𝔐𝔞𝔩 Mar 14, 2023 @ 4:23pm
Allow YubiKey, or some other physical keys
It's a crime that this is not a thing on Steam yet, I mean Epic of all things supports physical keys.
Showing 1-15 of 22 comments
FFL2and3rocks Mar 14, 2023 @ 5:37pm
Does Epic have item trading and can Yubikey see which items you are trying to trade through Steam?
𝔐𝔞𝔩 Mar 15, 2023 @ 6:59am
Originally posted by FFL2and3rocks:
Does Epic have item trading and can Yubikey see which items you are trying to trade through Steam?

Not everyone trades; forgo trading as an option to allow physical keys.
❤ Sly Succubus ❤ Mar 15, 2023 @ 7:06am
I see why people want physical keys, but it should be duly noted that I speak as someone who got perished attacked by my own hands in the past. I agree on the basis that security is vital for our accounts, but due to a lack of understanding of the difference between 2Auth and a physical auth key, I would simply ask for some context for what these provide over 2Auth (or their differences, if you may).

I know I can google the details but I feel having a better idea of how it may protect Steam users is better
𝔐𝔞𝔩 Mar 15, 2023 @ 7:15am
TOTP (a regular two-factor that generates numbers, like Steam's), generated via a TOTP device (smartphone app, key fob, etc.). TOTP codes are generated offline, so there is no vulnerability to interception/spoofing of the TOTP code itself. Provides no protection against phishing.

Security key (e.g., U2F), generated via a key fob and similar. Protects against phishing, since the challenge-response step uses a signed challenge; the phishing site won't have the key, so the response step will fail. According to Google, security keys are highly effective at thwarting phishing attacks, including targeted phishing attacks.

Basically, though TOTP is good, it is still open to phishing, whereas a physical key is not.
Spawn of Totoro Mar 15, 2023 @ 7:32am
Originally posted by Mal:
Basically, though TOTP is good, it is still open to phishing, whereas a physical key is not.

Not directly, but still open to it.

What happens if you lose/break the fob? There needs to be a way to disable it until you get a new one, so you now have a new line of phishing.

The weakest link in any security chain is the user.
𝔐𝔞𝔩 Mar 15, 2023 @ 7:35am
Originally posted by Spawn of Totoro:
Originally posted by Mal:
Basically, though TOTP is good, it is still open to phishing, whereas a physical key is not.

Not directly, but still open to it.

What happens if you lose/break the fob? There needs to be a way to disable it until you get a new one, so you now have a new line of phishing.

The weakest link in any security chain is the user.

It's why you have multiple keys; nothing is ever perfect, but you should always have a backup for these kinds of things.
❤ Sly Succubus ❤ Mar 15, 2023 @ 7:45am
Originally posted by Mal:
TOTP (a regular two-factor that generates numbers, like Steam's), generated via a TOTP device (smartphone app, key fob, etc.). TOTP codes are generated offline, so there is no vulnerability to interception/spoofing of the TOTP code itself. Provides no protection against phishing.

Security key (e.g., U2F), generated via a key fob and similar. Protects against phishing, since the challenge-response step uses a signed challenge; the phishing site won't have the key, so the response step will fail. According to Google, security keys are highly effective at thwarting phishing attacks, including targeted phishing attacks.

Basically, though TOTP is good, it is still open to phishing, whereas a physical key is not.
Gotcha. Since I'm not too well versed, I'll remain on the sideline here to just listen in; while I see the perks to it in a way, I'm not a cyber security expert (or, to be frank, that well versed in it to start with), so I don't have much I can add here that's not been said (or may be said).

Still, thanks for informing me of what the difference is. I had heard of these keys before but just didn't have context on what they did differently.
Spawn of Totoro Mar 15, 2023 @ 7:51am
Originally posted by Mal:
Originally posted by Spawn of Totoro:

Not directly, but still open to it.

What happens if you lose/break the fob? There needs to be a way to disable it until you get a new one, so you now have a new line of phishing.

The weakest link in any security chain is the user.

It's why you have multiple keys; nothing is ever perfect, but you should always have a backup for these kinds of things.

That does not solve the phishing part. Even if you have a backup, they still have to have a way to disable it.

Most people won't have a backup anyway, as that would cost them more money.
𝔐𝔞𝔩 Mar 15, 2023 @ 7:56am
Originally posted by Spawn of Totoro:
Originally posted by Mal:

It's why you have multiple keys; nothing is ever perfect, but you should always have a backup for these kinds of things.

That does not solve the phishing part. Even if you have a backup, they still have to have a way to disable it.

Most people won't have a backup anyway, as that would cost them more money.

Explain: how do they disable it if you have a physical key? How do you get phished? I am open to learning here. If on the off chance you are unlucky, or are just not confident in having a physical key, then by all means keep using Steam Guard; nothing wrong with that. If a person wants to use a key, then there should be an option to do so. Again, Epic of all things allows this.
Last edited by 𝔐𝔞𝔩; Mar 15, 2023 @ 8:02am
Spawn of Totoro Mar 15, 2023 @ 8:33am
Originally posted by Mal:
Explain: how do they disable it if you have a physical key? How do you get phished? I am open to learning here. If on the off chance you are unlucky, or are just not confident in having a physical key, then by all means keep using Steam Guard; nothing wrong with that. If a person wants to use a key, then there should be an option to do so. Again, Epic of all things allows this.

Think about what you do if you forgot your password. There is a password recovery process, right?

There is a process to disable the 2 factor authentication as well, in case your phone is lost or stolen, otherwise you would not be able to access your account ever again.

A physical key can be lost, stolen or break. There needs to be a process to remove the need for such a device in order to access the account in such a situation.

As there needs to be a process to remove or bypass such security features, even on a temporary basis, then a phisher can trick a user into giving them the information needed to do so.

For example, there is a way to remove the 2 factor authentication stated here:
https://help.steampowered.com/en/faqs/view/7EFD-3CAE-64D3-1C31

And it would be a similar process for a physical key as well.

A fake password recovery e-mail, a fake Steam site that says you can't log in and need to disable X security feature to get access, etc. There are many ways a phisher can trick a user, and they usually try them all, en masse. They wouldn't do it if it hadn't been shown to work for them.

I am not saying not to use a physical key, just that this isn't true:
Originally posted by Mal:
Basically, though TOTP is good, it is still open to phishing, whereas a physical key is not.

Because a physical key IS still open to phishing. In this case, the phishing is used to disable the key or change to one in the phishers possession.
Last edited by Spawn of Totoro; Mar 15, 2023 @ 8:36am
cinedine Mar 15, 2023 @ 8:42am
If the only acceptable improvements need to be perfect, we wouldn't have gone past passwords. Hell, we wouldn't even have passwords.

FIDO2 is supposed to stop the most common form of hacking currently: phishing. And it does a damn fine job. It will be broken at some point, too. It already was by Chrome for some time. Anyway, that's not a reason for Steam to not implement a better security option for those who want to.

Originally posted by Spawn of Totoro:
Because a physical key IS still open to phishing. In this case, the phishing is used to disable the key or change to one in the phishers possession.

No it's not. The user is still open to being socially engineered. That will never change. The user and their common sense will always be the weakest link. That's why protocols like FIDO2 try to eliminate them as much as possible.

Do you have a deadbolt and a security lock on your door? Why? You can still be tricked opening it. Again: the point is to provide *better* security. Not perfect one.
Spawn of Totoro Mar 15, 2023 @ 8:49am
Originally posted by cinedine:
Originally posted by Spawn of Totoro:
Because a physical key IS still open to phishing. In this case, the phishing is used to disable the key or change to one in the phisher's possession.

No it's not. The user is still open to being socially engineered. That will never change. The user and their common sense will always be the weakest link. That's why protocols like FIDO2 try to eliminate them as much as possible.

Do you have a deadbolt and a security lock on your door? Why? You can still be tricked opening it. Again: the point is to provide *better* security. Not perfect one.

Yes, called phishing. Doesn't matter the device. A physical key can still be phished.

Otherwise 2FA isn't phished either, as it still requires the user's interaction. Neither 2FA, nor a physical authenticator is directly phished.

Also:
https://www.inverse.com/input/tech/googles-titan-physical-security-key-can-be-cloned-to-covertly-access-your-accounts

FIDO2 isn't foolproof either and the issue is more likely to grow, so best not to give false expectations.

Then there is this:
https://fidoalliance.org/news-your-google-android-7-phone-is-now-a-fido2-security-key/

Most would opt to use their phone, instead of a physical key. That opens up other possibilities for being compromised/phished.

A deadbolt is pointless, honestly, if they can just come through the window, bypassing the door completely. But if you turn your house into a fortress, even you will have a hard time getting in or out. Oh, and deadbolts can still be picked. Like the saying goes: "A lock does no more than keep an honest man, honest." -Robin Hobb
Last edited by Spawn of Totoro; Mar 15, 2023 @ 9:04am
aiusepsi Mar 15, 2023 @ 9:38am
Originally posted by Spawn of Totoro:
Also:
https://www.inverse.com/input/tech/googles-titan-physical-security-key-can-be-cloned-to-covertly-access-your-accounts

FIDO2 isn't foolproof either and the issue is more likely to grow, so best not to give false expectations.

Nothing is ever completely bulletproof, but for reference for anyone not clicking through to the article, the attack mentioned there involves getting physical access to the key, and having several hours alone with it to dismantle the key with a hot air gun and a scalpel, then extracting a chip from it and using sophisticated diagnostic equipment to extract the secrets from the chip.

Oh, and then for it to be 'covert' they have to make sure that in the process of dismantling the key that it's not damaged, otherwise you'd notice. The picture in the article shows the key very much damaged by the process of opening it up.

This is the kind of thing you worry about only if a state-level actor wants to get past your security. Even considering needing an attack of this level of sophistication is a point in favour of the thing.

Originally posted by Spawn of Totoro:
Then there is this:
https://fidoalliance.org/news-your-google-android-7-phone-is-now-a-fido2-security-key/

Most would opt to use their phone, instead of a physical key. That opens up other possibilities for being compromised/phished.
At worst, it's no worse protected than the secrets in the Steam mobile app. In general, likely much better, because the OS will be directly enforcing their security.
Last edited by aiusepsi; Mar 15, 2023 @ 9:41am
𝔐𝔞𝔩 Mar 15, 2023 @ 9:56am
Don't get why you are so opposed to more options for account security; more options for this kind of thing is always a good thing.

Bottom line: unless the hackers have a forensics lab, they are not dismantling a physical key to get the chip inside. If a hacker has the resources for that, then they are unlikely to be going after someone's Steam; they are most likely going after governments or big corporates.

Taking that into account, a typical Steam hacker will always go after the user in an attempt to socially engineer them; I have a friend who fell victim to that, by them hijacking their app and thus their code... something a physical key would have prevented, mind you.
Last edited by 𝔐𝔞𝔩; Mar 15, 2023 @ 9:58am
cinedine Mar 15, 2023 @ 10:47am
Originally posted by Spawn of Totoro:
Otherwise 2FA isn't phished either, as it still requires the user's interaction. Neither 2FA, nor a physical authenticator is directly phished.

You really should know better.
Standard OTP integration means the user inputs the code. The user can input the code in a malicious website.
FIDO2 you only have to accept the login. The communication is between the devices and you have no part in it. A malicious website cannot feasibly be mistaken for the real thing and authentication will fail.

That alone will resolve account hijacking on Steam as it is currently done.

There is no perfect security. There never will be. But that is not a reason not to provide the more secure option. And it is certainly not a reason to argue against it. Doing so is plain and simple stupid. You gain nothing by not having it. You lose nothing by having it.
So, apart from the usual reason on these forums, why argue against it? Or even badmouthing it?

#onlyonsteam
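The following is an added example, not code from this thread nor from Valve, Epic or Yubico. It puts Mal's description (the signed challenge that a phishing site cannot produce) and cinedine's point (a malicious website cannot pass for the real one, so authentication fails) side by side in Go. The TOTP half is RFC 6238 with HMAC-SHA256; the security-key half is a deliberately simplified model of a WebAuthn assertion: one key per rpId, the browser (not the page) filling in the origin it is really on, a signature over sha256(rpIdHash || sha256(clientDataJSON)), and the relying party checking challenge, origin, rpIdHash and signature in that order. The shared secret, the challenge strings, all function names and the look-alike domain steamcommunlty.com are constructed for the example; no real Steam endpoint or protocol detail is implied.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// TOTP (RFC 6238, HMAC-SHA256 variant): the code depends only on the secret and the 30 s window.
func totp(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/30))
	mac := hmac.New(sha256.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// The real site cannot tell a code typed into it from one typed into a fake page and relayed by a phisher.
func totpRelayAccepted() bool {
	secret := []byte("constructed-shared-secret") // constructed sample seed, not a real one
	now := time.Now()
	typedIntoFakePage := totp(secret, now) // victim reads the app and types into the phishing page
	return hmac.Equal([]byte(typedIntoFakePage), []byte(totp(secret, now)))
}

type (
	clientData    struct{ Challenge, Origin string }            // the browser fills in Origin
	assertion     struct{ ClientDataJSON, RpIdHash, Sig []byte }
	authenticator struct{ creds map[string]*ecdsa.PrivateKey } // one key per rpId
)

// WebAuthn lets a page use only an rpId equal to its host or a registrable parent of it.
func allowedRpId(origin, rpId string) bool {
	host := strings.TrimPrefix(origin, "https://")
	return host == rpId || strings.HasSuffix(host, "."+rpId)
}

func signedDigest(rpIdHash, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, rpIdHash...), cdHash[:]...))
	return d[:]
}

// browserGet models navigator.credentials.get(): the browser, not the page, records pageOrigin.
func browserGet(a *authenticator, pageOrigin, rpId, challenge string) (*assertion, error) {
	priv, ok := a.creds[rpId]
	if !allowedRpId(pageOrigin, rpId) || !ok {
		return nil, fmt.Errorf("no usable credential for rpId %q on %q", rpId, pageOrigin)
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: pageOrigin})
	h := sha256.Sum256([]byte(rpId))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(h[:], cd))
	return &assertion{ClientDataJSON: cd, RpIdHash: h[:], Sig: sig}, err
}

// rpVerify is the relying party's check: challenge, origin, rpIdHash, then the signature.
func rpVerify(pub *ecdsa.PublicKey, origin, rpId, challenge string, as *assertion) bool {
	var cd clientData
	want := sha256.Sum256([]byte(rpId))
	if as == nil || json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd.Challenge != challenge ||
		cd.Origin != origin || !hmac.Equal(as.RpIdHash, want[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(as.RpIdHash, as.ClientDataJSON), as.Sig)
}

// Constructed origins; the last one is a look-alike phishing domain, not a real site.
const realOrigin, realRpId, phishOrigin = "https://steamcommunity.com", "steamcommunity.com", "https://steamcommunlty.com"

// runFido plays three logins against one relying party: genuine (victim's key, real origin),
// relayed (real challenge, victim's browser on the fake origin), forged (phisher's key, real origin).
func runFido() (genuineOK, relayBlocked, forgeRejected bool) {
	victimKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	phisherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	victim := &authenticator{creds: map[string]*ecdsa.PrivateKey{realRpId: victimKey}}
	phisher := &authenticator{creds: map[string]*ecdsa.PrivateKey{realRpId: phisherKey}}
	as, _ := browserGet(victim, realOrigin, realRpId, "challenge-1")
	genuineOK = rpVerify(&victimKey.PublicKey, realOrigin, realRpId, "challenge-1", as)
	relayed, err := browserGet(victim, phishOrigin, realRpId, "challenge-2") // browser refuses the rpId
	relayBlocked = err != nil && relayed == nil
	forged, _ := browserGet(phisher, realOrigin, realRpId, "challenge-2") // signed by the wrong key
	forgeRejected = !rpVerify(&victimKey.PublicKey, realOrigin, realRpId, "challenge-2", forged)
	return
}

func main() {
	g, r, f := runFido()
	fmt.Println("TOTP relay accepted:", totpRelayAccepted(), "| FIDO genuine:", g, "relay blocked:", r, "forgery rejected:", f)
}
```

Run with `go run`: the relayed TOTP is accepted, while the security-key relay never yields an assertion (the browser derives the permitted rpId from the origin the page is really on, which is exactly the binding TOTP lacks) and the forged assertion fails the signature check against the registered public key. The model covers only the login protocol; the account-recovery route Spawn of Totoro describes lies outside it.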
Date posted: Mar 14, 2023 @ 4:23pm
Replies: 22