+1 on that ^^^^

Especially considering that Google Authenticator and SteamGuard are both completely standard implementations of TOTP. There's no technical reason Valve couldn't enable 2FA via any TOTP-compliant app; instead, you have to install all of steam on your phone (if your phone can run it) rather than a tiny open-source 2FA code generator.

Originally posted by georgedorn:

Especially considering that Google Authenticator and SteamGuard are both completely standard implementations of TOTP. There's no technical reason Valve couldn't enable 2FA via any TOTP-compliant app; instead, you have to install all of steam on your phone (if your phone can run it) rather than a tiny open-source 2FA code generator.

If this thread is to be believed, the reason to not use other authentication features was made so the trade could be viewed and confirmed on another device.

Since this is as official as it can get, this suggestion is unlikely to happen.

Originally posted by Fox:

If this thread is to be believed, the reason to not use other authentication features was made so the trade could be viewed and confirmed on another device.

I had not realised that trade had anything to do with it: the prompt I received from Steam was to do with logging in. I can certainly see why they would want to use their own app to verify trades.

So why not have the Steam Authenticator providing 2FA for logging in and trading, and allow the Google Authenticator to provide 2FA for logging in only as an alternative. Personally I have no interest in trading, so this would suit me nicely :)

I think Microsoft have a pretty good implementation of 2-factor authentication. Instead of having to type in a code off your phone, it just pops up as a notification to confirm or dismiss. Something like this would be useful.

Originally posted by gypsythief:

I had not realised that trade had anything to do with it: the prompt I received from Steam was to do with logging in. I can certainly see why they would want to use their own app to verify trades.

So why not have the Steam Authenticator providing 2FA for logging in and trading, and allow the Google Authenticator to provide 2FA for logging in only as an alternative. Personally I have no interest in trading, so this would suit me nicely :)

I do agree something like that may be good for some users

Originally posted by Fox:

If this thread is to be believed, the reason to not use other authentication features was made so the trade could be viewed and confirmed on another device.

Since this is as official as it can get, this suggestion is unlikely to happen.

Their logic seems flawed. They've conflated the need for 2FA with the need for acknowledgement of a trade. I see the value of trade acknowledgement in reducing fraud, but getting as many people using two-factor authorization as possible would make a measurable impact on overall account security, wouldn't it?

I suppose that they've tied the two together, despite all the downsides that entails, means trade acknowledgement is of higher importantance to Valve.

If it was up to me, I'd implement vanilla TOTP and require all Steam users to use it. Anyone who didn't have a mobile device, I'd send out a hardware token. This feels like a simpler solution than the one they've implemented.

Originally posted by dcoke22:

Their logic seems flawed. They've conflated the need for 2FA with the need for acknowledgement of a trade. I see the value of trade acknowledgement in reducing fraud, but getting as many people using two-factor authorization as possible would make a measurable impact on overall account security, wouldn't it?

I suppose that they've tied the two together, despite all the downsides that entails, means trade acknowledgement is of higher importantance to Valve.

If it was up to me, I'd implement vanilla TOTP and require all Steam users to use it. Anyone who didn't have a mobile device, I'd send out a hardware token. This feels like a simpler solution than the one they've implemented.

Over all i do agree
I assume they assuming that traders are in bigger risk, but i do agree that enabling it on more ways like Google Auf, or what ever is possible will likely be better for most users

There's no real need to do trade confirmation; if somebody has your auth device, they have the ability to change your trade confirmation settings.

Most other services just require another TOTP token whenever you do something sensitive, just to make sure your session wasn't hijacked. TOTP works in both cases, and if users wanted their phone to buzz whenever another TOTP token is required, they can install the Steam app. Other users can just use a TOTP client and type in another token as part of the trade process.

Originally posted by georgedorn:

There's no real need to do trade confirmation; if somebody has your auth device, they have the ability to change your trade confirmation settings.

The trade confirmations are against phising attacks, e.g. fake trade websites. Valve want to be sure that when you do confirm the trade, the trade details that you're shown are real.

If someone does have your auth device, then yes, you're screwed. But you can still defend against individual codes being man-in-the-middled/phished.

Originally posted by dcoke22:

Their logic seems flawed. They've conflated the need for 2FA with the need for acknowledgement of a trade.

The reality is that accounts are hijacked due to their items. The way to move said items via trading. Unless you can confirm the trade you essentially get

1) log into phishing site
2) You 'trade' with me
3) You 'see' a trade that looks even
4) In reality i sent you a trade that empties your inventory
5) you send me the 'confirmation' TOTP code
6) the site input the TOTP code into the trade confirmation
7) you've now traded your entire inventory away and 'confirmed' it

ABSOLUTELY NOT!!!!

No google authenticator.

No facebook authenticator.

Satoru: That could be prevented by having a challenge-response. Eg, on the trade there is a code you need to enter in authenticator (using standarized OCRA - OATH Challenge Response Algoritm), and then you get a response, you have to enter in the trade window.

When you show the trade that looks even, the code is like 327892
The trade that empties your inventory has a code like 289472
Even if I enter the even trade in my authenticator and then enters the confirmation code on phising site, the trade would fail, because when your phishing site tries to use the response code calculated out of 327892 with the empty-inv-trade that is generated using 289472, on valves server, the challenge code 289472 wouldnt calculate to the same TOTP code that the even trade does, whose response code was inputted for.

The challenge code could just be a code that is calculated using a hash of trader party, your account name, a hash of all items in "give", a hash of all items in "get", and date/time when the trade request was created.

@Sebastian Nielsen, the point is that if you're being phished, what you're looking at isn't a real trade, it's a fake.

Your proposed scheme doesn't work because the trading UI is a fake one provided by the phishing site, not the real UI. As far as the Steam servers are concerned, there is no even trade. It's just a facade, a fake. As part of this fake trade UI, they can provide you with the confirmation code from the real empty-inventory trade that they're conducting behind the scenes.

When you enter the response code into the fake trade, they then use that code behind the scenes to authorise the real trade.

The authenticator app protects you from that because it definitely shows the real trade, because we can safely assume that the authenticator app is not tainted.

In general 2FA only weakly protects you against phishing; you can be tricked into authorising specific actions, but you can't give up the secret from which the OTP is generated.

Originally posted by INVISIBLE BRAIN:

ABSOLUTELY NOT!!!!

No google authenticator.

No facebook authenticator.

I'm going to assume the your impassioned response is due to a mislike of the two companies you mentioned, and not a reaction against 2 factor authentication per se.

If that is the case, I would like you to know that I also thoroughly mislike Google (and Facebook); luckily Google Authenticator is an open standard, and in no way has to rely on Google.

To illustrate this: I use "Google Authenticator" 2 factor authentication on various sites. However, the app on my phone is written by a third party, and I have no Google account.

This is partly why I feel it would be a useful addition, as it is an open standard for which many third-party phone apps and Windows programs are available; this makes it available to everyone, no matter what phone/device they may or may not have.