All discussions > Steam Forums > Suggestions / Ideas > Topic details
SMS or hardware tokens as other options for two factor authentication
Hey guys!

I was wondering why Steam does not allow us to use SMS as an authenticator. I mean, it would be rather logical. We already have to provide a cell phone or smartphone number in order to activate the mobile authenticator or in order to connect a phone number to our Steam account.

Other services like Guild Wars 2 and EA's Origin platform even allow to use SMS as an authenticator.

In the case that you live in a region with at least an average cell phone network, this method could be more reliable than the mobile authenticator. Furthermore, it would grant more freedom to the users of Steam.

On the other hand, it would probably be more difficult to accept trade agreements via SMS codes. You would have to type a lot :D Either Valve would need to implement another trade-accepting solution for the SMS verification, or the solution would only appeal to people who don't trade that much.

Furthermore, Steam does not provide another quite useful two-factor authenticator.
Hardware tokens like the Yubikey are probably the most secure authenticator. There is no way to infect these things with a virus. As long as their cryptographic features are implemented well, they are completely bulletproof.

What do you think about these two points?

Greetings
Originally posted by Tarvos:
What do you think about these two points?

That they're exactly what I've been saying since the first 3-day escrow implementation on trades.
http://store.steampowered.com/news/19618/

We needed to create our own two-factor authenticator because we need to show users the contents of the trade on a separate device and have them confirm it there. Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn't intend to. This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades.
Originally posted by RiO:
Originally posted by Tarvos:
What do you think about these two points?

That they're exactly what I've been saying since the first 3-day escrow implementation on trades.

And again, those systems do not address the core problem that the CONTENTS of the trade are more important than the code itself. You can't verify the CONTENTS, which makes any standard TOTP for trade authorizations useless.
Originally posted by Tito Shivan:
http://store.steampowered.com/news/19618/

We needed to create our own two-factor authenticator because we need to show users the contents of the trade on a separate device and have them confirm it there. Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn't intend to. This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades.

edit: I have deleted some redundant parts of my post :D By the way, thanks for your answers.

This sounds logical. It makes it understandable why Steam hesitates to create other 2FA options. Nonetheless, the mobile authenticator of Steam is still vulnerable. Whenever a smartphone is breached, it loses a lot of its security potential.

In the end, if Steam can't find alternatives for trading security, then they should keep their policy of making the mobile authenticator mandatory for trading.

Nevertheless, they should allow other 2FA options for account security, since they would increase the overall account security of all Steam users.
Maybe Steam should work on separate solutions.
Last edited by Tarvos; 9 Mar 2016, 10:47
Originally posted by Tito Shivan:
http://store.steampowered.com/news/19618/

We needed to create our own two-factor authenticator because we need to show users the contents of the trade on a separate device and have them confirm it there. Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn't intend to. This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades.

Originally posted by Satoru:
And again, those systems do not address the core problem that the CONTENTS of the trade are more important than the code itself. You can't verify the CONTENTS, which makes any standard TOTP for trade authorizations useless.

Make the market or store value of the traded items one of the control numbers you have to enter into the authenticator to generate the signing code. Problem solved. This is what banks that rely on 'random reader' devices also do and it has served them well over the years.

Or issue your own physical authenticator with a built-in LCD screen that can show the transaction contents. And while you're at it, base it on photoTAN, like the Rabobank's new authenticator, so you can snap a picture of a QR-code-like encrypted datagram instead of having to enter a series of control numbers.


See; it's not at all hard to come up with viable alternatives, now is it?
I would buy a hardware authenticator, no problem. People are buying your gamepads through Steam and... heck, I even used winauth.exe for Guild Wars 2. +1 for some alternative to a cell phone.
Originally posted by RiO:
Make the market or store value of the traded items one of the control numbers you have to enter into the authenticator to generate the signing code. Problem solved. This is what banks that rely on 'random reader' devices also do and it has served them well over the years.

Or issue your own physical authenticator with a built-in LCD screen that can show the transaction contents. And while you're at it, base it on photoTAN, like the Rabobank's new authenticator, so you can snap a picture of a QR-code-like encrypted datagram instead of having to enter a series of control numbers.

See; it's not at all hard to come up with viable alternatives, now is it?

Which value? Your item value? His item value? A combination of the two? Remember, a trade has two sides.

Note that whatever you pick has to be able to, on its own, tell you the entire content of the trade, as the point of having the contents verifiable on the phone is that if I have hijacked your PC, I can make it tell you whatever I want is in the trade, and provide you with whatever the authentication number is for the real trade.
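The three approaches argued over in this thread, as an added example that is not code from the thread, from Valve or from any of the posters: a generic TOTP code (Tito Shivan's quote of the Steam announcement), RiO's proposal of feeding the trade's market value into the authenticator as a control number, and a code that commits to the full contents of both sides of the trade as Satoru demands. The shared secret, the item names and the price table are constructed for the demo; the hijacked-PC model is the one described in the quoted announcement, where the user confirms the trade they are shown while the malware submits a different one with the same code.

```python
import hashlib
import hmac
import json
import struct

# Constructed shared secret between the account and its authenticator device (assumption).
SECRET = b"constructed-demo-secret"
STEP = 30      # TOTP time step in seconds
DIGITS = 6     # length of the displayed confirmation code

# Constructed market prices used by the value-binding scheme (assumption).
PRICES = {"Common Crate": 1, "Knife A": 400, "Knife B": 400, "Knife C": 400}


def truncate(mac: bytes, digits: int = DIGITS) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken at an offset given by the MAC's last nibble."""
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % (10 ** digits):0{digits}d}"


def totp(secret: bytes, t: int) -> str:
    """Generic TOTP (RFC 6238): the code depends on the time only, never on what is being approved."""
    return truncate(hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha1).digest())


def canonical(trade: dict) -> bytes:
    """Deterministic encoding of BOTH sides of a trade, so device and server MAC the same bytes."""
    norm = {side: sorted(trade[side]) for side in ("give", "receive")}
    return json.dumps(norm, sort_keys=True, separators=(",", ":")).encode()


def side_values(trade: dict, prices: dict):
    """Market value of what the user gives and of what the user receives."""
    return (sum(prices[i] for i in trade["give"]), sum(prices[i] for i in trade["receive"]))


def value_code(secret: bytes, trade: dict, prices: dict, t: int, per_side: bool) -> str:
    """RiO's 'control number' idea: a challenge-response HMAC whose challenge is the market
    value of the trade, either the grand total or each side's total separately."""
    give, recv = side_values(trade, prices)
    challenge = struct.pack(">QQ", give, recv) if per_side else struct.pack(">Q", give + recv)
    msg = struct.pack(">Q", t // STEP) + challenge
    return truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def content_code(secret: bytes, trade: dict, t: int) -> str:
    """Satoru's requirement: the code commits to the entire trade, not to a summary of it."""
    msg = struct.pack(">Q", t // STEP) + canonical(trade)
    return truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def attack_succeeds(code_for, shown: dict, real: dict, t: int) -> bool:
    """Hijacked-PC model: the user's device computes a code for the trade it SHOWS the user,
    the malware submits the REAL trade with that code, and the server recomputes the code over
    what was submitted. True means the server accepts the forged trade."""
    user_code = code_for(shown, t)
    server_code = code_for(real, t)
    return hmac.compare_digest(user_code, server_code)


def run_scenarios(t: int = 1457431140) -> dict:
    """Two constructed attacks in which the shown and the real trade have the same total market
    value. Returns {"scheme/attack": accepted} for every scheme discussed in the thread."""
    attacks = {
        # Satoru's objection: a trade has two sides; swapping them keeps the grand total.
        "sides_swapped": ({"give": ["Common Crate"], "receive": ["Knife A"]},
                          {"give": ["Knife A"], "receive": ["Common Crate"]}),
        # Same value on each side, different item: per-side values cannot tell these apart.
        "equal_value_item": ({"give": ["Knife A"], "receive": ["Knife B"]},
                             {"give": ["Knife A"], "receive": ["Knife C"]}),
    }
    schemes = {
        "totp": lambda trade, t: totp(SECRET, t),
        "value_total": lambda trade, t: value_code(SECRET, trade, PRICES, t, per_side=False),
        "value_per_side": lambda trade, t: value_code(SECRET, trade, PRICES, t, per_side=True),
        "content": lambda trade, t: content_code(SECRET, trade, t),
    }
    return {f"{scheme}/{attack}": attack_succeeds(fn, shown, real, t)
            for scheme, fn in schemes.items()
            for attack, (shown, real) in attacks.items()}


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:32} {'FORGED TRADE ACCEPTED' if accepted else 'rejected'}")
```

Running it shows the TOTP code and the grand-total code accepting both forged trades, the per-side value code catching the side swap but not the equal-value substitution, and only the content-bound code rejecting both. The content-bound scheme helps only because the device that computes the code is also the device that displays the canonical trade to the user, which is the property the quoted Steam announcement describes; RiO's LCD hardware token is the same design with the display moved onto the token.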
Date posted: 8 Mar 2016, 11:39
Posts: 7