I don't see how these offer any improvement over the current system, Google Authenticator generates a 6 digit code which has to be typed in. And isn't these just a means for additional data harvesting by Google?

İlk olarak heitoo tarafından gönderildi:

...find Steam Guard tab...

You only need to open the app. The code is right there. You don't even need to log into it to see it.

İlk olarak MrL0G1C tarafından gönderildi:

Google Authenticator generates a 6 digit code which has to be typed in.

Not really. You can just copy-paste the code from Authy app. It's much faster and more convenient than the current system.

The best pratice in the industry for 2FA is to either use a standard app like Google Authenticator (and by extension, Authy) or prompt the user for confirmation in the notification area, or do both. For example, Microsoft and Blizzard offer approve button in their 2FA apps by default and an additional option to manually type the code. With Microsoft, you can also use third party 2FA app like Google Authenticator.

İlk olarak heitoo tarafından gönderildi:

İlk olarak MrL0G1C tarafından gönderildi:

Google Authenticator generates a 6 digit code which has to be typed in.

Not really. You can just copy-paste the code from Authy app. It's much faster and more convenient than the current system.

It doesn't offer the same functionality. The Steam app allows you to see what items are being traded

İlk olarak Pheace tarafından gönderildi:

It doesn't offer the same functionality. The Steam app allows you to see what items are being traded

I've heard this excuse on several occasions but that functionality is unrelated to 2FA.

Like, I am a professional developer myself and that Steam 2FA needs to be held hostage due to trading functionality doesn't make much sense to me other that they explicitly chose to do so for some business reasons. They could have easily had both, it's not rocket science.

Valve won't change it. They want it all to be in their app, which is primarily for confirmations.

İlk olarak heitoo tarafından gönderildi:

Like, I am a professional developer myself

Then surely you can understand that they'd rather spent time developing a single app than two?

Google doesn't recommend to use those deprecated authenticator apps for 2FA anymore and recommends to use FIDO U2F instead and to remove the Google Authenticator Option from Accounts.

İlk olarak Pheace tarafından gönderildi:

Then surely you can understand that they'd rather spent time developing a single app than two?

It's not two apps. TOTP is an open standard. That's why you can take, say Twitter account 2FA and use it with any app out there (Google Authenticator, FreeOTP, Authy etc).

İlk olarak NeXuS23 tarafından gönderildi:

Google doesn't recommend to use those deprecated authenticator apps for 2FA anymore and recommends to use FIDO U2F instead and to remove the Google Authenticator Option from Accounts.

Why bring it up now? FIDO U2F has little to no adoption. The only ones obnoxious enough to suggest authenticating via USB keys and other physical devices nowadays are government agencies. It won't fly with consumers any time soon.

Also, I seriously doubt Google Authenticator is deprecated. That is probably SMS codes you are talking about. I'll wecome a link to your source though.

İlk olarak heitoo tarafından gönderildi:

İlk olarak Pheace tarafından gönderildi:

It doesn't offer the same functionality. The Steam app allows you to see what items are being traded

I've heard this excuse on several occasions but that functionality is unrelated to 2FA.

Like, I am a professional developer myself and that Steam 2FA needs to be held hostage due to trading functionality doesn't make much sense to me other that they explicitly chose to do so for some business reasons. They could have easily had both, it's not rocket science.

The business reasons are far more important from Valve's perspective than any technical considerations. That functionality is the SOLE REASON that 2FA was effectively made mandatory for trading, etc. As such, your argument is basically invalid no matter how many people hold up technical alternatives saying "But this will work too!".

Full disclosure: I'm an ex-developer who (unlike you) also understands and appreciates business needs.

I think the main reason for the 2FA is to protect traders, and there for its main function is for the trading not as much for the 2FA it self
On that matter, a standard one is somewhat unhelpful for this case
Honestly if you do not do trading I think even using simple email should be enough for most users

İlk olarak Brujeira tarafından gönderildi:

The business reasons are far more important from Valve's perspective than any technical considerations. That functionality is the SOLE REASON that 2FA was effectively made mandatory for trading, etc. As such, your argument is basically invalid no matter how many people hold up technical alternatives saying "But this will work too!".

Full disclosure: I'm an ex-developer who (unlike you) also understands and appreciates business needs.

No, you don't. Because you haven't so far explained how trading is even related to 2FA. 2FA is just a way to secure account sign-in.

To approve the item for trading, you confirm the transaction via Steam app by clicking the "Confirm" button. There is no text codes or any 2FA involved in the matter. Moreover, because Steam mobile app itself is used for 2FA, Valve is forced to employ another (email) authentication method when singing you in on your device. Which doesn't make much sense, unless your existing 2FA workflow is flawed.

So I don't know what the heck you guys are talking about.

İlk olarak heitoo tarafından gönderildi:

İlk olarak Brujeira tarafından gönderildi:

The business reasons are far more important from Valve's perspective than any technical considerations. That functionality is the SOLE REASON that 2FA was effectively made mandatory for trading, etc. As such, your argument is basically invalid no matter how many people hold up technical alternatives saying "But this will work too!".

Full disclosure: I'm an ex-developer who (unlike you) also understands and appreciates business needs.

No, you don't. Because you haven't so far explained how trading is even related to 2FA. 2FA is just a way to secure account sign-in.

To approve the item for trading, you confirm the transaction via Steam app by clicking the "Confirm" button. There is no text codes or any 2FA involved in the matter. Moreover, because Steam mobile app itself is used for 2FA, Valve is forced to employ another (email) authentication when singing you in on your device. Which is techincally a clutch.

So I don't know what the heck you guys are talking about.

OK, I'll explain it in terms even you'll understand.

You start the trade from your PC. This is the first factor.
You authorise the trade from the authenticator. This is the second factor.

There you go, 2FA. Is that any clearer? Who said it was anything to do with codes? It's not - the codes are an irrelevance, all that matters is authentication. The fact that you claim that 2FA is only to do with logins shows that you have a serious case of tunnel vision and, as such, you're only seeing one tiny part of the problem.

Ever heard the Indian parable about the blind wise men trying to describe an elephant from just touching one part of it?

https://en.wikipedia.org/wiki/Blind_men_and_an_elephant

In this case you could say that you're one of the blind wise men. You're only seeing part of the problem but we're seeing the bigger picture.