chapstick Feb 27, 2021 @ 5:13am
Support More MFA Protocols
Please support more options for MFA. It’s very difficult to migrate or even restore phones when all my MFA keys are in one place and Steam’s is in another, there’s even physical security keys you can use with mobile
Showing 31-45 of 105 comments
Nx Machina Aug 4, 2022 @ 12:05pm
Originally posted by z_mcq:
It needs improving. The fact that it hasn't been breached doesn't imply that it'll never be breached, and the onus is on us to call out these practices so they can be fixed before they become a problem.

You deeming it needs improving does not make it flawed. You believing it may become a problem again has no relevance to fact.

Fact: users giving away their account name, password and the key to the door, the Steam Guard Mobile code because that is the only way to access a secure Steam account.

https://www.escapistmagazine.com/gabe-newell-gives-away-personal-steam-password/

Gabe Newell's login details are on the article, now all you need is the Steam Guard Mobile code which changes every 30 seconds.

Good luck.
Last edited by Nx Machina; Aug 4, 2022 @ 12:07pm
z_mcq Aug 4, 2022 @ 12:14pm
Originally posted by Nx Machina:
Fact: users giving away their account name, password and the key to the door, the Steam Guard Mobile code because that is the only way to access a secure Steam account.
That's very true until it's breached. Again, the fact that nobody has breached Steam Guard yet does not mean it'll never happen. Blind reliance on closed door security has gotten plenty of companies (and users) into bad situations in the past and I'm simply raising a flag on this before it becomes a problem.
Spawn of Totoro Aug 4, 2022 @ 12:31pm
Originally posted by z_mcq:
That's very true until it's breached. Again, the fact that nobody has breached Steam Guard yet does not mean it'll never happen. Blind reliance on closed door security has gotten plenty of companies (and users) into bad situations in the past and I'm simply raising a flag on this before it becomes a problem.

If Steam Guard can be breached, then so can all the other authenticators. The Steam Authenticator uses the same standards and technology as the other authenticators. The only difference is how they look.

MFA/2FA technology hasn't really been changed since its implementation. The only real difference is the way codes are entered, where some are manual, some are push and others use a USB device as a key.

Sounds less about security and more about you wanting to use a different authenticator, honestly. That would also bring about the issue with how and why the authenticator is integrated into trading.
Last edited by Spawn of Totoro; Aug 4, 2022 @ 12:33pm
z_mcq Aug 4, 2022 @ 12:42pm
Originally posted by Spawn of Totoro:
If Steam Guard can be breached, then so can all the other authenticators. The Steam Authenticator uses the same standards and technology as the other authenticators. The only difference is how they look.
I genuinely don't understand why this is a controversial stance for me to take. How do you know about the tech behind Steam Guard/authenticator? It's not open source so I don't see how you can comment on the tech that runs on the backend.
Originally posted by Spawn of Totoro:
MFA/2FA technology hasn't really been changed since its implementation.
That's just not true.
Originally posted by Spawn of Totoro:
Sounds less about security and more about you wanting to use a different authenticator, honestly. That would also bring about the issue with how and why the authenticator is integrated into trading.
Lol you got me, I definitely want to use another authenticator for both security and convenience. And again, I don't see why you're bringing up trading as that's a software feature implemented into an app and is fully separate from authn. Valve can improve authentication security & convenience with zero impact to trading or any other app features. (edited for phrasing)
Last edited by z_mcq; Aug 4, 2022 @ 12:44pm
Spawn of Totoro Aug 4, 2022 @ 12:47pm
Originally posted by z_mcq:
Originally posted by Spawn of Totoro:
If Steam Guard can be breached, then so can all the other authenticators. The Steam Authenticator uses the same standards and technology as the other authenticators. The only difference is how they look.
I genuinely don't understand why this is a controversial stance for me to take. How do you know about the tech behind Steam Guard/authenticator? It's not open source so I don't see how you can comment on the tech that runs on the backend.
Originally posted by Spawn of Totoro:
MFA/2FA technology hasn't really been changed since its implementation.
That's just patently untrue.
Originally posted by Spawn of Totoro:
Sounds less about security and more about you wanting to use a different authenticator, honestly. That would also bring about the issue with how and why the authenticator is integrated into trading.
Lol obviously I want to use another authenticator, for both security and convenience. And again, I don't see why you're bringing up trading as that's a software feature implemented into an app and is fully separate from authn. Valve can improve authentication security & convenience with zero impact to trading or any other app features.

https://csrc.nist.gov/glossary/term/Multi_Factor_Authentication

MFA is using two or more ways to authenticate a user. That is the standard from the industry.

You are free to look it up, and yes it is true.

Argue for what you really want. Don't beat around the bush and dismiss valid points of the discussion.

Unless Valve decouples trading from their authenticator, there is no chance that another authenticator will be usable on Steam.

I wish you luck.
z_mcq Aug 4, 2022 @ 1:03pm
Originally posted by Spawn of Totoro:
https://csrc.nist.gov/glossary/term/Multi_Factor_Authentication

MFA is using two or more ways to authenticate a user. That is the standard from the industry.

You are free to look it up, and yes it is true.
I'm very familiar with the NIST standards for MFA, that's what I'm here to talk about. I'd rather use and trust a security factor that integrates with other proven security standards, not a homegrown solution that I need a special app for.

Originally posted by Spawn of Totoro:
Argue for what you really want. Don't beat around the bush and dismiss valid points of the discussion.
Trading is not a valid reason for Valve to create and enforce their own MFA solution. Other companies (banks, hospitals, email providers, IDAAS companies, etc.) all handle highly secure communications in their own apps without each building their own MFA code generators. I just want Valve to give us the option to use something other than their app, that's all I'm asking for.

Originally posted by Spawn of Totoro:
Unless Valve decouples trading from their authenticator, there is no chance that another authenticator will be usable on Steam.

I wish you luck.
Thanks? That's what I'm here on the Valve suggestion forums to do: suggest an improvement.
Nx Machina Aug 4, 2022 @ 1:10pm
Originally posted by z_mcq:
That's very true until it's breached. Again, the fact that nobody has breached Steam Guard yet does not mean it'll never happen. Blind reliance on closed door security has gotten plenty of companies (and users) into bad situations in the past and I'm simply raising a flag on this before it becomes a problem.

But it hasn't been breached although you deem it may does not make it fact.

You are raising the wrong flag simply because you keep ignoring due to your want, need, desire for alternatives - Fact: users giving away their account name, password and the key to the door, the Steam Guard Mobile code because that is the only way to access a secure Steam account.

As a sidenote how are you progressing with Gabe Newell's account?

Alternatively feel free to breach my Steam Guard mobile authenticator.
Last edited by Nx Machina; Aug 4, 2022 @ 1:21pm
z_mcq Aug 4, 2022 @ 1:19pm
Originally posted by Nx Machina:
Originally posted by z_mcq:
That's very true until it's breached. Again, the fact that nobody has breached Steam Guard yet does not mean it'll never happen. Blind reliance on closed door security has gotten plenty of companies (and users) into bad situations in the past and I'm simply raising a flag on this before it becomes a problem.

But it hasn't been breached as although you deem it may does not make it fact.

You are raising the wrong flag simply because you keep ignoring due to your want, need, desire for alternatives - Fact: users giving away their account name, password and the key to the door, the Steam Guard Mobile code because that is the only way to access a secure Steam account.

As a sidenote how are you progressing with Gabe Newell's account?

Alternatively feel free to breach my Steam Guard mobile authenticator.
Weirdly confrontational tone there, internet stranger :steamthumbsup:
Nx Machina Aug 4, 2022 @ 1:21pm
Originally posted by z_mcq:
Weirdly confrontational tone there, internet stranger :steamthumbsup:

Odd that you do not deem your own confrontational.

Typing "breach" is easy to do. Proving it can be breached is an entirely different scenario.
Last edited by Nx Machina; Aug 4, 2022 @ 1:23pm
Edifier Aug 4, 2022 @ 1:26pm
Originally posted by z_mcq:
It needs improving. The fact that it hasn't been breached doesn't imply that it'll never be breached, and the onus is on us to call out these practices so they can be fixed before they become a problem.

It has 100% protection rate so far. How can you possibly improve on that?
The only reason people lose access is because they important stuff away.

I see you mentioned "WebAuth" and that can be accessed through a website and it even promotes it.
How is that safe if your PC were to get infected with malware? They would easily be able to read whatever is said on the site if you were to visit it.
z_mcq Aug 4, 2022 @ 1:27pm
Originally posted by Nx Machina:
Originally posted by z_mcq:
Weirdly confrontational tone there, internet stranger :steamthumbsup:

Odd that you do not deem your own confrontational.

Typing "breach" is easy to do. Proving it can be breached is an entirely different scenario.

If the title of this thread were "I can breach valve security" I'd agree with you. However, this is a suggestion forum where I've suggested an improvement to Valve's MFA stance. The reason you're asking me to prove security holes is beyond me.
z_mcq Aug 4, 2022 @ 1:30pm
Originally posted by Edifier:
It has 100% protection rate so far. How can you possibly improve on that?
The only reason people lose access is because they important stuff away.

I see you mentioned "WebAuth" and that can be accessed through a website and it even promotes it.
How is that safe if your PC were to get infected with malware? They would easily be able to read whatever is said on the site if you were to visit it.
Lots of secure services have 100% protection rates before they're breached! Also, you should look a bit deeper into WebAuthn first, it's not that simple.
Nx Machina Aug 4, 2022 @ 1:37pm
Originally posted by z_mcq:
If the title of this thread were "I can breach valve security" I'd agree with you. However, this is a suggestion forum where I've suggested an improvement to Valve's MFA stance. The reason you're asking me to prove security holes is beyond me.

You're the one who keeps typing "breach" therefore you must surely be confident it can be a reality while ignoring Gabe Newell's account (you have the details), mine and countless other accounts who have not given away their details remain SECURE.

Secondly it's just a word you chose to push your want, need, desire for alternatives.

And finally they need the KEY to the door, the Steam Guard Mobile code BUT more importantly they need your actual phone as the codes generated by the app are unique to each account.
Last edited by Nx Machina; Aug 4, 2022 @ 1:39pm
RiO Aug 4, 2022 @ 2:00pm
Originally posted by Spawn of Totoro:
MFA/2FA technology hasn't really been changed since its implementation. The only real difference is the way codes are entered, where some are manual, some are push and others use a USB device as a key.

Originally posted by Spawn of Totoro:
https://csrc.nist.gov/glossary/term/Multi_Factor_Authentication

MFA is using two or more ways to authenticate a user. That is the standard from the industry.

Wow. That argument holds about as much water as a sieve.
I.e. none.

If you are going to use the essential definition of what an MFA system entails to argue that technical specifications - i.e. the actual thing people are referring to when they state 'standards' - and implementation haven't been improved and hardened,

then by logical extension you also argue that HTTPS hasn't changed since the 90s.
After all: unencrypted traffic gets encrypted by the server, gets shipped to the browser, which decrypts it. That's been true since then and it still is essentially how it works now.

So why bother using anything better than SSL 3.0, because that was good enough back then so it's good enough now - right?

Originally posted by Edifier:
I see you mentioned "WebAuth" and that can be accessed through a website and it even promotes it.
How is that safe if your PC were to get infected with malware? They would easily be able to read whatever is said on the site if you were to visit it.

Part of WebAuthn and the FIDO UDF protocols it leans on, requires manual user attestation by physically interacting with the security key. E.g. pressing a button, or putting a registered finger on a print scanner pad embedded in the key.

The protocols will also only answer challenge requests for URI domains that actually are registered with the key; and only to those actual domains. Malware-hosting websites or phishing websites hosted on other domains cannot steal credentials. Period. The protocol is engineered to exclude the possibility wholesale.

When the key does exchange data, this data is communicated between your web browser and the security key via dedicated security modules that are kept segregated from the normal user-mode OS environment.

Moreover, neither the browser itself nor anything running on your system will even see the actual raw non-encrypted data. Because the security key itself already encrypts it using an asynchronous key-pair encryption system, using public keys provided by the website as part of the auth challenge.

It's literally doing what HTTPS is doing to secure communication over the internet, except it starts directly inside the USB security key. Or in the secure enclave co-processor of your phone. Since both Android phones and iPhones are FIDO-compatible authenticators that can directly be used with WebAuthn.

That's actually the main reason why WebAuthn was created: to simplify MFA authentication with website-based services on your phone by relying on the phone's own secure enclave as the second factor; and not needing dedicated apps for everything or have users rely on manually entering one-time codes - which is a dumb mechanism that can very easily be phished. (Proven by how often it happens with Steam accounts.)
Last edited by RiO; Aug 4, 2022 @ 2:21pm
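Added example, not part of RiO's post and not Valve or FIDO code: the server-side checks a WebAuthn relying party runs on a login response, showing why a response produced for a page on another domain is rejected. The browser writes the origin it actually loaded into clientDataJSON and the key signs over it. The helper names, the .example domains and the key pair are constructed for illustration, and the fixture can build responses a real browser would refuse to produce so that each check is exercised.

```javascript
const crypto = require('crypto');
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Test fixture (constructed): the response a browser plus security key would hand back
// for a page loaded from `origin`. The browser, not the page, fills in `origin`.
function signAssertion(privateKey, { rpId, origin, challenge, userPresent = true }) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  // authenticatorData layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes)
  const flags = Buffer.from([userPresent ? 0x01 : 0x00]); // bit 0 = user present
  const authData = Buffer.concat([sha256(rpId), flags, Buffer.alloc(4)]);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Relying-party side: returns 'ok' or the name of the first check that failed.
function verifyAssertion(expected, { clientDataJSON, authData, signature }) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  if (client.challenge !== expected.challenge) return 'challenge mismatch';
  if (client.origin !== expected.origin) return 'origin mismatch';
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpIdHash mismatch';
  if ((authData[32] & 0x01) === 0) return 'user not present';
  // The key signed authenticatorData || SHA-256(clientDataJSON), so both are tamper-evident.
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, expected.publicKey, signature) ? 'ok' : 'bad signature';
}

// Constructed sample values; the .example names are placeholders, not real sites.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const challenge = crypto.randomBytes(32).toString('base64url');
const expected = { rpId: 'store.example', origin: 'https://store.example', challenge, publicKey };
const good = { rpId: expected.rpId, origin: expected.origin, challenge };

function demo() {
  const tampered = signAssertion(privateKey, good);
  tampered.authData[33] ^= 0xff; // change signCount after signing
  const check = (params) => verifyAssertion(expected, signAssertion(privateKey, params));
  return {
    genuine: check(good),
    lookalike: check({ ...good, origin: 'https://store-login.example' }),
    otherRp: check({ ...good, rpId: 'other.example' }),
    noTouch: check({ ...good, userPresent: false }),
    staleChallenge: check({ ...good, challenge: 'AAAA' }),
    tampered: verifyAssertion(expected, tampered),
  };
}

console.log(demo());
```

A production verifier would also look up the stored public key by credential ID and track signCount; those steps are left out here.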
z_mcq Aug 4, 2022 @ 2:29pm
Originally posted by RiO:
straight gospel
Looks like an actual security nerd has joined the chat! Welcome to the party :steamthumbsup:

Especially with the advent of FIDO Passkeys this is an especially important time to consider improvements to authentication policy. I just want to shine a light on Valve's stance on MFA and how it should be improved.

Date Posted: Feb 27, 2021 @ 5:13am
Posts: 105