Since this is as official as it can get, this suggestion is unlikely to happen.
I had not realised that trade had anything to do with it: the prompt I received from Steam was to do with logging in. I can certainly see why they would want to use their own app to verify trades.
So why not have the Steam Authenticator providing 2FA for logging in and trading, and allow the Google Authenticator to provide 2FA for logging in only as an alternative? Personally I have no interest in trading, so this would suit me nicely :)
Their logic seems flawed. They've conflated the need for 2FA with the need for acknowledgement of a trade. I see the value of trade acknowledgement in reducing fraud, but getting as many people using two-factor authorization as possible would make a measurable impact on overall account security, wouldn't it?
I suppose that the fact they've tied the two together, despite all the downsides that entails, means trade acknowledgement is of higher importance to Valve.
If it was up to me, I'd implement vanilla TOTP and require all Steam users to use it. Anyone who didn't have a mobile device, I'd send out a hardware token. This feels like a simpler solution than the one they've implemented.
I assume they are assuming that traders are at bigger risk, but I do agree that enabling it in more ways, like Google Auth or whatever is possible, will likely be better for most users.
Most other services just require another TOTP token whenever you do something sensitive, just to make sure your session wasn't hijacked. TOTP works in both cases, and if users wanted their phone to buzz whenever another TOTP token is required, they can install the Steam app. Other users can just use a TOTP client and type in another token as part of the trade process.
If someone does have your auth device, then yes, you're screwed. But you can still defend against individual codes being man-in-the-middled/phished.
The reality is that accounts are hijacked due to their items. The way to move said items is via trading. Unless you can confirm the trade, you essentially get:
1) log into phishing site
2) You 'trade' with me
3) You 'see' a trade that looks even
4) In reality I sent you a trade that empties your inventory
5) you send me the 'confirmation' TOTP code
6) the site inputs the TOTP code into the trade confirmation
7) you've now traded your entire inventory away and 'confirmed' it
No google authenticator.
No facebook authenticator.
When you show the trade that looks even, the code is like 327892
The trade that empties your inventory has a code like 289472
Even if I enter the even trade in my authenticator and then enter the confirmation code on the phishing site, the trade would fail, because when your phishing site tries to use the response code calculated out of 327892 with the empty-inv-trade that is generated using 289472, on Valve's server, the challenge code 289472 wouldn't calculate to the same TOTP code that the even trade does, whose response code was input for.
The challenge code could just be a code that is calculated using a hash of trader party, your account name, a hash of all items in "give", a hash of all items in "get", and date/time when the trade request was created.
Your proposed scheme doesn't work because the trading UI is a fake one provided by the phishing site, not the real UI. As far as the Steam servers are concerned, there is no even trade. It's just a facade, a fake. As part of this fake trade UI, they can provide you with the confirmation code from the real empty-inventory trade that they're conducting behind the scenes.
When you enter the response code into the fake trade, they then use that code behind the scenes to authorise the real trade.
The authenticator app protects you from that because it definitely shows the real trade, because we can safely assume that the authenticator app is not tainted.
In general 2FA only weakly protects you against phishing; you can be tricked into authorising specific actions, but you can't give up the secret from which the OTP is generated.
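Added illustration, not code from anyone in this thread: a small Python simulation of the numbered relay flow above and of the challenge-code scheme proposed after it, showing that a plain TOTP code confirms whatever trade the phishing site attaches it to, that a code bound to the trade's challenge rejects a code computed for a different trade, and that the binding still fails once the fake UI simply displays the real trade's challenge, which is why only a trusted device showing the real trade closes the gap. The secret, trades, timestamp and the challenge/response construction are constructed assumptions, and the TOTP is plain RFC 6238, not Steam's own scheme.

```python
import hashlib
import hmac
import struct

# Constructed values for the simulation; not from any real account or trade.
SECRET = b"constructed-shared-secret"
T = 1_700_000_000  # fixed Unix time so the results are reproducible
EVEN_TRADE = {"partner": "stranger", "give": ("knife",), "get": ("knife",), "created": T}
EMPTY_TRADE = {"partner": "stranger", "give": ("knife", "rifle", "gloves"), "get": (), "created": T}

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """Plain RFC 6238 TOTP (HMAC-SHA1, 30 s step): the code depends on time only, not on any action."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def trade_challenge(trade: dict) -> str:
    """Hypothetical challenge: a digest of partner, items given, items received and creation time."""
    digest = hashlib.sha256(repr(sorted(trade.items())).encode()).hexdigest()
    return f"{int(digest, 16) % 10 ** 6:06d}"

def bound_code(secret: bytes, challenge: str, t: int, step: int = 30) -> str:
    """Hypothetical response code: HMAC over the challenge plus the current time step."""
    mac = hmac.new(secret, challenge.encode() + struct.pack(">Q", t // step), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10 ** 6:06d}"

def server_accepts_plain(code: str, t: int) -> bool:
    """Server using unbound TOTP: any currently valid code confirms whatever trade it is attached to."""
    return hmac.compare_digest(totp(SECRET, t), code)

def server_accepts_bound(trade: dict, code: str, t: int) -> bool:
    """Server using the challenge scheme: the code must match the trade the server actually holds."""
    return hmac.compare_digest(bound_code(SECRET, trade_challenge(trade), t), code)

def phish_with_plain_totp() -> bool:
    """Victim types the TOTP code into the fake UI; the site relays it to the real emptying trade."""
    return server_accepts_plain(totp(SECRET, T), T)

def phish_with_fake_challenge() -> bool:
    """Fake UI shows the even trade's own challenge; the relayed code does not match the real trade."""
    return server_accepts_bound(EMPTY_TRADE, bound_code(SECRET, trade_challenge(EVEN_TRADE), T), T)

def phish_with_relayed_challenge() -> bool:
    """Fake UI shows the even trade but displays the REAL trade's challenge; the relayed code matches."""
    return server_accepts_bound(EMPTY_TRADE, bound_code(SECRET, trade_challenge(EMPTY_TRADE), T), T)
```

The second case is the only one the server rejects, and it relies on the victim seeing the wrong challenge; the third case shows that a challenge number alone proves nothing unless the device that computes the response also shows what the challenge stands for.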
I'm going to assume that your impassioned response is due to a mislike of the two companies you mentioned, and not a reaction against 2 factor authentication per se.
If that is the case, I would like you to know that I also thoroughly mislike Google (and Facebook); luckily Google Authenticator is an open standard, and in no way has to rely on Google.
To illustrate this: I use "Google Authenticator" 2 factor authentication on various sites. However, the app on my phone is written by a third party, and I have no Google account.
This is partly why I feel it would be a useful addition, as it is an open standard for which many third-party phone apps and Windows programs are available; this makes it available to everyone, no matter what phone/device they may or may not have.