It has been discussed many times before.
The SMA primary function isn't 2FA
Its primary function is a trade/market authorization tool
That is something a normal 2FA token cannot do
Also why on earth would you recommend that hunk of junk software. Duo is pretty awful
What is the difference for you? The point is ensuring that the person claiming to access a function or perform an action is indeed the correct person. And why Duo? Because it is used widely by very large organisations with extreme safety requirements - not just by private people.
The complaints about it all are subjective and typically it's either scammers or wanna be trade businessmen who complain. If you are unhappy with it, you are free to go to a different platform.
I'm neither of those things. I use DUO Mobile on a daily basis. I use it daily at work, and I have EVERYTHING else that uses 2FA set up within it. Google 2FA, Microsoft 2FA, everything else I use frequently. I should not be forced to install a specific application on my phone to set up 2FA.
Steam Mobile Authenticator's primary function IS 2FA. It's detailed in all of their online material. Sure, they "use" it to "protect your trades"... But let's be realistic. If you type in a password and then have to generate a random code that is tied to a backend process someplace that would guarantee the holder of said code is the person that should be logging in, that's literally the definition of 2 Factor Authentication. RTFM, they call it that themselves.
https://support.steampowered.com/kb_article.php?ref=8625-WRAH-9030#bestway
It's not new, businesses used to use physical RSA keys synced to an RSA server to perform the very same function just a few years ago (before the world "discovered" 2 Factor Authentication via Microsoft and Google's implementation of same, which they INSTANTLY opened up to Duo Mobile when it started taking 2FA to the next level).
Duo is just plain better. It's more reliable as an application, contains 0 bloat or other junk I don't care to see, and now it backs up accounts to Google Drive. There's nothing to not like about it.
Frankly, I've never even looked at SMA at all, until today when I tried to look into selling off a lot of my "trading card" nonsense. When I found out I had to install their app, I googled how to add Steam into Duo, and landed here. When I read this and realized all the terrible information contained within, I figured I owed a bit of a contribution to clear the air some. If they're using 2FA correctly, then anytime a key is required of you, the website or desktop client should just prompt you for a new PIN. Then it doesn't matter WHERE you generate the code from as long as whatever code generation application you're using is properly linked to your account during the setup process. This is the way MS and Google both use 2FA. If they're doing anything other than that (i.e., your first login requires a PIN, and trades require that you approve them in the app on your phone) they are literally just shoving bloatware down our collective throats and need to reconsider their implementation. No HTTP traffic needs to be sent across the web from my computer, through Steam's servers, through my cell carrier/ISP's network to reach my phone. That's just poor design. You pop a box, ask for a PIN, I punch one in ANYTIME you need that second form of authentication. If the PIN I give you matches what you are expecting to see on your end, then boom, my activity is completed. Otherwise a notification email gets sent to the account on file. That, to me, is the proper implementation of 2FA, and keeps the process client-agnostic, which should be everyone's goal.
You've not fully grokked the threat model here. In the before times, a big problem with Steam trading was phishing attacks.
People would get redirected to a fake Steam site and shown a fake favourable trade. The fake site would ask for a 2FA code, and use that code to authorise a different trade, one which is bad for the user (e.g. one that steals their items).
The point of showing trade details in the Steam app is that the app will always show you the real trade details, so you can’t be hoodwinked. You then authorise or decline the trade by pressing a button in the app, not by typing a code from the app in the website.
This relies on there being a secure connection to the Steam backend.
It’d be great if there was a generic standard method for doing this sort of thing, but as far as I’m aware there isn’t, so for the time being, it has to be the Steam mobile app.
You go to the DUO Mobile Authenticator and get the 2FA code, but this code doesn't have anything to do with the specific content. And now I have all your stuff.
Banks have the same problem and need their own system that you enter a transaction specific code into to get a 2FA code specific to the transaction to prevent these kinds of issues.
The problem isn't to ascertain that you are you. The problem is to ascertain you actually want to do this specific action you are attempting.
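An added illustration of the point made in the two posts above (not code from this thread, from Valve or from Duo): a plain TOTP code is valid for any action inside its time window, so a code typed into a fake trade page verifies just as well against a different trade, whereas an approval bound to the trade details the app actually displayed does not. The secret, trade records and function names are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real one is provisioned at authenticator enrolment.
SECRET = b"demo-shared-secret-not-real"


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the code depends only on the secret and the time window."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    dbc = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(dbc % (10 ** digits)).zfill(digits)


def verify_unbound(secret: bytes, code: str, trade: dict, t: int) -> bool:
    """Plain 2FA check: 'trade' is never looked at, so any trade passes."""
    return hmac.compare_digest(code, totp(secret, t))


def trade_tag(secret: bytes, trade: dict) -> str:
    """Transaction-bound approval: MAC over the exact details shown in the app."""
    canon = f"{trade['id']}|{trade['counterparty']}|{','.join(sorted(trade['items']))}"
    return hmac.new(secret, canon.encode(), hashlib.sha256).hexdigest()


def verify_bound(secret: bytes, tag: str, trade: dict) -> bool:
    """The backend recomputes the tag over the trade it is about to execute."""
    return hmac.compare_digest(tag, trade_tag(secret, trade))


def phishing_scenario(t: int) -> tuple:
    """Returns (unbound check accepts the swapped trade, bound check accepts it)."""
    shown = {"id": "T-100", "counterparty": "friend", "items": ["Card A", "Card B"]}
    swapped = {"id": "T-999", "counterparty": "attacker", "items": ["Knife", "Card A"]}
    # Victim reads a code from a generic authenticator and types it into the fake site,
    # which forwards it while submitting the swapped trade.
    code = totp(SECRET, t)
    unbound_ok = verify_unbound(SECRET, code, swapped, t)
    # With binding, the device only ever signs what it displayed to the user.
    tag = trade_tag(SECRET, shown)
    bound_ok = verify_bound(SECRET, tag, swapped)
    return unbound_ok, bound_ok
```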
Again an odd claim without any substantiating argument about WHY. I use Duo Mobile daily too for work to confirm processes and I say it does. So what now?
That just shows that you don't understand what Duo Mobile can and does do. It is used all the time to give people access to sensitive websites with details they can confirm. So it would be used to allow people access to the Steam trade access page by ensuring it is THEM and then they can confirm. Again zero need for their own private app.
No misleading webpages or phishing.
Actually all it shows is that he doesn't care what Duo Mobile does - neither do I and I'll explain why.
Aiusepsi and I are both IT people - well, he's current IT and I'm retired from it - so we both understand the business side of things. Here's the rub with what you're suggesting - you're asking Valve to reinvent the wheel. What do I mean by that? I'll explain.
All the work on the SMA has already been done, right? Well, that's more than just coding. As it's a security feature it has to be tested to destruction - unit testing, QA testing and any appropriate compliance and penetration testing for the SMA itself, the server back end and everything else that could possibly be affected.
Let's say Valve tweak the system to finally give a tiny number of people the TOTP options they've been clamouring for. All of that testing will have to be completely rerun - ALL OF IT. That's a lot of time and effort for no financial gain to the company, therefore it ain't getting done.
That's the business reality of the situation - read it and weep.