I am always fascinated why others can always come up with a reason Valve should whilst ignoring 2FA on other clients.

Anyway if you had searched you would have found discussions referencing Yubikey

https://steamcommunity.com/discussions/forum/search/?q=Yubikey


Steam guard is REQUIRED for the verification of trades, account security and Valve are not going to remove that in favour of a 3rd party app, hardware key etc as Valve want to retain control over their systems.

In the same way I have seperate security hardware keys for Blizzard and Square Enix because I do not want all my accounts in one place. I also have seperate 2fa for all other clients and email addresses, passwords.

Theoretically, all confirmations can be done with a hardware token as well. The only benefit of Steam Guard in the current implementation has is showing you the trade details you are going to confirm on a separate device.
I never second guessed my choice for steam guard until my phone broke. Luckily, the Steam Support could remove Steam Guard and switch it to "confirm via email". Having a second 2FA linked to my account, I wouldn't have to bother the support and would just have used my token to login. I would be ok with having no community market access then, just for logging in, an alternative would be welcome.
I rather think, that it is a "political" (as in corporate-politics, not government-politics) decision and not a technical one.
I guess, if enough people of the community wish for other 2FA methods, maybe Valve considers it.

EDIT: Edited some strange sentences and made grammatical improvements.

DBX12 a écrit :

Theoretically, all confirmations can be done with a hardware token as well. The only benefit of Steam Guard in the current implementation has is showing you the trade details you are going to confirm on a separate device.
I never second guessed my choice for steam guard until my phone broke. Luckily, the Steam Support could remove Steam Guard and switch it to "confirm via email". Having a second 2FA linked to my account, I wouldn't have to bother the support and would just have used my token to login. I would be ok with having no community market access then, just for logging in, an alternative would be welcome.
I rather think, that it is a "political" (as in corporate-politics, not government-politics) decision and not a technical one.
I guess, if enough people of the community wish for other 2FA methods, maybe Valve considers it.

EDIT: Edited some strange sentences and made grammatical improvements.

Ii is both for account security and trading, whether you trade or not.

If you want a differing options you also need to ask Ubisoft, CDPR, Blizzard, etc who have their own 2FA to allow the use of YubiKey, after all why does Valve need to be the only one to change.

I think this is a misunderstanding, I would be cool with "Login with Yubikey but you cannot trade until you authenticate with Steam Guard", basically splitting the 2FA options based on what I want to do.

That about Ubisoft, CDPR, Blizzard etc distracts from the topic at hand. I don't want to change the whole market segment, I'm merely providing a suggestion / idea to a single company (basically that what the subforum topic says).
It is possible for one company to be the leader in a field. Providing another means of 2FA could be marketed as unique feature.

Nx Machina a écrit :

I am always fascinated why others can always come up with a reason Valve should whilst ignoring 2FA on other clients.

Anyway if you had searched you would have found discussions referencing Yubikey

https://steamcommunity.com/discussions/forum/search/?q=Yubikey


Steam guard is REQUIRED for the verification of trades, account security and Valve are not going to remove that in favour of a 3rd party app, hardware key etc as Valve want to retain control over their systems.

In the same way I have seperate security hardware keys for Blizzard and Square Enix because I do not want all my accounts in one place. I also have seperate 2fa for all other clients and email addresses, passwords.

And why couldn't a 2FA token be integrated into Steam Guard?

Crashed a écrit :

And why couldn't a 2FA token be integrated into Steam Guard?

Why does it need to be?

Nx Machina a écrit :

Crashed a écrit :

And why couldn't a 2FA token be integrated into Steam Guard?

Why does it need to be?

Not sure what problem you have with FIDO2? To make a trade you provide your current 2FA code, right? Couldn't it be feasible to have the player confirm with their 2FA key, or if trading on mobile put it up against their phone's NFC reader? Since the key would be paired to Valve's servers and not the scammers they wouldn't be able to complete a FIDO2 authentication to confirm a fraudulent trade.

Nx Machina a écrit :

Crashed a écrit :

And why couldn't a 2FA token be integrated into Steam Guard?

Why does it need to be?

It doesn't.
Steam likely doesn't want any other company involved for legal reasons, plus it gives them full control of everything without allowing anyone to have a single idea what their internal systems/coding is like.

DBX12 a écrit :

Providing another means of 2FA could be marketed as unique feature.

Except if it's not unique then you would have people screaming about false advertising especially EU users.

DBX12 a écrit :

I've seen there is already a discussion about the pro and ♥♥♥♥ of other TOTP providers like Google Authenticator or Duo (never heard of the latter, tbh).

Then why re-create it? You clearly see that in that thread, it's still active as of days ago so there was literally no point in remaking an active thread.

Crashed a écrit :

Nx Machina a écrit :

Why does it need to be?

Not sure what problem you have with FIDO2? To make a trade you provide your current 2FA code, right? Couldn't it be feasible to have the player confirm with their 2FA key, or if trading on mobile put it up against their phone's NFC reader? Since the key would be paired to Valve's servers and not the scammers they wouldn't be able to complete a FIDO2 authentication to confirm a fraudulent trade.

I don't have a problem. It is those suggesting Steam should do something whilst ignoring no one has cracked Gaben's password or that other clients also have their own version of 2FA that also do not use 3rd party apps etc.

So again why does it need to when it is not needed?

Mr. Gentlebot a écrit :

Nx Machina a écrit :

Why does it need to be?

It doesn't.
Steam likely doesn't want any other company involved for legal reasons, plus it gives them full control of everything without allowing anyone to have a single idea what their internal systems/coding is like.

DBX12 a écrit :

Providing another means of 2FA could be marketed as unique feature.

Except if it's not unique then you would have people screaming about false advertising especially EU users.

DBX12 a écrit :

I've seen there is already a discussion about the pro and ♥♥♥♥ of other TOTP providers like Google Authenticator or Duo (never heard of the latter, tbh).

Then why re-create it? You clearly see that in that thread, it's still active as of days ago so there was literally no point in remaking an active thread.

You can host your own FIDO2 server - https://github.com/StrongKey/fido2
Even YubiKey can be self-hosted. All Valve would need to do is provision secure storage for the private keys, but they probably already know how to do that as they use HTTPS.

Users' keys have their own private keys that do not leave the device.

Snapjak a écrit :

Nx Machina a écrit :

So again why does it need to when it is not needed?

The most likely reason is they don't want to use the mobile app but still want a 2fa token of some kind.

I want is never a good reason for Valve to compromise on its own security app but then again others always find reasons why Valve should do something simply because it does not conform to what they want, need, desire.

Nx Machina a écrit :

Crashed a écrit :

And why couldn't a 2FA token be integrated into Steam Guard?

Why does it need to be?

I explained why just relying on a single smartphone is a bad idea previously (theft, damage, breaking suddenly). As almost everywhere in IT (and life) redundancy is key. If one thing is unavailable, another can fill the gap.

So a (fictional) example: I have a bank vault I store valuables in. The bank owner tells me, that nobody gets in, but me.This is secured by the bank owner having to unlock the vault with his own fingerprint (assume a perfect world where biometrics are 100% safe and biometric devices cannot be fooled). To make sure it is really me who he opens the safe for, I have to say my name and a secret phrase we agreed on. To add security we established a secret handshake, only known to the bank owner and me (this is not a perfect substitute for a timebased secret but good enough to work as second factor).
Now I had a bad accident with my bike, leaving one arm in a cast and me unable to do the handshake. Luckily, the bank owner and I agreed, that he also can be sure that it is really me when I show him the picture of us on a fishing trip, which I keep in a small locket around my neck (again, assume it is impossible to forge the locket with the image).
If I hadn't have the agreement about the locket, I wouldn't be able to enter my vault until my cast is off.

So, using differing means of authentication is always better. And it worked and is secure because the bank owner and I agreed, that the locket is sufficient in case I cannot do the secret handshake.
If a thief overheard my secret phrase, he would still have to come to me to steal my locket or force me to show the secret handshake. A thief determined enough (and armed) will have success with that. So neither handshake nor locket are secure.

With the Steam Guard app it is similar, my smartphone can be stolen and so can a hardware token. I would argue, that the hardware token is even more secure, as I carry my smartphone around all day, but would leave the hardware token for Steam at home.

Using a bank is a rather poor example since if you're in the US, Deposits are insured up to $250,000 per depositor/account/bank, so even if an armed person gets your stuff it'll be up to that amount that can be given back to you.

Also since banks dont use handshakes but use banking cards, keys for lockboxes, and other verifiable proof of ownership including ID; the example is really bad. Access to an account for game licenses or trading/market items on a video game license account is different than access to all of someones finances.

People can also break into a home and take anything electronic or expensive looking, often forms of ID or things of interest are taken as well so if you have a unique looking piece of hardware; high chance it's gone. So if that's taken how are you going to get access without the key? Does the 3rd party keep the keys/algorithm for each device in case of loss/theft? If so, that is another reason why Steam is unlikely to trust a 3rd party. Sony for the longest time used plain-text password storage until they were breached and that information happened to get out.

You are right, the bank was a poor example for the reasons you mentioned. The point I was trying to get across is that two different ways of authentication are better than a single one.

DBX12 a écrit :

I explained why just relying on a single smartphone is a bad idea previously (theft, damage, breaking suddenly). As almost everywhere in IT (and life) redundancy is key. If one thing is unavailable, another can fill the gap.

And beyond your personal preference give a single viable reason why Valve need to add an additional layer when Gaben's password has not been cracked.

What about all those other clients which have 2FA? Have you contacted Blizzard etc?

I assume the answer is no, so it is obviously not needed otherwise you would included all and sundry including your bank.

So the question is - Does the gap need filling? No it does not.