Ninjah KodÆon Apr 26, 2020 @ 8:12am
[Suggestion] Steam account security improvements about third party websites
I was thinking about an issue that concerns a lot of people using steam: scams and phishing.

Steam gives the possibility to log on third party websites.

But this functionality comes with a massive trouble, some websites are copying that login window to trick steam users into sharing their logs info (Username, password and even steam guard codes sometimes), in order to steal control over steam accounts.

So I came up with an idea, could Steam set up a new login functionality that doesn't involve sharing personal information to third-party websites (so everybody can effectively keep their logs confidential)?

What I have in mind is kinda the same as steam trade link generator:
When you want to log into a third-party website with your steam account, you could access a specific private page on your steam, that gives you the possibility to generate a log key.

[An advanced way to make that system even more efficient would be to let you choose what information, functionalities, duration, and privacy the use of this key link would do.]

The most important reason for implementing this functionality into steam would be to avoid people sharing their credentials to third party websites (that would be phishing websites owned by scammers in that hypothesis), and to keep control over what use can be done with your account, and revoke it the way we want, when we want to, kinda like the steam confidentiality settings.
Last edited by Ninjah KodÆon; Apr 26, 2020 @ 10:05am
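The login key proposed in the opening post, modelled as an added example (not part of the thread and not a Steam API): a provider-issued key bound to one site, a scope list and an expiry, which the owner can revoke. `LoginKeyIssuer`, the scope names and the `.example` hosts are hypothetical, and the site is assumed to authenticate itself to the provider before calling `check`.

```python
import base64, hashlib, hmac, json, secrets, time

class LoginKeyIssuer:
    """Hypothetical provider-side service for the proposed login keys."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)  # signing key, never leaves the provider
        self._revoked = set()                   # key ids the account owner has revoked

    def _sign(self, body: str) -> str:
        mac = hmac.new(self._secret, body.encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).decode()

    def issue(self, account, site, scopes, ttl, now=None):
        """Mint a key bound to one site, a scope list and an expiry time."""
        now = time.time() if now is None else now
        claims = {"kid": secrets.token_hex(8), "sub": account, "aud": site,
                  "scopes": sorted(scopes), "exp": now + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
        return body + "." + self._sign(body)

    def _verified_claims(self, key):
        """Return the claims if the signature is valid, else None."""
        try:
            body, sig = key.split(".")
            if not hmac.compare_digest(sig.encode(), self._sign(body).encode()):
                return None
            return json.loads(base64.urlsafe_b64decode(body))
        except ValueError:  # wrong part count, bad base64 or bad JSON
            return None

    def revoke(self, key):
        """Owner revokes a key from their account page; later checks fail."""
        claims = self._verified_claims(key)
        if claims:
            self._revoked.add(claims["kid"])

    def check(self, key, site, scope, now=None):
        """Called by a site that has authenticated itself as `site` (assumed)."""
        now = time.time() if now is None else now
        claims = self._verified_claims(key)
        if claims is None:
            return "bad-key"
        if claims["kid"] in self._revoked:
            return "revoked"
        if now >= claims["exp"]:
            return "expired"
        if claims["aud"] != site:
            return "wrong-site"
        return "ok" if scope in claims["scopes"] else "scope-denied"

idp = LoginKeyIssuer()  # constructed sample: one site, one scope, one hour
key = idp.issue("acct-1001", "market.example", ["profile:read"], ttl=3600, now=0)
print(idp.check(key, "market.example", "profile:read", now=60))
print(idp.check(key, "lookalike.example", "profile:read", now=60))
```

The key carries no password or Steam Guard code, so a key pasted into a look-alike site fails the site check there and stays limited to its scopes until it expires or the owner revokes it.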
Showing 31-44 of 44 comments
Spawn of Totoro Apr 26, 2020 @ 8:13pm
Originally posted by Brockenstein:
I've got it. 5-factor authentication!

Or remove user to user trading. No trading, no reason to use one's log-in on a shady 3rd party site. :lunar2019coolpig:
The End Apr 26, 2020 @ 8:54pm
Originally posted by Spawn of Totoro:
Originally posted by Brockenstein:
I've got it. 5-factor authentication!

Or remove user to user trading. No trading, no reason to use one's log-in on a shady 3rd party site. :lunar2019coolpig:
Exactly, that is the only secure solution to this. Stupid will be stupid as long as they think they get shiny stuff for free.
Supafly Apr 26, 2020 @ 11:04pm
Originally posted by Ninjah Koda:
Originally posted by Suicidal Monkey:

Doesn't matter what Valve does stupid people will always do stupid things. Adding 100000000 extra steps will make you feel more secure but it won't make you or anyone else more secure. It'd be an illusion as Scammers and Phishers would just update their methods and stupid users would continue to provide access to their accounts by giving the scammers and phishers whatever they ask for.

The human is always the weakest link in any security measure.

If users checked sites before logging in or use the one click in they'd be safe but plenty don't. They also don't read any of the warnings so no amount of extra stuff will help them.

According to you, since there are bad or stupid people around, security is a curse word?

As I said before, it's not because people can be stupid that they don't deserve proper security, that's nonsense. In my opinion, the purpose of the security is to avoid these dumb people getting tricked, cause whether you like it or not, most people aren't web masters.
You completely missed the point.

No matter what Valve adds. Scammers and phishers will adapt and stupid people will do stupid things no matter the warnings. If they used things correctly there wouldn't be so many compromises every day.

You propose something new but what's to say those users will use it safely? Those same users will hand over the new key the same way they already do because the scammers/phishers ask them to and because they IGNORE all warnings. Nothing Valve can add will solve stupid users will do stupid things. It'd just be one more thing the rest of us need to put up with while at the same time Phishers sites and methods will be updated to get from users.

Originally posted by Ninjah Koda:

For all of those reckless and careless people who share it with someone else, that's another problem that nothing can fix, not even the best security.

But this security is only purposed to keep safe people who actually care about the privacy of their logs, by making sure the only place where people fill this information is steam and steam only.

Right there you even make your whole argument pointless.

For the reckless nothing will be fixed even with your added security. As for those that value their privacy this would help? That's what privacy settings are for and new system really would improve that. As for protecting them from dodgy sites these users care about their account security and would login safely to any site.

So you have group 1 the reckless new measures wouldn't help and group 2 that are already careful to not need even more protection. Thus time spent developing this would be a waste of time.
Last edited by Supafly; Apr 26, 2020 @ 11:13pm
Ninjah KodÆon Apr 27, 2020 @ 7:08am
Originally posted by M-A-X-E™:

To secure the mobile authenticator further?

1. It should not function unless the pc you try to login to is approved via sms or by the phone itself first.

2. Lowering the timer on which you have to enter the code before it changes, it needs to change faster to be more secure.

3. You can only enter the code attempt once, then you need a new one from the authenticator.

4. Make the authenticator only to work with the pc registered by sms?

5. Enforce all accounts to have this kind of login to be able to use and play on steam?

6. Don't allow third-party websites to be able to use the authenticator or have direct access to the accounts on steam, it's better if Valve automatically makes a temporary ghost account number for those kind of logins to third-party websites to protect the users' real account & login information!

Well there are a lot of gaps and holes still in this form of security level Valve tries to give us, that can and are being abused by the hackers at the moment.

But the above suggestions I just gave you here can close some of those gaps in the security to make it more safe for the users in the future.

have a nice day.

:csgo_banana: :steamhappy:
Ninjah KodÆon Apr 27, 2020 @ 7:09am
Originally posted by Spawn of Totoro:
Originally posted by Brockenstein:
I've got it. 5-factor authentication!

Or remove user to user trading. No trading, no reason to use one's log-in on a shady 3rd party site. :lunar2019coolpig:

That is wrong tho, all 3rd party sites aren't all about trading, if they were, valve wouldn't give a ♥♥♥♥ about this problem.
nullable Apr 27, 2020 @ 7:10am
Originally posted by Ninjah Koda:
Originally posted by Spawn of Totoro:

Or remove user to user trading. No trading, no reason to use one's log-in on a shady 3rd party site. :lunar2019coolpig:

That is wrong tho, all 3rd party sites aren't all about trading, if they were, valve wouldn't give a ♥♥♥♥ about this problem.

We're pretty sure most scams and hijacks revolve around vacuuming up valuable inventory items and that's being done through user trades... it's certainly a big facet of the current landscape at any rate.
Last edited by nullable; Apr 27, 2020 @ 7:11am
Ninjah KodÆon Apr 27, 2020 @ 7:37am
Originally posted by Suicidal Monkey:

No matter what Valve adds. Scammers and phishers will adapt and stupid people will do stupid things no matter the warnings. If they used things correctly there wouldn't be so many compromises every day.

You propose something new but what's to say those users will use it safely? Those same users will hand over the new key the same way they already do because the scammers/phishers ask them to and because they IGNORE all warnings. Nothing Valve can add will solve stupid users will do stupid things. It'd just be one more thing the rest of us need to put up with while at the same time Phishers sites and methods will be updated to get from users.

Wait, how can you use that method not safely? xD The point of that method is making it harder for scammers and phishers to gain the control over an account, as if this system is adopted, they won't be able to get the logins since no one will ever have an excuse to use their logs outside of steam ever again (if they do, they'll be a part of the stupid community we can't do anything about).

So yes, maybe the thieves will adapt and find new ways to trick people into thinking that they're filling the real steam survey even tho it's not the case.

They can also use spying malware to get the keyboard input of a user or any other software method, whoever is a confirmed computer user will know that it can't be 100% effective, but even if it's 5% more effective, that will still be a security achievement.
And honestly, if it comes that far, I don't think steam will be the first worry of these infected computers.


Originally posted by Suicidal Monkey:

Right there you even make your whole argument pointless.

For the reckless nothing will be fixed even with your added security. As for those that value their privacy this would help? That's what privacy settings are for and new system really would improve that. As for protecting them from dodgy sites these users care about their account security and would login safely to any site.

So you have group 1 the reckless new measures wouldn't help and group 2 that are already careful to not need even more protection. Thus time spent developing this would be a waste of time.

I disagree with you, the only solution for reckless people (group 1) would be to forbid them from using this 3rd party system since they don't know how it works, which is never gonna happen for sure, so we can't really do much about them anyway.

And about the cautious users (group 2), as I consider myself one of them, you can be careful and try to inform yourself about any risks, that won't make you 100% safe, but you can get safer as the security system evolves with that time, as the malicious methods evolve as well.

One of the biggest difficulties in security is to predict how the fraudsters will evolve to prevent the security breach raising in the future, that will never be 100% effective since time machine is not an actual thing, but that doesn't mean getting ready for it would be useless, that's even the opposite, the longer a system stays the same, the easier it is to break.

And developing that kind of stuff is so ez for Valve, you have no idea.
Since they already built up the same kind of security as the trading links for example, it would only be about adding features to a system that already exists anyway, and will be a win of time and resource if effective (whether you believe it will be or not). That would be a win win to every user.
Nx Machina Apr 27, 2020 @ 7:38am
Originally posted by Ninjah Koda:
I was thinking about an issue that concerns a lot of people using steam: scams and phishing.

Scams and phishing happen because users disregard all the warnings and enter their details on those sites. This is not a Steam issue, it is a user issue.

I have been with Steam 15+ years and my account has never been compromised.

Adding extra layers of security would not remove user interaction because the current layers are disregarded because Johnny, Jim, Jenny, Sue, and Forrest are blinded by a promise and common sense goes out of the window.
Ninjah KodÆon Apr 27, 2020 @ 7:44am
Originally posted by Kusa:
Originally posted by Ninjah Koda:
I was thinking about an issue that concerns a lot of people using steam: scams and phishing.

Scams and phishing happen because users disregard all the warnings and enter their details on those sites. This is not a Steam issue, it is a user issue.

I have been with Steam 15+ years and my account has never been compromised.

Adding extra layers of security would not remove user interaction because the current layers are disregarded because Johnny, Jim, Jenny, Sue, and Forrest are blinded by a promise and common sense goes out of the window.

I've never blamed steam for their system, it is definitely a user issue, but that doesn't mean steam can't do anything about it.

So yes, that's exactly the problem, and what I'm suggesting is to make a system that lets people use 100% of 3rd party, without having to ever compromise their logs even if they log on a phishing website.

And as I keep saying, yes reckless people will keep getting tricked by filling their logs on these websites. But if you can log with a simple authkey generated by steam which would give you the control of what you share with a proper panel, malicious people might have that link, but won't be able to do much with it.
Last edited by Ninjah KodÆon; Apr 27, 2020 @ 7:46am
Supafly Apr 27, 2020 @ 7:53am
Originally posted by Ninjah Koda:
And about the cautious users (group 2), as I consider myself one of them, you can be careful and try to inform yourself about any risks, that won't make you 100% safe, but you can get safer as the security system evolves with that time, as the malicious methods evolve as well.

No you and they won't. More security will just mean users will get lazy because the extra security lulls them into a sense of thinking nothing can happen because of all the security features.

Valve introduced Steam Guard to help and people still gave the code away without thinking because they had Steam guard and believed it would protect them. Mobile Authenticator with Steam guard. Mobile Authenticator to confirm trades. It's the same thing time and time again. Users get lazy and believe their accounts are impervious because of all the extra security.

Adding more security will just increase their ignorance and belief nothing can possibly happen to their accounts. Adding more security is great but not when that security makes users over confident and doesn't do anything new to protect them. Your suggestion would literally just waste Valve's time coding and Crooks would simply update their method in a fraction of the time and users would still continue to compromise their accounts.

Just a cycle that adds no benefits. And as there'd be no benefits valve won't waste time and money implementing something that won't help. And saying the cautious user would benefit does mean anything as they'd already be cautious and knowledgeable enough to not login on dodgy sites as they'd use the safe one click method. Or at least check the sites first. https://www.scamadviser.com/ is a prime example of ways to check sites... Not just for Steam either.
Nx Machina Apr 27, 2020 @ 7:58am
Originally posted by Ninjah Koda:
So yes, that's exactly the problem, and what I'm suggesting is to make a system that lets people use 100% of 3rd party, without having to ever compromise their logs even if they log on a phishing website.

Those sites are not associated with Steam.

Using those sites is a choice made by the user.

Again users already ignore all the warnings and will continue to always do so.

The weakest link in security is the user.
Last edited by Nx Machina; Apr 27, 2020 @ 8:24am
Supafly Apr 27, 2020 @ 7:59am
Originally posted by Ninjah Koda:

So yes, that's exactly the problem, and what I'm suggesting is to make a system that lets people use 100% of 3rd party, without having to ever compromise their logs even if they log on a phishing website.
But we have it already. We don't need another system when it already exists!

Your new system

A) Will not help those that would NEED it
B) Be pointless to those that would not need it

How can you not grasp that?

By all means make suggestions to improve security but listen to the criticism detailing issues with it. As said before your system would take a little time for Valve to implement. Then it'd take a little time for the crooks to update their methods. Vulnerable users would still compromise their accounts and others never needed it in the first place. We'd be right back where we were before your new Security feature began
cSg|mc-Hotsauce Apr 27, 2020 @ 8:29am
Originally posted by M-A-X-E™:
Originally posted by cSg|mc-Hotsauce:
There are going to be some updates to the mobile authenticator in the future. In "ValveTime" right now with other pressing issues to deal with but we'll see if it helps any.

:qr:

To secure the mobile authenticator further?

1. It should not function unless the pc you try to login to is approved via sms or by the phone itself first.

2. Lowering the timer on which you have to enter the code before it changes, it needs to change faster to be more secure.

3. You can only enter the code attempt once, then you need a new one from the authenticator.

4. Make the authenticator only to work with the pc registered by sms?

5. Enforce all accounts to have this kind of login to be able to use and play on steam?

6. Don't allow third-party websites to be able to use the authenticator or have direct access to the accounts on steam, it's better if Valve automatically makes a temporary ghost account number for those kind of logins to third-party websites to protect the users' real account & login information!

Well there are a lot of gaps and holes still in this form of security level Valve tries to give us, that can and are being abused by the hackers at the moment.

But the above suggestions I just gave you here can close some of those gaps in the security to make it more safe for the users in the future.

have a nice day.

What we know so far...

What's next?

We’re already working on improvements to the Steam Chat app, including voice chat. With Steam Chat moving to its own dedicated app, the original Steam Mobile app will see significant upgrades focused on account security. Our plans include better Steam Guard options to help securely log into your Steam account, such as QR codes and one-touch login, and improved app navigation.

https://steamcommunity.com/games/593110/announcements/detail/1621770561065348220

Steam Mobile App - The mobile app is getting a refresh to add more login types and help users secure their accounts.

https://steamcommunity.com/groups/steamworks/announcements

:qr:
BOT Głaz Apr 27, 2020 @ 8:44am
Hi

Date Posted: Apr 26, 2020 @ 8:12am
Posts: 44