This topic has been locked
QuestNewt Dec 6, 2015 @ 3:02am
Google Authenticator as an Alternative to Steam Guard Mobile Authenticator
I like two factor authentication, and use it for many websites. I would use it on Steam as well, but they do not use the (extremely widely available) Google Authenticator, but rather their own custom app.

Unfortunately, this is not available on my phone; Google Authenticator is.

It would be nice if Google Authenticator was offered as an authentication option, alongside the existing SMS / Steam Mobile Authenticator options.
Showing 1-15 of 32 comments
Veins_Bulging Dec 6, 2015 @ 3:28am 
+1 on that ^^^^
georgedorn Dec 9, 2015 @ 7:12pm 
Especially considering that Google Authenticator and SteamGuard are both completely standard implementations of TOTP. There's no technical reason Valve couldn't enable 2FA via any TOTP-compliant app; instead, you have to install all of Steam on your phone (if your phone can run it) rather than a tiny open-source 2FA code generator.
Fox Dec 9, 2015 @ 11:40pm 
Originally posted by georgedorn:
Especially considering that Google Authenticator and SteamGuard are both completely standard implementations of TOTP. There's no technical reason Valve couldn't enable 2FA via any TOTP-compliant app; instead, you have to install all of Steam on your phone (if your phone can run it) rather than a tiny open-source 2FA code generator.
If this thread is to be believed, the reason to not use other authentication features was made so the trade could be viewed and confirmed on another device.

Since this is as official as it can get, this suggestion is unlikely to happen.
QuestNewt Dec 10, 2015 @ 9:20am 
Originally posted by Fox:
If this thread is to be believed, the reason to not use other authentication features was made so the trade could be viewed and confirmed on another device.

I had not realised that trade had anything to do with it: the prompt I received from Steam was to do with logging in. I can certainly see why they would want to use their own app to verify trades.

So why not have the Steam Authenticator providing 2FA for logging in and trading, and allow the Google Authenticator to provide 2FA for logging in only as an alternative. Personally I have no interest in trading, so this would suit me nicely :)
LilyInMotion Dec 10, 2015 @ 9:25am 
I think Microsoft have a pretty good implementation of 2-factor authentication. Instead of having to type in a code off your phone, it just pops up as a notification to confirm or dismiss. Something like this would be useful.
Black Blade Dec 12, 2015 @ 6:04pm 
Originally posted by gypsythief:
I had not realised that trade had anything to do with it: the prompt I received from Steam was to do with logging in. I can certainly see why they would want to use their own app to verify trades.

So why not have the Steam Authenticator providing 2FA for logging in and trading, and allow the Google Authenticator to provide 2FA for logging in only as an alternative. Personally I have no interest in trading, so this would suit me nicely :)
I do agree something like that may be good for some users
dcoke22 Dec 19, 2015 @ 7:30pm 
Originally posted by Fox:
If this thread is to be believed, the reason to not use other authentication features was made so the trade could be viewed and confirmed on another device.

Since this is as official as it can get, this suggestion is unlikely to happen.

Their logic seems flawed. They've conflated the need for 2FA with the need for acknowledgement of a trade. I see the value of trade acknowledgement in reducing fraud, but getting as many people using two-factor authorization as possible would make a measurable impact on overall account security, wouldn't it?

I suppose the fact that they've tied the two together, despite all the downsides that entails, means trade acknowledgement is of higher importance to Valve.

If it was up to me, I'd implement vanilla TOTP and require all Steam users to use it. Anyone who didn't have a mobile device, I'd send out a hardware token. This feels like a simpler solution than the one they've implemented.
Black Blade Dec 19, 2015 @ 8:11pm 
Originally posted by dcoke22:
Their logic seems flawed. They've conflated the need for 2FA with the need for acknowledgement of a trade. I see the value of trade acknowledgement in reducing fraud, but getting as many people using two-factor authorization as possible would make a measurable impact on overall account security, wouldn't it?

I suppose the fact that they've tied the two together, despite all the downsides that entails, means trade acknowledgement is of higher importance to Valve.

If it was up to me, I'd implement vanilla TOTP and require all Steam users to use it. Anyone who didn't have a mobile device, I'd send out a hardware token. This feels like a simpler solution than the one they've implemented.
Overall I do agree.
I assume they're assuming that traders are at bigger risk, but I do agree that enabling it in more ways, like Google Auth or whatever is possible, will likely be better for most users.
georgedorn Dec 20, 2015 @ 4:57pm 
There's no real need to do trade confirmation; if somebody has your auth device, they have the ability to change your trade confirmation settings.

Most other services just require another TOTP token whenever you do something sensitive, just to make sure your session wasn't hijacked. TOTP works in both cases, and if users wanted their phone to buzz whenever another TOTP token is required, they can install the Steam app. Other users can just use a TOTP client and type in another token as part of the trade process.
aiusepsi Dec 20, 2015 @ 5:45pm 
Originally posted by georgedorn:
There's no real need to do trade confirmation; if somebody has your auth device, they have the ability to change your trade confirmation settings.
The trade confirmations are against phishing attacks, e.g. fake trade websites. Valve want to be sure that when you do confirm the trade, the trade details that you're shown are real.

If someone does have your auth device, then yes, you're screwed. But you can still defend against individual codes being man-in-the-middled/phished.
Last edited by aiusepsi; Dec 20, 2015 @ 5:49pm
Satoru Dec 20, 2015 @ 11:20pm 
Originally posted by dcoke22:
Their logic seems flawed. They've conflated the need for 2FA with the need for acknowledgement of a trade.

The reality is that accounts are hijacked due to their items. The way to move said items is via trading. Unless you can confirm the trade, you essentially get

1) log into phishing site
2) You 'trade' with me
3) You 'see' a trade that looks even
4) In reality i sent you a trade that empties your inventory
5) you send me the 'confirmation' TOTP code
6) the site inputs the TOTP code into the trade confirmation
7) you've now traded your entire inventory away and 'confirmed' it
HOT DOG Dec 20, 2015 @ 11:23pm 
ABSOLUTELY NOT!!!!

No google authenticator.

No facebook authenticator.
Sebastian Nielsen Dec 21, 2015 @ 1:04am 
Satoru: That could be prevented by having a challenge-response. E.g., on the trade there is a code you need to enter in the authenticator (using the standardized OCRA, the OATH Challenge-Response Algorithm), and then you get a response you have to enter in the trade window.

When you show the trade that looks even, the code is like 327892
The trade that empties your inventory has a code like 289472
Even if I enter the even trade in my authenticator and then enter the confirmation code on the phishing site, the trade would fail, because when your phishing site tries to use the response code calculated out of 327892 with the empty-inventory trade that is generated using 289472, on Valve's server the challenge code 289472 wouldn't calculate to the same TOTP code that the even trade does, whose response code was inputted for.

The challenge code could just be a code that is calculated using a hash of trader party, your account name, a hash of all items in "give", a hash of all items in "get", and date/time when the trade request was created.
aiusepsi Dec 21, 2015 @ 1:56am 
@Sebastian Nielsen, the point is that if you're being phished, what you're looking at isn't a real trade, it's a fake.

Your proposed scheme doesn't work because the trading UI is a fake one provided by the phishing site, not the real UI. As far as the Steam servers are concerned, there is no even trade. It's just a facade, a fake. As part of this fake trade UI, they can provide you with the confirmation code from the real empty-inventory trade that they're conducting behind the scenes.

When you enter the response code into the fake trade, they then use that code behind the scenes to authorise the real trade.

The authenticator app protects you from that because it definitely shows the real trade, because we can safely assume that the authenticator app is not tainted.

In general 2FA only weakly protects you against phishing; you can be tricked into authorising specific actions, but you can't give up the secret from which the OTP is generated.
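The relay Satoru lists, Sebastian Nielsen's challenge-response counter-proposal, and aiusepsi's objection to it, modelled as an added Python example (not code from this thread or from Valve): it implements RFC 4226/6238 codes, a simplified OCRA-style response (an assumption for the demo, not the real OCRA suite encoding), a constructed shared secret and two constructed trades, and checks which confirmation designs a code produced for the displayed trade gets past.

```python
import hashlib, hmac, struct

# Constructed demo secret shared by server and authenticator (not a real key).
SECRET = b"demo-shared-secret-not-real"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp(secret: bytes, t: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the 30-second time step."""
    return hotp(secret, t // step)

def trade_challenge(trade: dict) -> int:
    """Six-digit challenge derived from parties, items and creation time (Sebastian's idea)."""
    blob = repr(sorted(trade.items())).encode()
    return int.from_bytes(hashlib.sha256(blob).digest()[:4], "big") % 10 ** 6

def response(secret: bytes, challenge: int) -> str:
    """Simplified OCRA-style response: HOTP with the challenge as counter (demo assumption)."""
    return hotp(secret, challenge)

def server_accepts_totp(code: str, t: int) -> bool:
    """Plain TOTP confirmation: the code is not tied to any particular trade."""
    return hmac.compare_digest(code, totp(SECRET, t))

def server_accepts_bound(trade: dict, code: str) -> bool:
    """Challenge-bound confirmation: the code must match this trade's own challenge."""
    return hmac.compare_digest(code, response(SECRET, trade_challenge(trade)))

# Constructed trades: what the server really holds vs. what a fake trade UI displays.
REAL_TRADE = {"from": "victim", "to": "other", "give": ["knife", "rifle"], "get": [], "created": 1450656000}
SHOWN_TRADE = {"from": "victim", "to": "other", "give": ["knife"], "get": ["pistol"], "created": 1450656000}

def relay_outcomes(t: int = 1450656000) -> dict:
    """Does a code produced for the trade the user was shown confirm the real one?"""
    user_totp = totp(SECRET, t)                              # code read off a plain TOTP app
    honest = response(SECRET, trade_challenge(SHOWN_TRADE))  # challenge taken from the shown trade
    relayed = response(SECRET, trade_challenge(REAL_TRADE))  # fake UI displays the real challenge
    # An authenticator that fetches the trade itself displays REAL_TRADE, so the user sees the mismatch.
    app_view_matches_shown = trade_challenge(REAL_TRADE) == trade_challenge(SHOWN_TRADE)
    return {
        "plain_totp": server_accepts_totp(user_totp, t),
        "bound_honest_challenge": server_accepts_bound(REAL_TRADE, honest),
        "bound_relayed_challenge": server_accepts_bound(REAL_TRADE, relayed),
        "app_view_matches_shown": app_view_matches_shown,
    }
```

Only the last line of the result is what the Steam app actually relies on: the code is bound to a trade the user saw through a channel the phishing page does not control.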
QuestNewt Dec 22, 2015 @ 2:31am 
Originally posted by INVISIBLE BRAIN:
ABSOLUTELY NOT!!!!

No google authenticator.

No facebook authenticator.

I'm going to assume that your impassioned response is due to a mislike of the two companies you mentioned, and not a reaction against 2 factor authentication per se.

If that is the case, I would like you to know that I also thoroughly mislike Google (and Facebook); luckily Google Authenticator is an open standard, and in no way has to rely on Google.

To illustrate this: I use "Google Authenticator" 2 factor authentication on various sites. However, the app on my phone is written by a third party, and I have no Google account.

This is partly why I feel it would be a useful addition, as it is an open standard for which many third-party phone apps and Windows programs are available; this makes it available to everyone, no matter what phone/device they may or may not have.

Date Posted: Dec 6, 2015 @ 3:02am
Posts: 32