This topic has been locked
bigyap Oct 28, 2022 @ 5:30pm
Account option to require 2FA when making purchases
Given the news of my account being compromised in something I've never seen before (resulting in an unauthorized user taking $158.51 from my wallet without needing to pass ANY authentication), I figured I'd make a post to suggest how steam can fix their platform.

Give us an option that, when checked, will require 2FA to make any new purchases. Such as buying games or ESPECIALLY steam community market items.

To turn this option off, you must enter the current 2FA code (to prevent someone unauthorized from simply unticking it).

Showing 1-15 of 24 comments
 KARR™ Oct 28, 2022 @ 5:35pm 
Surely if the user has already beaten your MFA in order to get into the account, they can also beat it to make the purchase? As happens with people who give it to gaming sites and they soon lose all their trade items? (And the trade items require a further MFA purchase already and it doesn't stop those)
Boblin the Goblin Oct 28, 2022 @ 5:39pm 
You are responsible for your account security.

This only happens when people are either clicking links sent to them, joining trading groups from 3rd party sites, or directly trading on those 3rd party sites.
bigyap Oct 28, 2022 @ 5:46pm 
Originally posted by KittenGrindr:
You are responsible for your account security.

This only happens when people are either clicking links sent to them, joining trading groups from 3rd party sites, or directly trading on those 3rd party sites.

Has nothing to do with being responsible for account security. I haven't visited any weird links. I'm in college and haven't been doing anything regarding steam for at least a few weeks prior to this happening. I don't login to my steam with other sites. I'm not stupid with computers. I keep my accounts very secure. I'm clueless as to how this happened and steam is incredibly unhelpful, that's why I'm asking for something to change.
bigyap Oct 28, 2022 @ 5:48pm 
Originally posted by  KARR™:
Surely if the user has already beaten your MFA in order to get into the account, they can also beat it to make the purchase? As happens with people who give it to gaming sites and they soon lose all their trade items? (And the trade items require a further MFA purchase already and it doesnt stop those)

That's what I'm suggesting, require another MFA to make the purchase. They also attempted to list items on my account but those were caught, needing confirmation on my mobile app, so even if they could make an option for purchases to require confirmation, that'd be perfect too.
Boblin the Goblin Oct 28, 2022 @ 5:53pm 
Originally posted by Zero:
Originally posted by KittenGrindr:
You are responsible for your account security.

This only happens when people are either clicking links sent to them, joining trading groups from 3rd party sites, or directly trading on those 3rd party sites.

Has nothing to do with being responsible for account security. I haven't visited any weird links. I'm in college and haven't been doing anything regarding steam for at least a few weeks prior to this happening. I don't login to my steam with other sites. I'm not stupid with computers. I keep my accounts very secure. I'm clueless as to how this happened and steam is incredibly unhelpful, that's why I'm asking for something to change.


Do you have Steam Guard already setup?
MagicMight Oct 28, 2022 @ 5:54pm 
Phishing site asks for your username, password, 2FA. You give those away and the phishing site displays on purpose a "Wrong 2FA" message and asks you to enter a new one. You do so. The phisher now has 2 OTPs - one to log in and one to either disable your suggested system or to make a purchase with your wallet money.

So what you are suggesting just won't work. I guess what you need is strong authentication in the sense that Steam will either let you know via push notification or via a specific SMS message what action is being taken in your account and for you to confirm it. That of course is possible -- after all banking apps do the same thing by allowing you to confirm any and all transactions exactly like that. Will it happen here? Who knows.

It would need to be opt-in obviously otherwise the average user's buying experience would be made worse.

Of course there would still be people falling for even more elaborate scam schemes... and remember, the people who fall for this type of stuff would have this feature turned off, which means they'll still lose their money at least once.
Last edited by MagicMight; Oct 28, 2022 @ 5:54pm
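The distinction MagicMight draws, as an added example in Python (not Steam's code and not from anyone in this thread): a time-based OTP is valid for any action inside its time window, so a second code handed to a phishing page approves whatever its holder does with it, whereas a confirmation computed over the exact transaction shown to the user only approves that transaction. The shared secret, timestamp, nonce and purchase details are constructed placeholders.

```python
import hashlib
import hmac
import json
import struct

# Constructed shared secret between the user's authenticator and the server
# (assumption: a symmetric per-device key; not a real Steam Guard secret).
DEVICE_SECRET = b"demo-shared-secret-not-real"

def totp_code(secret: bytes, unix_time: int, step: int = 30) -> str:
    """Time-based OTP in the RFC 6238 style (6 digits). The code depends only on
    the time window, so it carries no information about which action it approves."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def server_accepts_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """Bare second-OTP check: the transaction never enters the computation,
    so any valid code in the window approves any action."""
    return hmac.compare_digest(code, totp_code(secret, unix_time))

def approve_action(secret: bytes, action: dict) -> str:
    """Action-bound confirmation: the device signs the exact transaction it shows
    the user (the "confirm what action is being taken" model banking apps use).
    The server-issued nonce inside `action` is single-use, which blocks replay."""
    canon = json.dumps(action, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, canon, hashlib.sha256).hexdigest()

def server_accepts_bound(secret: bytes, tag: str, action: dict) -> bool:
    """The server recomputes the tag over the action it is actually about to execute."""
    return hmac.compare_digest(tag, approve_action(secret, action))

def demo() -> tuple:
    t = 1_666_999_000  # constructed timestamp
    intended = {"nonce": "srv-7f3a", "type": "wallet_purchase",
                "item": "Trading Card", "amount_usd": "0.10"}
    diverted = {"nonce": "srv-7f3a", "type": "wallet_purchase",
                "item": "Rare Knife", "amount_usd": "158.51"}
    # A code the user generated to approve `intended` passes just as well for `diverted`.
    code = totp_code(DEVICE_SECRET, t)
    otp_result = server_accepts_totp(DEVICE_SECRET, code, t)
    # A confirmation computed over `intended` does not validate `diverted`.
    tag = approve_action(DEVICE_SECRET, intended)
    bound_result = server_accepts_bound(DEVICE_SECRET, tag, diverted)
    return otp_result, bound_result
```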
Thermal Lance Oct 28, 2022 @ 6:23pm 
Making your account secure would be a good step. I mean, the only way anybody could do that anyway is if you gave them the keys to the castle.

I remember Gaben even giving the name and password of his Steam account at some point. As far as I heard, nobody managed to break into it yet.
Boblin the Goblin Oct 28, 2022 @ 6:47pm 
Originally posted by Thermal Lance:
Making your account secure would be a good step. I mean, the only way anybody could do that anyway is if you gave them the keys to the castle.

I remember Gaben even giving the name and password of his Steam account at some point. As far as I heard, nobody managed to break into it yet.


Your account can get hijacked with Steam Guard even.

The catch is, it only happens from malware or malicious sites that pose as a legit login. Without those, they cannot hijack your account. So even if you don't go to shady trading sites (let's be honest, they are all shady), unsafe usage of the internet in general can have your account hijacked.

But the common factor stays the same:

You.
AmsterdamHeavy Oct 28, 2022 @ 7:05pm 
Originally posted by Zero:
Originally posted by KittenGrindr:
You are responsible for your account security.

This only happens when people are either clicking links sent to them, joining trading groups from 3rd party sites, or directly trading on those 3rd party sites.

Has nothing to do with being responsible for account security. I haven't visited any weird links. I'm in college and haven't been doing anything regarding steam for at least a few weeks prior to this happening. I don't login to my steam with other sites. I'm not stupid with computers. I keep my accounts very secure. I'm clueless as to how this happened and steam is incredibly unhelpful, that's why I'm asking for something to change.

Well, you need to sort that out. Until you do, your suggestion has literally no value. If they were able to get into your account, they obviously could bypass this suggestion.

Also, you're in denial about the root cause being you.
Thermal Lance Oct 28, 2022 @ 7:09pm 
Originally posted by KittenGrindr:
Originally posted by Thermal Lance:
Making your account secure would be a good step. I mean, the only way anybody could do that anyway is if you gave them the keys to the castle.

I remember Gaben even giving the name and password of his Steam account at some point. As far as I heard, nobody managed to break into it yet.


Your account can get hijacked with Steam Guard even.

The catch is, it only happens from malware or malicious sites that pose as a legit login. Without those, they cannot hijack your account. So even if you don't go to shady trading sites (let's be honest, they are all shady), unsafe usage of the internet in general can have your account hijacked.

But the common factor stays the same:

You.
Which is the point I was making.

I mean, Steam is already just as secure as many bank sites and that's not even an overstatement. Just how much safety do people need? It doesn't matter; they will just "vote" for a CSGO team anyway.
RiO Nov 5, 2022 @ 10:50am 
Originally posted by Thermal Lance:
I remember Gaben even giving the name and password of his Steam account at some point. As far as I heard, nobody managed to break into it yet.

That's because that particular demo account was using an Intel-proprietary hardware security module which tied his account cryptographically to that one Intel CPU and/or motherboard chipset in the machine he signed in on.

That Intel tech went nowhere fast because the hardware lock was too stringent for broad adoption. But the ideas it introduced did eventually lead to the cryptography suites that power modern stand-alone hardware verification tokens, like you can use with e.g. FIDO U2F.

The "Gabe's account" show&tell has nothing, absolutely nada to do with the level of security we have today on 'consumer-grade' Steam which is far, far weaker.


Originally posted by AmsterdamHeavy:
Originally posted by Zero:

Has nothing to do with being responsible for account security. I haven't visited any weird links. I'm in college and haven't been doing anything regarding steam for at least a few weeks prior to this happening. I don't login to my steam with other sites. I'm not stupid with computers. I keep my accounts very secure. I'm clueless as to how this happened and steam is incredibly unhelpful, that's why I'm asking for something to change.

Well, you need to sort that out. Until you do, your suggestion has literally no value. If they were able to get into your account, they obviously could bypass this suggestion.

Also, you're in denial about the root cause being you.

As OP mentions they're in college, I'm wondering:
Are they using a shared PC, like with roommates?
And are they letting Steam remember their password?

Because... Steam actually is coded wrong and does not partition its data per individual Windows user, as has been proper since the '90s. Valve still dumps everything into Steam's own install folder and that means if you let Steam remember your password, any other valid Windows user can sign in to the PC, start Steam, and also be logged in as you...

And with that possibility brought up: an account option that requires explicit re-authentication to happen before any significant actions can be taken (including switching the option back off) would definitely nip this problem with casual local access in the bud.
(This is exactly why e.g. Sony does offer it on PSN, btw...)
Last edited by RiO; Nov 5, 2022 @ 10:59am
davidb11 Nov 5, 2022 @ 7:03pm 
Please don't blatantly lie about Gabe's password thing, Rio, it's not cool.
[N]ebsun Nov 6, 2022 @ 9:33am 
Originally posted by Zero:
Give us an option that, when checked, will require 2FA to make any new purchases. Such as buying games or ESPECIALLY steam community market items.

To turn this option off, you must enter the current 2FA code (to prevent someone unauthorized from simply unticking it).
Good idea, they should have a 2FA code to generate the API key as well as a few other places.
If they have 2FA requirement for trading already, then they should know the benefit of requiring codes even after authenticating / logging in - they should add it for purchases when using saved details or Steam wallet, and when generating an API key, or when disabling 2FA.
.geeK Nov 6, 2022 @ 9:40am 
I'm all for more security protections and this one would be great.

Steam already has a mechanism for using 2FA, so adding the ability to choose when to prompt for your password WITH 2fa would give another line of defense. :vulcansalute:

Great idea Zero!
bigyap Nov 6, 2022 @ 5:51pm 
Originally posted by RiO:
As OP mentions they're in college, I'm wondering:
Are they using a shared PC, like with roommates?
And are they letting Steam remember their password?

I use a MacBook and nobody else has access to it. I'm incredibly tight on my security and have been on the internet for years. I don't login to steam on anything shared or a system that I do not own. I let the steam application remember me but not the website, however.


Originally posted by -AM-BOT- Nebsun:
Good idea, they should have a 2FA code to generate the API key as well as a few other places.
If they have 2FA requirement for trading already, then they should know the benefit of requiring codes even after authenticating / logging in - they should add it for purchases when using saved details or Steam wallet, and when generating an API key, or when disabling 2FA.

I agree! More security can never hurt.


Originally posted by .geeK:
I'm all for more security protections and this one would be great.

Steam already has a mechanism for using 2FA, so adding the ability to choose when to prompt for your password WITH 2fa would give another line of defense. :vulcansalute:

Great idea Zero!

Thank you!

Date Posted: Oct 28, 2022 @ 5:30pm
Posts: 24