This topic has been locked
Battlebrother Minimalk June 23, 2017, 3:09 PM
Support for the FIDO U2F protocol when logging into Steam
Implement support for the FIDO universal two factor protocol when logging into Steam. While it requires that the end user buys a compatible authenticator (like the YubiKey), it is safer, easier and simpler than steam guard. It is an open protocol supported by companies like Google & Facebook and is supposedly fairly straightforward to implement.

----- Edit:
The title and text used to suggest implementing this as an alternative to Steamguard, also for trades
Last edited by Battlebrother Minimalk; June 24, 2017, 12:41 AM
Showing comments 76-85 of 85
RiO October 6, 2022, 10:31 AM
Originally posted by cSg|mc-Hotsauce:
Originally posted by Smuggles:
Of course it is Valve's choice, just letting them know, I would appreciate the option.
From what I know it is not hard to implement and there shouldn't be anything wrong with giving users more options.

With the new mobile app beta being tested right now, they decided not to add this type of support.

:qr:

Which is all kinds of hilarious and quintessential shortsightedness on Valve's part, once more.

All major players in big tech are converging on FIDO authentication standards. Microsoft; Apple; and Google all surface it in their OSes and want to use its open-ended nature of pluggable authenticators to push people away from weak passwords to whatever stronger alternative login mechanism is a good fit for them; whether that be a dedicated hardware key; a key stored in the device TPM; or some kind of biometrics like fingerprint or eyescan.

In addition to their own services they provide in their role as industry leading digital service providers, other service providers in the digital domain such as Meta as well as e.g. major financial service providers have also adopted FIDO or are in the process of doing so.

Give it a year.
Eventually Valve is going to find itself being dragged into implementing support for it anyway, because it's going to be the norm.
Last edited by RiO; October 6, 2022, 10:33 AM
❤ Sly Succubus ❤ October 6, 2022, 11:01 AM
Originally posted by cSg|mc-Hotsauce:
Originally posted by Smuggles:
Of course it is Valve's choice, just letting them know, I would appreciate the option.
From what I know it is not hard to implement and there shouldn't be anything wrong with giving users more options.

With the new mobile app beta being tested right now, they decided not to add this type of support.

:qr:
And....?

Like if it's a beta test right now, why would they add more problems to their workload? There's literally no reason for them to add more to the existing project unless it's involved with the beta item entirely
Smuggles October 17, 2022, 1:47 AM
Well, let's see this as a "temporary fact" that Valve has chosen to do so.
What is interesting to me at this moment is: "Why did Valve go this way, which incentives drove them to this decision". From what I know it cannot be to create "the securest way" / a very secure way. But as other people stated, I do not see it is the easiest or cheapest way either, so I am kind of confused.

To the other comments above I can say that I agree with them, but just because many others do things, it is not the best way to go there. The main reason is that all arguments that matter point in the direction of FIDO authentication. At least according to "my facts".

Maybe someone can share some insight on what is the thinking here on Valve's side?
Reuben January 1, 2023, 1:54 AM
U2F has less overhead since it requires less infrastructure to operate. It's also more secure against phishing attacks, which Steam has an issue with to this day.

However, U2F should be optional (like it is for other online accounts, this weakens the standard against phishing however) since not everyone is going to buy a hardware key and hardware keys are incredibly easy to lose.

Having said all that, skip U2F altogether and go straight to FIDO2 which requires an additional pin entry (working example on Cloudflare), this effectively removes the need to use and store passwords, regardless of encryption level.

Don't see a problem with confirming trades optionally via FIDO2 either, a modal would just appear asking to insert the hardware key and enter in the pin code, there's already native support for this across many desktop and mobile operating systems.
Last edited by Reuben; January 1, 2023, 2:05 AM
My1 January 1, 2023, 3:56 AM
u2f or fido2 for trade confirmation isn't really a great thing since you don't see what you sign.

but for steam login fido2 would be awesome.
Sam Smith January 1, 2023, 6:24 AM
Originally posted by Battlebrother Minimalk:
Implement support for the FIDO universal two factor protocol when logging into Steam. While it requires that the end user buys a compatible authenticator (like the YubiKey), it is safer, easier and simpler than steam guard. It is an open protocol supported by companies like Google & Facebook and is supposedly fairly straightforward to implement.

----- Edit:
The title and text used to suggest implementing this as an alternative to Steamguard, also for trades
I agree. I use a YubiKey with FIDO support; it would be great to see this implemented, giving users ease of use to log in to Steam services.
RiO January 1, 2023, 11:18 AM
Originally posted by My1:
u2f or fido2 for trade confirmation isn't really a great thing since you don't see what you sign.

The various FIDO standards do support transmitting additional data to be presented on a secure screen. But it's an optional feature that not all FIDO-compatible authenticators have to support.

That said; the FIDO standards also require as a mandatory feature that an authenticator can be queried for which features it supports. Meaning hypothetically Steam could allow the same instant completion of trades when confirming them via a FIDO authenticator that supports a secure screen to show the trade contents; and fall back on the 15 day escrow that currently also accompanies e-mail confirmation, when a user employs a FIDO authenticator that doesn't support a secure screen.
My1 January 1, 2023, 11:44 AM
sure there is a standard for that but aside from the only FIDO2 capable device which even HAS a screen I know is the 300€ Trezor T, and even that doesn't play the txAuth (and WebAuthn Clients apparently not forwarding authenticator extensions they don't know even if there was a FIDO device that does it, it wouldn't work).

so yeah while I love the idea currently that's not practical. you'd need to at least convince Microsoft (as they run the WebAuthn Client on Windows 10/11) to actually pass it, as well as get makers of Devices which could theoretically run FIDO2 to ACTUALLY incorporate it, that would lower the ceiling at least far enough that a Ledger Nano S (for those that have one, as it's no longer being made) or a Trezor One would be enough as those are the Cheapest devices I am aware that play U2F while having a screen, and they still are 60€-ish.
Master Chief April 28, 2023, 10:41 AM
I'd definitely love for them to implement U2F, FIDO2 or even just authenticator app standards for Steam Guard and I could definitely see ways to implement them for trading as well (without a "secure screen").

It would also be great if they allowed getting backup codes without a phone number (SMS), they're the only company that I know of that has backup codes behind one, really annoying.
Nanami October 30, 2023, 8:28 PM
This thread was quite old before the recent post, so we're locking it to prevent confusion.

Date posted: June 23, 2017, 3:09 PM
Replies: 85