This topic has been locked
Support for the FIDO U2F protocol when logging into Steam
Implement support for the FIDO universal two factor protocol when logging into Steam. While it requires that the end user buys a compatible authenticator (like the YubiKey), it is safer, easier and simpler than steam guard. It is an open protocol supported by companies like Google & Facebook and is supposedly fairly straightforward to implement.

----- Edit:
The title and text used to suggest implementing this as an alternative to Steamguard, also for trades
Last edited by Battlebrother Minimalk; Jun 24, 2017 @ 12:41am
Tito Shivan Jun 23, 2017 @ 3:35pm 
A keyfob can't show you the contents of a trade, which is the primary reason of the app.

Originally posted by Battlebrother Minimalk:
It is an open protocol supported by companies like Google & Facebook and is supposedly fairly straightforward to implement.
The Steamguard code is actually under that standard, it just displays the code differently.
That is good to hear, I was not aware that they were already under that standard, they don't show up on the FIDO homepage.
I am still having trouble seeing why adding a key fob would be problematic. Instead of having to authenticate via the phone, Steam would show you what you were selling and ask you to activate the key fob to authenticate the sale.
Tito Shivan Jun 23, 2017 @ 4:26pm 
Originally posted by Battlebrother Minimalk:
I am still having trouble seeing why adding a key fob would be problematic. Instead of having to authenticate via the phone, Steam would show you what you were selling and ask you to activate the key fob to authenticate the sale.
The most frequent way of account theft is through infecting the victim's computer. That means the thief has control over what you see on the computer.

Imagine you get the computer infected, you receive and are shown a good trade 'A' and are asked to verify it through the keyfob. However the real trade 'B' (which you don't see) is actually you giving away all your items.
You put in the keyfob code thinking you're verifying trade 'A' when you're actually allowing trade 'B' to happen.

That's why showing you the contents of the trade on a different device is so important.
Satoru Jun 23, 2017 @ 5:16pm 
Note that SteamGuard is basically a TOTP implementation, with a different output hash

That's different from how U2F works, which is designed to overcome TOTP's primary failing right now, which is phishing attacks.

The authenticator is mostly designed to address the problem of seeing the contents of the trade itself so you can verify that. It's not really authorizing a trade, it's authorizing and verifying the trade contents. As such that can't really be done in a U2F infrastructure.
I see, since the protocol can be used to protect against man in the middle attacks I figured something similar could be done here, e.g verifying not only the intention to trade but also signing the contents of the trade against some secret owned by Steam.

Since that does not seem to be desirable/possible I would like to change my suggestion: Implement support for YubiKey (or similar) only for the purpose of logging in to Steam.
I have updated the title of the post to reflect this.
Last edited by Battlebrother Minimalk; Jun 24, 2017 @ 12:44am
NeXuS23 Aug 15, 2017 @ 6:56pm 
Since I have used a Yubikey4Nano for over a year now for various services (Google, Github, Facebook, Dropbox, Bitbucket and local clouds) and have now purchased an additional Yubikey4 as backup and a YubikeyNeo that supports U2F for mobile apps via NFC, I definitely support this.

It's definitely time those ancient and insecure TOTP things get replaced by the new secure U2F standard. Also Steam already runs on Chromium, so this should be a no-brainer.

It also could help to make the Steam app comply with the security standards, by removing the TOTP part in it and requiring U2F authentication via mobile NFC instead. Because currently this app is a security risk and doesn't comply with standards, because that app also has the full login info and even allows shopping, which isn't allowed for TOTP apps anyway.

Of course such a change would require users to get U2F keys, and preferably ones that support NFC, which will need some time, but in the long term it only hardens the security.

Meanwhile they at least could add the option to add U2F security keys and to use them instead of Steam Guard TOTP. The next step would be to add the NFC U2F authentication option to the Steam mobile app. And in a final step TOTP should be removed completely from that app.

And Valve even could use it for some advertising; imagine if they would sell their own Steam-branded YubiKeys for a reduced price, that would be amazing. Who knows, they perhaps even could get some deal with Google and Yubico for helping U2F to proliferate more. Also even if Steam-branded, those keys could be used anywhere, so users would definitely profit.
Last edited by NeXuS23; Aug 15, 2017 @ 6:59pm
Tito Shivan Aug 16, 2017 @ 12:07am 
Originally posted by Tito Shivan:
A keyfob can't show you the contents of a trade, which is the primary reason of the app.
TheOv3rminD Sep 5, 2017 @ 7:01pm 
TOTP is horribly insecure. Please add U2F support =)
Zefar Sep 5, 2017 @ 11:16pm 
Originally posted by TheOv3rminD:
TOTP is horribly insecure. Please add U2F support =)
Do you have any stats on how many Steam accounts are lost due to using the mobile authentication?

Because if people don't get their accounts outright stolen in the typical Hollywood hacker movie type of way I just don't see the point of getting the U2F support.

But exactly how is the mobile authentication so insecure? Suppose someone has it on his account, how would you go and get access to it?
Because if it's so insecure it should be a rather easy task.
Last edited by Zefar; Sep 6, 2017 @ 6:54am
TheOv3rminD Sep 7, 2017 @ 6:09am 
Pretty easily unfortunately. All a person has to do is call the phone company and impersonate you. After that they can transfer your account (with the phone company) to their SIM card. Even if you have added a password to your phone account, support agents are often willing to disregard it.
Spawn of Totoro Sep 7, 2017 @ 7:07am 
Originally posted by TheOv3rminD:
Pretty easily unfortunately. All a person has to do is call the phone company and impersonate you. After that they can transfer your account (with the phone company) to their SIM card. Even if you have added a password to your phone account, support agents are often willing to disregard it.

They would have to know a lot about you to begin with, that and the security of the phone company needs to be improved.

It isn't a realistic scenario.

Either way, it isn't the mobile app that was compromised or that had failed. There is always a way around any security method.

The only time I have heard of someone bypassing the Mobile Authenticator is when a user falls for malware and gives them the name and password, two codes + the SMS code, allowing the other party to add the authenticator to their own device and access the account.

Even that is rare as it requires the user to get the malware and fall for the fake messages.

And even then, the issue of trades with U2F is still not addressed, such as it is with the mobile app.
Last edited by Spawn of Totoro; Sep 7, 2017 @ 7:09am
TheOv3rminD Sep 8, 2017 @ 2:01am 

Originally posted by Spawn of Totoro:
Originally posted by TheOv3rminD:
Pretty easily unfortunately. All a person has to do is call the phone company and impersonate you. After that they can transfer your account (with the phone company) to their SIM card. Even if you have added a password to your phone account, support agents are often willing to disregard it.

They would have to know a lot about you to begin with, that and the security of the phone company needs to be improved.

It isn't a realistic scenario.

Either way, it isn't the mobile app that was compromised or that had failed. There is always a way around any security method.

The only time I have heard of someone bypassing the Mobile Authenticator is when a user falls for malware and gives them the name and password, two codes + the SMS code, allowing the other party to add the authenticator to their own device and access the account.

Even that is rare as it requires the user to get the malware and fall for the fake messages.

And even then, the issue of trades with U2F is still not addressed, such as it is with the mobile app.

It happens more than you would think. Ever had an account on LinkedIn or MySpace? They are some examples of where one could get all the information they would need. Why are you even arguing against better security?
Spawn of Totoro Sep 8, 2017 @ 5:13am 
Originally posted by TheOv3rminD:
It happens more than you would think. Ever had an account on LinkedIn or MySpace? They are some examples of where one could get all the information they would need. Why are you even arguing against better security?

Because what we have now is better security.

I don't have my account linked to any social media, as such media is a huge security issue in and of itself. If a user posts such information there that someone can use to fake being them, then that is not an issue with Valve's security, but the lack of security on the user's end, and neither type of authenticator would help against that.

And from what I can find, it is only slightly better (most likely not enough to justify the cost to switch) and it does not allow for the trade verification that Valve wants to use.

Besides, I can't find anything showing it happens more than I have seen stated, and only in the way I have stated I have heard it happening.

There also seems to be a lack of ways to use U2F, plus other issues seem to be a factor:

https://medium.com/@nparlante/the-unofficial-fido-u2f-faq-9201fa5cb4da

Q: What are the disadvantages of U2F?

You have to carry around a token to complete your login. This is also what makes U2F secure — the bad guy can get your password, but they don’t have the secret key locked away in the U2F token, and the token can be locked down in a way that is difficult for a cell phone.

U2F is pretty new, so many sites do not support it as an option yet. U2F is most likely to be supported by sites that are technological leaders and where security is important (google, facebook, dropbox, github). The next time your bank is wasting your time with their multiple-step, insecure 2FA system, ask them why they don’t support U2F.

Only Chrome, Opera and (with an add on) Firefox support U2F currently.

So it is browser based; then Valve would have to change how Steam works with its log-in. Not an easy change to make.

Lack of support currently for it.

A physical device that can get broken, lost or stolen. Then you lack the token in order to access the accounts. That means contacting support when a user has lost it, instead of being able to use a code to reset it or get a new phone you can use to fix the issue. Because even if you can use a phone to remove the token, then that brings up the same issue you stated with the current system, where someone can clone the SIM or have the number transferred to a different phone.

Some things may be more secure, but at the same time, there are other issues at play. Enough to make it seem as if U2F may not be the best choice for a Steam account.

There is more to consider than just security, and overall, the current Authenticator looks like the best balance between security and convenience for the user.
Last edited by Spawn of Totoro; Sep 8, 2017 @ 5:59am
NeXuS23 Jan 8, 2018 @ 1:26am 
Do you know what's the greatest risk of TOTP? Phishing sites!

We found one with multiple URLs in the last few days and reported it to Valve and also Google; the sites have now been added to the Steam link filter and Google did block them all.

But there are already 600 victims of it, also already reported to Valve.

Those sites were really well made, even with a valid SSL certificate and everything, and they did not only ask for Steam credentials but also the TOTP and then automatically hijacked the accounts!

This is such a case that would be absolutely impossible with U2F, because it's impossible to enter the U2F authentication into phishing sites like it's so easy to do with TOTP.
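The two posts above (Satoru's on Steam Guard being a TOTP implementation, and NeXuS23's on the phishing sites that relayed TOTP codes) make one concrete claim: a relayed TOTP code is accepted by the real server, while a U2F assertion is bound to the origin the browser is actually on and so cannot be relayed. The following is an added example, not code from the thread or from Valve or Yubico, that models both halves with the Python standard library. The TOTP part is plain RFC 6238 (the Steam-specific output encoding is not reproduced). The U2F part is a simplified model: the ECDSA P-256 signature of real U2F is replaced by an HMAC keyed with the per-registration secret so it runs offline, and the origins `https://rp.example` and `https://phish.example`, the user name and the secrets are all constructed placeholders.

```python
"""Why a relayed TOTP code works for a phisher while a relayed U2F assertion
does not.  Stdlib-only model; the ECDSA signature of real U2F is replaced by an
HMAC keyed with the per-registration secret (an assumption made so the example
runs offline).  Challenge, origin-in-client-data and the appId check follow the
shape of the real protocol."""
import hashlib
import hmac
import json
import secrets
import struct


# ---------- TOTP (RFC 6238): the mechanism the thread says Steam Guard uses ----------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    return hotp(secret, now // step)


def totp_verify(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    # Accept the current 30 s step and +/- `window` neighbours, as servers usually do.
    return any(hmac.compare_digest(totp(secret, now + k * 30), code)
               for k in range(-window, window + 1))


def demo_totp_relay() -> bool:
    """Victim types the code into a phishing page; the phisher replays it 10 s later."""
    secret = b"constructed-shared-secret"      # constructed sample value
    t_victim = 1_500_000_000
    phished_code = totp(secret, t_victim)      # captured by the phishing page ...
    return totp_verify(secret, phished_code, t_victim + 10)   # ... and accepted by the real server


# ---------- U2F-style origin-bound assertion ----------
RP_ORIGIN = "https://rp.example"          # placeholder for the real relying party
PHISH_ORIGIN = "https://phish.example"    # placeholder for a look-alike phishing site


class Authenticator:
    """The hardware token: key material is stored per (appId, key handle)."""
    def __init__(self):
        self._keys = {}

    def register(self, app_id: str) -> tuple:
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._keys[handle] = (app_id, key)
        # Real U2F returns a public key; here the RP stores the HMAC key (model assumption).
        return handle, key

    def sign(self, app_id: str, handle: str, client_data: bytes) -> bytes:
        stored_app, key = self._keys[handle]
        if stored_app != app_id:
            raise ValueError("key handle not registered for this appId")
        msg = hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(key, msg, hashlib.sha256).digest()


def browser_client_data(challenge: str, page_origin: str) -> bytes:
    # The browser, not the page's JavaScript, writes the origin the user is really on.
    # (A real browser would additionally refuse an appId that the page origin may not use.)
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge, "origin": page_origin},
                      sort_keys=True).encode()


class RelyingParty:
    def __init__(self, origin: str):
        self.origin, self.pending, self.creds = origin, {}, {}

    def enroll(self, user: str, handle: str, key: bytes) -> None:
        self.creds[user] = (handle, key)

    def challenge(self, user: str) -> str:
        self.pending[user] = secrets.token_urlsafe(16)
        return self.pending[user]

    def verify(self, user: str, client_data: bytes, signature: bytes) -> bool:
        handle, key = self.creds[user]
        cd = json.loads(client_data)
        if cd.get("origin") != self.origin:            # origin binding: the phishing check
            return False
        if cd.get("challenge") != self.pending.pop(user, None):   # single-use challenge
            return False
        msg = hashlib.sha256(self.origin.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), signature)


def demo_u2f(phished: bool) -> bool:
    """Phisher relays the RP's challenge to the victim's browser on its own origin."""
    token, rp = Authenticator(), RelyingParty(RP_ORIGIN)
    handle, key = token.register(RP_ORIGIN)
    rp.enroll("alice", handle, key)            # "alice" is a constructed user name
    chal = rp.challenge("alice")
    page = PHISH_ORIGIN if phished else RP_ORIGIN
    cd = browser_client_data(chal, page)       # browser records the page origin
    sig = token.sign(RP_ORIGIN, handle, cd)    # token signs over appId and client data
    return rp.verify("alice", cd, sig)


if __name__ == "__main__":
    print("TOTP relay accepted by server:", demo_totp_relay())   # True
    print("U2F login on real origin:     ", demo_u2f(False))     # True
    print("U2F relay via phishing origin:", demo_u2f(True))      # False
```

The point the model makes visible is that the TOTP server has nothing to compare the code against except time, so a code typed into the wrong site is indistinguishable from one typed into the right one; the U2F relying party, by contrast, sees the origin the browser recorded inside the signed client data and rejects anything that was not produced on its own origin, even though the signature itself is perfectly valid.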
My1 Oct 12, 2018 @ 3:45am 
Originally posted by Tito Shivan:
A keyfob can't show you the contents of a trade, which is the primary reason of the app.

Originally posted by Battlebrother Minimalk:
It is an open protocol supported by companies like Google & Facebook and is supposedly fairly straightforward to implement.
The Steamguard code is actually under that standard, it just displays the code differently.
But can't one maybe at least use U2F for logging in? That already would be a major help.

Date Posted: Jun 23, 2017 @ 3:09pm
Posts: 85