This topic has been locked
Support for the FIDO U2F protocol when logging into Steam
Implement support for the FIDO universal two factor protocol when logging into Steam. While it requires that the end user buys a compatible authenticator (like the YubiKey), it is safer, easier and simpler than steam guard. It is an open protocol supported by companies like Google & Facebook and is supposedly fairly straightforward to implement.

----- Edit:
The title and text used to suggest implementing this as an alternative to Steamguard, also for trades
Last edited by Battlebrother Minimalk; Jun 24, 2017 @ 12:41am
Showing 61-75 of 85 comments
Nx Machina May 29, 2021 @ 8:34am 
Originally posted by My1:
Just because Gabe has never been phished doesn't mean that Steam Guard isn't something that can be improved upon.

Ah! the improved upon argument.

So basically you cannot prove Steam Guard is flawed, so you flounder around and IGNORE that Gabe Newell has NOT lost control of his account, to make a moot point about improvement.

Your "want" does not equate to an improvement and the world is full of disappointments.

As with all things Valve - "want" never guarantees implementation and a 3rd party app is not required unless VALVE deem it so and Valve time has NO limits.

16+ years and, like Gabe, I have NEVER logged into phishing sites, NEVER clicked on links offering freebies and, more importantly, NEVER given away my Steam Guard CODE - the key to unlocking and accessing a Steam account.

Steam Guard works unless of course you can prove it does not.
Last edited by Nx Machina; May 29, 2021 @ 8:52am
KalGimpa May 29, 2021 @ 8:34am 
Originally posted by My1:
Originally posted by Nx Machina:

And?

Still awaiting proof Gabe Newell lost control of his account and Steam Guard is flawed and Valve need to adopt a 3rd party app. I'll wait......................

As a sidenote NO ONE needs a sales pitch for 3rd party apps, so why bother.

Just because Gabe has never been phished doesn't mean that Steam Guard isn't something that can be improved upon.

On the login side, Steam Guard is literally the same as TOTP.

The same TOTP which Google used for years, but which for their employees apparently still wasn't optimal.

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

Also, I am not saying that Steam Guard should be entirely dropped; it's awesome for trades and in its current state does something FIDO authenticators can't accomplish. Also, users who don't want to use FIDO can stay on Steam Guard.

Also, I don't think it's that easy to phish Gabe, because
1) the Steam administration likely uses different places to log in, likely even behind a VPN
2) if Gabe also has a "normal" Steam account and he accidentally got phished, he can just admin himself the control back.
3) the way phishing works in general likely doesn't even apply to Gabe, as these campaigns are usually made in a way to attract many people quickly, and usually just won't hit a point where, even if Gabe was in a state of mind where he could carelessly click on a wrong link, he just sees no need to do it, as why should Gabe care about a trade suggestion or whatever?

Also, a lot of Steam is comprised of third-party things. Steam Guard codes for login are basically a modified TOTP, the Steam client is a glorified web browser for the store and community which uses HTTP/S and HTML, there's OAuth for using your Steam login elsewhere; these are all things made by third parties already. lol.


Nope. You do not get to play it that way.

"I bet nobody has done it because...."

or we get to make stuff up to back up our position.

Gabe has not had a breach because he does not give out his auth codes. It has been shown over and over on this thread, by people that have been here for years and not been phished, that your account is only going to stay safe if you properly use the tools given.

You keep saying

Steam Guard is literally the same as TOTP

So what? As long as you do not give out your info to someone else you will not lose your account. There is no need to use anything else when this works so well.
RiO May 29, 2021 @ 12:27pm 
Originally posted by kalcuey-freehk:
So what? As long as you do not give out your info to someone else you will not lose your account. There is no need to use anything else when this works so well.

And therein lies the rub:
Phishing is getting better and better to the point that you end up in situations where a genuine third-party federated login to Steam is becoming hard to distinguish from a fake one that attempts to gain access to and/or steal accounts.

There may rightfully be cases where the account holder did in fact believe they were dealing with Valve's actual authentication prompts. Browser vendors are even playing 'straight into these malicious parties' hands' with 'stupid stunts' like hiding the certificate information or even the domain in the address bar. As some would say.

But why do they do that?
Well; in part because it's valuable screen real-estate that can be put to better use.
But also for security purposes. Having users rely on checking the certificate or checking the domain name simply is no longer a suitable security boundary.

It's trivial to obtain certificates (in particular non EV certificates) that are look-alikes for the real thing. Same for domain names, thanks to allowing the full breadth of Unicode look-alike characters in them nowadays.

What's needed is stronger, better authentication strategies that are secure-by-default. Strategies designed in such a way that they completely prevent credentials from ever being sent to non-trusted parties and remove the user -- the weakest link in the chain; and the one susceptible to phishing -- from the equation by eliminating the need for manual interactions such as manually providing a code from another process running on another device.

FIDO U2F is set up precisely to work in such a way. And WebAuthn is the set of browser APIs to enable web developers to build login experiences that leverage it and can connect to compatible hardware auth keys plugged into a USB port on the end-user's system.

It reduces the required user interaction to a simple press of a button on the hardware key, which tells the key to process the pending authentication challenge. The key in combination with the software interface that is part of the web browser, then decide whether the recipient is genuine and may receive the reply to the challenge. It cannot be phished via the user.
Last edited by RiO; May 29, 2021 @ 1:41pm
My1 May 29, 2021 @ 12:53pm 
Exactly. That is the point, and I don't even see why there's so much pushback. It's not too hard to do and no user is forced to use it.
My two cents for what they are worth.

It does not really matter why people get phished. All that matters is that they do. Phishing is a problem, both for the people who get phished and Steam for having to help people that got phished.

When there is a problem caused by people, wishing for smarter people is the least useful solution.

The keyfob is not meant to be a replacement for Steam Guard but a supplement. People have a lot of money in the form of games and marketplace items on Steam. Asking for Steam to support a protocol that offers convenience, security advantages, and is supported by multiple other large companies does not seem like an unreasonable request to me.

If Steam wants you to use their app for selling on the marketplace, then do so, although from the comments here it sounds like that could be secured with a keyfob too. But for logging in it would be both safer and easier for the people who have such a keyfob.

All of the problems with what if you lose it etc. are already covered by the sites that implement the protocol, no need for Steam to reinvent anything. I have no idea how difficult it would be to add support, but given that Steam is already supporting some forms of 2FA, and is already largely built as/on a website, it is surely not outside the scope of what a company the size of Valve can manage.
Last edited by Battlebrother Minimalk; May 30, 2021 @ 1:01am
RiO May 30, 2021 @ 2:43am 
Originally posted by Battlebrother Minimalk:
When there is a problem caused by people, wishing for smarter people is the least useful solution.

QFT. There's a very, very famous quote that applies here:

There is a race between mankind and the universe. Mankind is trying to build bigger, better, faster, and more foolproof machines. The universe is trying to build bigger, better, and faster fools. So far the universe is winning.

-- Albert Einstein
Nx Machina May 30, 2021 @ 6:05am 
Originally posted by My1:
Exactly. That is the point, and I don't even see why there's so much pushback. It's not too hard to do and no user is forced to use it.

There is no pushback - just you not liking replies which do not confirm what you require.

It is Valve's decision to implement a 3rd party app or not and as Steam Guard works so well - Gabe's account not been accessed - there is no reason to do so.

Just because you want something does not make it either necessary, required nor an improvement on the current system.

After all this is the suggestion and ideas forum - not the "implement it, we want it" forum.
Last edited by Nx Machina; May 30, 2021 @ 6:12am
My1 Jun 1, 2021 @ 5:10am 
Originally posted by Nx Machina:
Originally posted by My1:
Exactly. That is the point, and I don't even see why there's so much pushback. It's not too hard to do and no user is forced to use it.

There is no pushback - just you not liking replies which do not confirm what you require.

It is Valve's decision to implement a 3rd party app or not and as Steam Guard works so well - Gabe's account not been accessed - there is no reason to do so.
I think Gabe's account is not what we should base anything on. I very much doubt that Gabe's account was even the reason for Steam Guard, be it the original e-mail or the later app method.

also some people read it as if we want to force people to actually use it which is NOT the case.
Nx Machina Jun 1, 2021 @ 6:21am 
Originally posted by My1:
I think Gabe's account is not what we should base anything on. I very much doubt that Gabe's account was even the reason for Steam Guard, be it the original e-mail or the later app method.

also some people read it as if we want to force people to actually use it which is NOT the case.

Oh but we should because Gabe Newell gave his account details away to demonstrate Steam Guard and look where we are - no one has accessed his account. When Gabe's account is compromised then you may have a case for a 3rd party solution.

You cannot force something that is not an option.
Last edited by Nx Machina; Jun 1, 2021 @ 8:48am
Smuggles Jun 23, 2022 @ 3:08am 
I am for the option to just implement U2F as an additional option.

There is no reason to force people to pick a special one, just let everyone choose for themselves which option they want to use.

At the moment there is NO Option to use U2F for simple steam login stuff, which people should agree is way safer than the other options.
Nx Machina Jun 23, 2022 @ 3:51am 
Originally posted by Smuggles:
I am for the option to just implement U2F as an additional option.

There is no reason to force people to pick a special one, just let everyone choose for themselves which option they want to use.

At the moment there is NO Option to use U2F for simple steam login stuff, which people should agree is way safer than the other options.

Valve's platform, Valve's choice.
eram Jun 23, 2022 @ 4:09am 
Steam is already U2F compatible.

here is an open source version of the auth
https://github.com/winauth/winauth
(don't use this, it's just an example, and an outdated one at that)
Last edited by eram; Jun 23, 2022 @ 4:10am
cinedine Jun 23, 2022 @ 4:26am 
Originally posted by eram:
Steam is already U2F compatible.

here is an open source version of the auth
https://github.com/winauth/winauth
(don't use this, it's just an example, and an outdated one at that)

That's not U2F but a simple TOTP/HOTP provider.
Smuggles Oct 6, 2022 @ 2:05am 
Of course it is Valve's choice, just letting them know I would appreciate the option.
From what I know it is not hard to implement and there shouldn't be anything wrong with giving users more options.
cSg|mc-Hotsauce Oct 6, 2022 @ 8:38am 
Originally posted by Smuggles:
Of course it is Valve's choice, just letting them know I would appreciate the option.
From what I know it is not hard to implement and there shouldn't be anything wrong with giving users more options.

With the new mobile app beta being tested right now, they decided not to add this type of support.

:qr:

Date Posted: Jun 23, 2017 @ 3:09pm
Posts: 85