No you don't.
The phishing prevention is part of the protocol suite and the key exchange.
A compliant FIDO authenticator will not hand over key material for a registration that was created on the authenticator for domain A, to domain B.
Whether that authenticator is a separate piece of hardware; a piece of software running in a secure isolated hardware component (secure enclave in a phone; TPM in a PC); a piece of software running in a hypervisor or other means of secured software environment; or even a really dumb otherwise unprotected user-mode program has absolutely zero bearing on its ability to prevent phishing.
It only has a bearing on how resilient the authenticator is against an active man-in-the-middle attack launched from an already compromised system or network, to try and intercept the key exchange and hijack the authenticator to try and exfiltrate a valid token that it can then in turn use against the real service.
But even there FIDO's key exchanges are very hard to break in such a way. Not mathematically impossible; just thoroughly impractical for anyone but highly skilled threat actors as would e.g. be on the pay-roll of intelligence agencies.
Never claimed that it would stop people from giving out their info.
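To make the point above concrete, here is an added example (not code from this thread, from Valve, or from any FIDO implementation) that models the WebAuthn/CTAP flow in Python: the authenticator stores each credential under the RP ID it was registered for and refuses assertions for any other RP ID, the browser only lets a page use an RP ID that matches its own host, and the relying party checks the origin the authenticator signed over. Hostnames are made up. The signature is simplified to an HMAC over a secret only the authenticator holds, and authenticator data is reduced to the RP ID hash; real authenticators use a per-credential asymmetric key pair (e.g. ES256) with the relying party holding only the public key, and include flags and a signature counter, but the scoping and origin-binding checks shown are the actual mechanism.

```python
# Added example, not from the thread or any real Steam/FIDO implementation.
# Assumptions: hostnames are made up; the signature is an HMAC over a secret only
# the authenticator holds (real FIDO uses a per-credential asymmetric key pair,
# e.g. ES256, and the relying party stores only the public key).
import hashlib
import hmac
import json
import secrets

def hash_client_data(client_data):
    return hashlib.sha256(json.dumps(client_data, sort_keys=True).encode()).digest()

class Authenticator:
    """CTAP-style authenticator: a credential is bound to the RP ID it was made for."""

    def __init__(self):
        self._creds = {}  # credential_id -> {"rp_id", "key"}

    def make_credential(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[cred_id] = {"rp_id": rp_id, "key": key}
        return cred_id, key  # 'key' stands in for the public key handed to the RP

    def get_assertion(self, rp_id, allow_list, client_data_hash):
        for cred_id in allow_list:
            cred = self._creds.get(cred_id)
            if cred is None or cred["rp_id"] != rp_id:
                continue  # registered for another domain: refuse, leak nothing
            auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash only (simplified)
            sig = hmac.new(cred["key"], auth_data + client_data_hash, hashlib.sha256).digest()
            return cred_id, auth_data, sig
        raise LookupError(f"no credential for RP ID {rp_id!r}")

def browser_get(auth, origin, rp_id, challenge, allow_list, honest_browser=True):
    """WebAuthn client. An honest browser only lets a page use an RP ID that is its
    own host or a parent domain; honest_browser=False models a compromised client."""
    host = origin.split("://", 1)[1]
    if honest_browser and not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"{origin} may not use RP ID {rp_id!r}")
    client_data = {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin}
    cred_id, auth_data, sig = auth.get_assertion(rp_id, allow_list, hash_client_data(client_data))
    return client_data, cred_id, auth_data, sig

class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin, self.users, self._pending = rp_id, origin, {}, {}

    def register(self, auth, user):
        cred_id, key = auth.make_credential(self.rp_id)
        self.users[user] = {"cred_id": cred_id, "key": key}

    def begin_login(self, user):
        challenge = secrets.token_bytes(32)
        self._pending[challenge] = user
        return challenge, [self.users[user]["cred_id"]]

    def finish_login(self, client_data, cred_id, auth_data, sig):
        rec = self.users.get(self._pending.pop(bytes.fromhex(client_data["challenge"]), None))
        if rec is None or rec["cred_id"] != cred_id:
            return False  # unknown challenge or wrong credential
        if client_data["type"] != "webauthn.get" or client_data["origin"] != self.origin:
            return False  # signed origin is not ours: relayed or phished assertion
        if auth_data != hashlib.sha256(self.rp_id.encode()).digest():
            return False  # signed for a different RP ID
        expected = hmac.new(rec["key"], auth_data + hash_client_data(client_data), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)

def _setup():
    auth, rp = Authenticator(), RelyingParty("store.example", "https://store.example")
    rp.register(auth, "alice")
    challenge, allow = rp.begin_login("alice")
    return auth, rp, challenge, allow

def scenario_legit():
    auth, rp, challenge, allow = _setup()
    return rp.finish_login(*browser_get(auth, rp.origin, rp.rp_id, challenge, allow))

def scenario_lookalike_phish():
    """Lookalike domain relays the real challenge and asks the browser for an assertion."""
    auth, rp, challenge, allow = _setup()
    evil = "https://store-example.evil.test"
    try:
        browser_get(auth, evil, rp.rp_id, challenge, allow)  # browser rejects a foreign RP ID
        return "browser allowed a foreign RP ID"
    except ValueError:
        pass
    try:
        browser_get(auth, evil, "store-example.evil.test", challenge, allow)  # own RP ID: no credential
        return "authenticator leaked a credential"
    except LookupError:
        return "phishing site gets nothing"

def scenario_compromised_client():
    """Compromised browser skips the RP ID check; the authenticator signs, but the signed
    clientData carries the attacker's origin, so the relying party still rejects it."""
    auth, rp, challenge, allow = _setup()
    relayed = browser_get(auth, "https://store-example.evil.test", rp.rp_id, challenge, allow, honest_browser=False)
    return rp.finish_login(*relayed)
```

The three scenarios return True, "phishing site gets nothing" and False respectively: a lookalike domain cannot even get the authenticator to produce a signature, and a compromised client that relays the real challenge still ends up with an assertion whose signed origin the relying party rejects. Only something that can make the authenticator sign over a forged origin, or that steals the key material out of it, gets further, which is the "hijack the authenticator" case the post above describes.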
You don't seem to cover the costs of using that stuff, which you would need to do. There is no way that Valve could make 100+ million of them, ship them out to all the people and expect no one to lose them or break them or whatever. Valve wouldn't be able to cover those costs.
Then you have all the problems of all the extra support and forum spam from people screaming about how they can't get into their accounts because they lost the key or can't find it or left it at work/home/cottage.
And there are going to be a lot of people who can't/won't use them because they have to pay for them.
So Valve can't make it mandatory like Steam Guard is, because there will be a lot of people locked out of their accounts...
And of course the USB-A vs USB-C issue. Deck doesn't have USB-A, so it would need to be USB-C, but a lot of computers have only 1 USB-C that might be in use or don't have any USB-C at all. My system has 1 USB-C. I am not using it at the moment, but stuff I have looked at needs a USB-C connection. USB-C connectors are more expensive than USB-A.
But see, I covered all this already; you just ignored most of it, only pointing out the issue with one small part.
FIDO protocols might be more secure, but if people can't or won't use them for any number of reasons, even if you don't think those reasons are legit (but they are), then they do no good.
Again, as mentioned, these things are good for a business where someone can pop into the IT department and pick up a new one. Not so good when you have 150 million to 1 billion people needing it around the world just to access their account.
Personally I wouldn't use one. I don't need it, I don't give out my info to anyone and I do very little trading with anyone. And no trading with people who haven't been on my friends list for a long while. So why should I be required to spend money just to access my account to play games? I shouldn't, and no one else should be.
I literally did cover that:
But does it have Bluetooth LE? Because that's all it really needs to temporarily pair a phone to be used as a FIDO authenticator.
You don't need any Yubico app on your phone and you don't need a Yubikey.
There's more to FIDO than Yubi.
Back in 2019 (fidoalliance.org) Google already made Android 7+ capable of using the phone itself as a FIDO2 compatible authenticator. Android implements CTAP protocols including the Bluetooth LE transport, meaning the phone itself can serve as an authenticator paired to a laptop or PC over BLE.
Apple followed suit with iOS later.
So you want to add in something that they can already do... Steam requests that you put a key in, you get sent a one-time-use key, you put it in, it lets you in.
They could also just send the same thing via the Steam app... "Hey, did you just log into this account? Yes or no." Hit yes; that's pretty much just sending the key... so yeah, it can already be done. No need to add anything else in.
Also, not everyone has Windows 10 or 11 or an Android/Apple phone. Lots of people still have landlines. Lots of people use flip phones that can't use apps at all. Lots of people still use older phones that can't use newer apps.
So again if they made this mandatory, it locks out a LOT of people. And if they don't make it mandatory, many people who need it won't use it.
How do you solve for these problems... you can't because humans without unlimited or even enough funds are still involved.
I don't want it, I don't need it. There are many who might want it, but won't be able to use their systems with it because they don't have the hardware for it.
We've already seen many people ask to allow them to trade without Steam Guard on.
It's the very reason why Steam Guard is mandatory in order to use many of Steam's features. When it was first implemented a lot of people simply didn't bother using it 'because having to check the email for the code is a PITA'. Result: it didn't curb account theft.
Likewise for having to check your phone while gaming. That's why even as of today many people still resort to receiving the Steam Guard codes through their (more insecure) email. These people would still not use any kind of FIDO based device, for the same reason they don't bother to use the actual app and only use 2FA through email because it's absolutely obligatory.
And Steam cannot make it mandatory for their users to use a hardware-based token generator.
Which brings us back to: implementing FIDO devices won't end phishing attacks, because there will still be people not using them for the same reasons they don't use the actual security measures.
And people who will adopt it most probably were the least likely to have their accounts targeted or phished.
All of this points at a scenario where FIDO implementation would only mean marginal changes in the actual account theft/scam numbers.
I do agree with most of what you said; a hypothetical solution to END PHISHING would be the mandatory use of the security key, and clearly that is out of the question.
The "need" here is hard to understand, because what would be a user that needs it? Is it the user who does not use other alternatives for 2FA, or the user who already has a profile that is "secure"?
If we are talking about the user who doesn't use the app, or who doesn't really care about security, only about ease of use, then yes, we cannot solve his problem, because he himself doesn't recognize his need; for this kind of user ease of access will always be the priority, and it is the risk they take.
Now, wouldn't it be positive to add this option of FIDO security keys for those who would use it? Even though their Steam accounts are already safer than other regular users'? I imagine that it is a small cost to implement something like the FIDO protocol, since you don't have to develop it from scratch.
Never said it was. In fact it's far less secure because you are relying on another website to protect their login.
But as long as you have a net connection, you can access e-mail. If you don't have a net connection you're not going to be able to use the security key either.
Because very few people who make suggestions on these forums EVER think about worst-case scenarios, and yes, worst case can and does happen more than you think.
Requiring people to pay for a piece of hardware to access their free account just will not happen. Add on top of this that it would be requiring kids to have something that's easily lost, and kids are not exactly known for keeping track of stuff. Heck, adults are not known to always keep track of stuff like this.
Imagine if you lost the key and needed to order a new one. At least in some places, it takes more than a few days for something like this to be sent. It's also an additional cost to have something like that sent. I never bother with paying for Amazon 2-day shipping. Why? Because 2-day shipping always takes a week to get to me. If anything has to come across the border, tack on an extra week or 2 for it to show up.
So if I lost the key, I could be without my gaming account or trading (if I traded) for 2 to 3 weeks because I have to wait for the new key from Valve in the US to make it to me in Canada. Imagine how long someone on the other side of the world would have to wait.
Also think of the cost if you have 5 people in your home who would all require a key, because having 1 key that could be used for 5 different accounts would not help security, and also, lose 1 key and 5 people can't log in/trade.
Steam is more universal than the security key. All that is required is access to a PC. You don't even have to own the PC. Be it Apple, Linux or Windows you can use Steam on it. In many places people can just "rent" a PC for a few hours a day cheaper than they can buy a whole PC.
My friend that uses e-mail for Steam Guard has an older PC that they have pieced together over the years, all used parts. They have a landline that costs them 20 bucks a month vs a smartphone that would cost them 50 to 80 dollars a month. They have an internet connection, but that's it. Like me, games that they buy, they buy when they are super cheap, 75% or more off, but they stick with a lot of free games. Heck, they have an Epic account just because of all the free games. There are lots of people around the world like them.
You don't have to buy games to have a Steam account.
Because most of the time, people want the easiest thing so yes my argument does make sense. Doesn't matter if they have 10 bucks worth of stuff or 100,000 bucks worth of stuff.
There have been lots of people who have made suggestions on these forums to make Steam Guard optional for trading, because it annoys them. Some of them had small inventories, some of them had large inventories, some of them I have no idea because they were set to private.
Again, if it's optional many will not use it. If it's optional and they have to pay for it, even fewer will use it. Generally the people who need it are the ones who won't use it, and by needing it, I mean they are easily fooled by stuff. They are the kind of people who put their info into those "trading sites" because they are promised a really good deal and then have their accounts hijacked. Or they are tricked and told that "their account was accidentally reported on Steam", and that a Steam Admin, who happens to be on Discord at the time, needs to log in to get rid of it, or check it or something. Or they are told by someone claiming to be an admin that "they have to log into someone's account to make sure the items in their inventory are legit."
It's people who fall for stuff like that who need the extra security, but won't use it for various reasons. New lines of cons will start like... "I'm a Steam admin, we believe items in your inventory are fake, we need to check them, to do that we need to log into your account, can you turn off your security key and give us your login and password and Steam Guard code."
And sadly you have no idea how many people will fall for something like that because there are too many that fall for something like that scam already.
We probably got lost in translation at some point in this thread. The key would be an extra (and non-obligatory) measure of security. The marginal cost of implementing this measure would be minimal to Steam and would not affect people who don't want to enable the security key. In that case, you wouldn't need to buy one.
As I have said... if it's not mandatory, it's useless to people who need it but don't want to deal with the cost (no matter how minimal it is) or the time to get one.
And even if Valve pays for them, that's a LOT of money Valve has to put out, because there are potentially 150 million to 1+ billion accounts that might want it. Even if you go with the lower number, at 150 million, it's going to cost at least 5 to 10 times that, because I can't see them making physical keys with USB-A and/or USB-C connectors on them for under 5 or 10 bucks and shipping them to people around the world.
The more you make the cheaper they are, but the more you make, the greater the chance you're just going to have tens of millions of them sitting around doing nothing. Heck, even if 1 million of them were ordered, that's 5 to 10 million dollars that you will not see back since you are giving them away, and what if only 10,000 people order them... then you have lots of e-waste on top of a bunch of wasted money.
No real way of telling how many people would actually want one, even if they did a survey and asked how many people would actually use something like that. Lots of people say they will use something and then don't.
The Steam app isn't mandatory either. It's useless to people who need it, but don't want to deal with the cost (which definitely isn't minimal) of ownership of a smartphone that continues to receive security updates. (New phone every 2~3 years.) It's useless to people who need it, but don't want to deal with having another app that's harvesting personal data on their phone. It's useless to people who need it, but don't want to deal with nagware that keeps them in the Steam ecosystem 24/7 and doesn't allow for downtime. etc. etc. etc.
You know why it still works? Because the ups outweigh the downs. In no small part because Valve quite cleverly boosted the upsides by explicitly making the user experience for not using the app, far worse - e.g. through 15-day trade holds making it impossible to cut a good deal on anything on the Steam Marketplace.
Valve doesn't have to make any of that themselves. They don't have to invest one iota into consumer-market hardware for this. Nada. Zilch.
Supply is a solved problem; as FIDO is an open standard.
Google has their Titan branded security key; Yubico has many different offerings under the Yubikey brand; and there are many others. Next to that, both Android phones and iOS phones are already FIDO-compatible and certified authenticators themselves.
Once more, thank you. Obrigado.
... until the app stops supporting the version of the OS the phone is stuck at.
That has actually happened with some platform that used a paired dedicated app before, iirc.
But the name sadly escapes me, I must admit.
It works; but you still need to be very aware of the support life-cycles of the app rather than those of the security updates for the phone. Or you'd suddenly be caught with your pants down. Esp. if there's no way you can migrate the 2FA registration off of the no-longer-supported phone, and onto a new phone.
This is why a security standard that's actually a standard is a good idea. No vendor lock-in.