steam.

This till today always failed and i always had to use the alternative and weaker Google Authenticator which i also had enabled only because FIDO U2F didn't work in Steam .

But at least this now seem to work.

If they now also support it for Steam Logins instead the Steam Guard Code, I finally won't need to search my mobile anymore and simply login with a touch.

NeXuS23 님이 마지막으로 수정; 2019년 4월 20일 오후 2시 41분

Cathulhu 2019년 4월 20일 오후 2시 49분

You would still need it for trade confirmations.

NeXuS23 2019년 4월 20일 오후 3시 02분

Cathulhu님이 먼저 게시:
You would still need it for trade confirmations.

Yeah but those are at least rare.

And the trade confirmations are push authenticated which is more secure, I always wondered why they not also do the login authentication pushed, I mean if they already do the trade notifications like this.

Because push authentications are at least phishing proof, while the generated code isn't.

NeXuS23 님이 마지막으로 수정; 2019년 4월 20일 오후 3시 03분

aiusepsi 2019년 4월 20일 오후 4시 06분

NeXuS23님이 먼저 게시:
Because push authentications are at least phishing proof, while the generated code isn't.

I wouldn't say phishing-proof; if they include some contextual information (like, for example, location you're logging in from, something like that) then you're more likely to spot a phish-in-progress, but they're not 100% phishing-proof.

#10