Originally posted by 感时花溅泪:

Originally posted by L:

there are already solutions for that. reset tokens for example. 2FA was not invented by valve. they are using the same algorithm everyone else is using. other comanies (github for example) are able to implement it in such a way that you can use your app of choice and even recover your account after a device failure. given that you take responsibility. we're not saying force this on every user, but users who know what an authenticator app is, what it does and which one they prefer should be given a choice. chuck it in advanced options to hide it from normal people for all I care.

yes， I can save the rescue code in my space. If I lost my google authentication， I can use these codes

Valve tells you to do the exact same thing when you add the authenticator to your account. So do all 2FA apps.

it's all about valve getting your phone number.

Originally posted by Radene:

Google is not Steam. This is like asking my employer to give me access to all the company data via my Neopets account.

facebook is not google too， but I can use google guard。

Sorry, it makes more sense to use your own devices for security. Then you're not beholden to someone else and adding another possibly expoitable link in the chain.

All users should be able to choose their own protection method. Unless it has risks.

Originally posted by wez:

All users should be able to choose their own protection method. Unless it has risks.

You can to a point. You are free to use your own antivirus and so on, but with autheticators, you're beholden to whoever operates and owns the system.

It would be of no benefit to Valve to say, pay licence for Google's system when their own works fine. Never mind whether it's feasible or not.

https://github.com/google/google-authenticator

Originally posted by wez:

https://github.com/google/google-authenticator

So?

How does any of that refute my points?

Originally posted by Max Carrion:

At least if something happens to your 2-step authentication device, Steam can help you get your account back. They have for me already. If you used Google authenticator and say your phone gets lost or stolen, there goes your account for life.

I had this happen, all I had to do was give google the name of the device and my account got released and I added another password and put my new phone as 2fa, make sure to have backup codes too, which I did not have, but do now.

Originally posted by crunchyfrog:

Originally posted by wez:

https://github.com/google/google-authenticator

So?

How does any of that refute my points?

The reply isn't very good but what they are pointing out is that Valve does not have to pay a license to Google to use Google Authenticator. It is an open source implementation of the TOTP algorithm https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm. It happens to be one of the most popular implementations but there are many others by Microsoft, Facebook, Authy, OneLogin, Duo, Bitwarden, 1password, even one I wrote myself. All it is is an algorithm for generating a rotating code based on a seed value and the time, changing typically every 30 seconds.

Valve actually uses the TOTP protocol for their own authenticator to generate the codes and it would be as simple as allowing people to scan a QR code or enter the seed into their choice of app.

Originally posted by evilhamsterman:

Originally posted by crunchyfrog:

So?

How does any of that refute my points?

The reply isn't very good but what they are pointing out is that Valve does not have to pay a license to Google to use Google Authenticator. It is an open source implementation of the TOTP algorithm https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm. It happens to be one of the most popular implementations but there are many others by Microsoft, Facebook, Authy, OneLogin, Duo, Bitwarden, 1password, even one I wrote myself. All it is is an algorithm for generating a rotating code based on a seed value and the time, changing typically every 30 seconds.

Valve actually uses the TOTP protocol for their own authenticator to generate the codes and it would be as simple as allowing people to scan a QR code or enter the seed into their choice of app.

Oh in that case fair enough then. And my sincrest apologies if I confused by my erroneous response.

Thank you for taking the trouble to explain it.

Originally posted by evilhamsterman:

Originally posted by crunchyfrog:

So?

How does any of that refute my points?

The reply isn't very good but what they are pointing out is that Valve does not have to pay a license to Google to use Google Authenticator. It is an open source implementation of the TOTP algorithm https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm. It happens to be one of the most popular implementations but there are many others by Microsoft, Facebook, Authy, OneLogin, Duo, Bitwarden, 1password, even one I wrote myself. All it is is an algorithm for generating a rotating code based on a seed value and the time, changing typically every 30 seconds.

Valve actually uses the TOTP protocol for their own authenticator to generate the codes and it would be as simple as allowing people to scan a QR code or enter the seed into their choice of app.

The point being in that steamguard's primary function is not TOTP. Its as a trade/market verification app. Something that cannot be done with a standard TOTP implementation.

Originally posted by endrsgm:

it's all about valve getting your phone number.

this

Originally posted by huut {JESUS IS LORD}:

Originally posted by endrsgm:

it's all about valve getting your phone number.

this

Lol, no.

You ever bought ANYTHING online? Congrats they have your phone number, address and everything else.

Dear oh dear.

Originally posted by crunchyfrog:

Originally posted by huut {JESUS IS LORD}:

this

Lol, no.

You ever bought ANYTHING online? Congrats they have your phone number, address and everything else.

No, they not have, unless you are a fool who give private data everywhere. But who care about fools?