This topic has been locked
QuestNewt Dec 6, 2015 @ 3:02am
Google Authenticator as an Alternative to Steam Guard Mobile Authenticator
I like two factor authentication, and use it for many websites. I would use it on Steam as well, but they do not use the (extremely widely available) Google Authenticator, but rather their own custom app.

Unfortunately, this is not available on my phone; Google Authenticator is.

It would be nice if Google Authenticator was offered as an authentication option, alongside the existing SMS / Steam Mobile Authenticator options.
Showing 16-30 of 32 comments
georgedorn Dec 22, 2015 @ 11:36am 
Originally posted by INVISIBLE BRAIN:
ABSOLUTELY NOT!!!!

No google authenticator.

No facebook authenticator.

TOTP has nothing to do with facebook or google. Google authenticator is an open-source project originally by some people that work at Google to implement TOTP on Android. Google makes no money on it and doesn't even get a chance to steal any of your data when you use it.
RiO Dec 22, 2015 @ 12:05pm 
Originally posted by dcoke22:
Their logic seems flawed. They've conflated the need for 2FA with the need for acknowledgement of a trade.

Oh, their logic is flawed on a much more fundamental level than that. MUCH more.

To use the Steam 'two-factor' authenticator, you need to install the actual Steam app on your phone. That means people will actually be inclined to use it once every while and will sign into it with their credentials.

Being busy and always on the go, people also generally sign into and check their e-mail box on their phones. Probably checking the same e-mail account that is registered with Steam, because not that many users are prone to keeping multiple accounts. And even if they were the type of power user that does that, they'd usually sign into all of them from a personalized central application they always have access to... such as on their phone.

Lastly, you use your smart phone for well ... phone calls. And SMS messaging of course. The same kind of SMS messaging for which you can sign up with Valve to add security confirmation codes.

So really, this is not two-factor auth at all. It's just moving eee------verything onto a (generally poorly protected and easily stolen) smart phone and doing the old and flawed multi-step authentication dance there, instead of on a PC system.
Originally posted by dcoke22:
If it was up to me, I'd implement vanilla TOTP and require all Steam users to use it. Anyone who didn't have a mobile device, I'd send out a hardware token. This feels like a simpler solution than the one they've implemented.

What you are suggesting here, a vanilla generic TOTP solution, is already a bit better. It would not as easily be identified as a two-factor authentication mechanism dedicated to any one easily discovered platform, and as long as no sensitive account data has to be stored for it on the device itself, you're genuinely quite well protected. Of course, having everything set to remember your login credentials (and ease of personal use means lots and lots of users do so) and then having the e-mail box that receives e-mails from Steam registered on your phone kind of tosses a monkey wrench into that....

A hardware token that never leaves the house is a far better solution security-wise, especially if it has no need to ever be connected directly to the internet -- you simply cannot beat the added level of security of a physical air-gap -- but it conflicts with ease of use and will rub most users the wrong way if it becomes mandatory. Still, it's definitely what I'd favor.
Last edited by RiO; Dec 22, 2015 @ 12:06pm
aiusepsi Dec 22, 2015 @ 12:20pm 
Anyone with a criticism that relies on it being poor security because it's just moving credentials to the phone ought to tell that to Google, who have just started testing a way to log in to Gmail without having to use a password with just your phone: http://www.theverge.com/2015/12/22/10649396/google-login-without-password-mobile-security
Last edited by aiusepsi; Dec 22, 2015 @ 12:22pm
RiO Dec 22, 2015 @ 12:46pm 
Originally posted by aiusepsi:
Anyone with a criticism that relies on it being poor security because it's just moving credentials to the phone ought to tell that to Google, who have just started testing a way to log in to Gmail without having to use a password with just your phone: http://www.theverge.com/2015/12/22/10649396/google-login-without-password-mobile-security

Wonderful. One more feature to go on the 'not using, ever' list.
RiO Dec 23, 2015 @ 1:35pm 
Originally posted by aiusepsi:
Your proposed scheme doesn't work because the trading UI is a fake one provided by the phishing site, not the real UI. As far as the Steam servers are concerned, there is not even a trade. It's just a facade, a fake. As part of this fake trade UI, they can provide you with the confirmation code from the real empty-inventory trade that they're conducting behind the scenes.

Except, it's totally possible to have a user input the first or last few digits of unique IDs assigned to inventory items as part of the input to a multi-iteration production of a verification hash.

If a trade involves more than one item, use the digits of the three most valuable items in the trade (according to going Steam market rates) and incorporate as an additional check the total number of items involved in the trade.

Those are essential details that are hard-linked to the contents of the trade itself and those cannot be faked.

This is also how banks handle two-step hash signing for internet banking; they make the amounts transferred and the first or last few digits of the benefactor's bank account number part of the hash input. An additional control number supplied by the site itself has to also be entered by the user to ensure the user is talking to the correct website; an additional control number has to be generated via the chip on the bank card and the user's personal PIN; and finally a control number based on the current date and time has to be included to defeat replay attacks. (This is why many auth devices become useless once the battery is drained; their internal clock will lose sync.)
Last edited by RiO; Dec 23, 2015 @ 1:38pm
I didn't even know Facebook had an authenticator. Why would anyone ever use that? The Google one sounds like a good idea on our end, but my guess is that the Steam app gives Valve more control, which companies love, and more information to sell, which gives companies huge boners.
Pinhead Larry Dec 23, 2015 @ 2:29pm 
If you could have the option to do one or the other, I think that would be better
Satoru Dec 23, 2015 @ 4:49pm 
Originally posted by RiO:
Except, it's totally possible to have a user input the first or last few digits of unique IDs assigned to inventory items as part of the input to a multi-iteration production of a verification hash.

I've already got you on my phishing site. That means I can show you whatever 'unique' multi-digit code I want. Unless you're going to magically memorize every single 64-bit unique id for every item in your inventory, any number I feed you is going to pass. The only way that works is if you're comparing that # to a known good. If you're on my phishing site, hell, I can pass any number of 'fake' numbers I want to your screen.

Let's say you're some savant and have magically memorized hundreds of 64-bit numbers. You've already been phished, I have your credentials so I can already see the unique # anyway. I pass you the # for the scrap metal, in the back I actually make the trade for your Karambit. You can send me whatever number you want, I already have the unique id for the 'real' item I'm stealing.
Last edited by Satoru; Dec 23, 2015 @ 4:50pm
Fearless Airlines Dec 23, 2015 @ 5:34pm 
I remember using google waaaaay back when...'99 or so (a lifetime ago). But these days I'd use askjeeves or aol before I'd use that monster of an international data collection agency known as google.

Who knew that in the future we'd be looking to google to "authenticate" ourselves while paired with cellphone tracking devices in order to make purchases of virtual trading cards. Or that google would be developing robots for Skynet, putting pictures of our houses online, and making self-driving cars. Its OS is called "android" for LOL.

The Borg have won. Our days are numbered. Long live the Borg.
Last edited by Fearless Airlines; Dec 23, 2015 @ 6:21pm
RiO Dec 25, 2015 @ 6:27am 
Originally posted by Satoru:
Let's say you're some savant and have magically memorized hundreds of 64-bit numbers. You've already been phished, I have your credentials so I can already see the unique # anyway. I pass you the # for the scrap metal, in the back I actually make the trade for your Karambit. You can send me whatever number you want, I already have the unique id for the 'real' item I'm stealing.

You could also use part of the display name.

While a unique ID would be ideal for a reduced number of collisions, the display name would in practice actually work better in thwarting an attacker's attempts to manage a deterministic collision.

Given the added entropy of the initial randomized challenge number that Steam would present, they'd already have to compute a collision in near real-time, but basing it on the display name means a suitable collision would *also* have to make sense as the actual displayed name for the item...
Last edited by RiO; Dec 25, 2015 @ 6:30am
Satoru Dec 25, 2015 @ 8:32am 
Originally posted by RiO:
You could also use part of the display name.

Which is wholly irrelevant since I've already phished you and thus I have all the relevant 'info' you'd be using to authorize the trade anyway. I can show you random hashes, names, etc. Again, I own your account, I own the trade, I own the interface. No amount of hashing/challenge response/2fa is going to help because you cannot externally verify the contents of the trade.

Given the added entropy of the initial randomized challenge number that Steam would present, they'd already have to compute a collision in near real-time, but basing it on the display name means a suitable collision would *also* have to make sense as the actual displayed name for the item...

You're not actually understanding the problem

I HAVE ALREADY PHISHED YOU

The 'trade' you see on screen is entirely fake. The 'real' trade is the one I'm creating. On your screen I can send you any amount of nonsensical idiocy. You'd never know the trade was fake because I control everything about it. I can easily create the visual noise of a legit trade on the front end to you. You want hashes, unique IDs, names, etc? No problem, I own your account so I can show you all the accoutrements of a legit trade until the dawn of time. In the back, I'm trading away all your items to me. You send me the TOTP code, and presto, your stuff is mine.

This is why Steam uses the external authenticator to SHOW you the actual trade. Even if I phish you in the browser, the authenticator will show the actual trade and then you realize something is wrong.

No amount of hashing and other nonsense will help once I've phished you. I control everything about the trade visually. Without external verification you cannot guarantee the trade you see in the browser is the one you're actually doing.

Not to mention this means now every Steam trader needs to be a mathematical savant and know all their items, their names, their 64-bit ids and how to hash them so they can be verified? I'm not seeing how this is some kind of 'improvement' unless you're Rain Man.
Last edited by Satoru; Dec 25, 2015 @ 8:35am
Strahd Dec 25, 2015 @ 10:56am 
Lots of people don't care about trading so it would be nice to have a Google Authenticator option. The first (and only) time I tried to use the Steam mobile app it generated me a -blank- recovery key.
RiO Dec 25, 2015 @ 12:18pm 
Originally posted by Satoru:
You're not actually understanding the problem
No. You are not understanding.

Originally posted by Satoru:
The 'trade' you see on screen is entirely fake. The 'real' trade is the one I'm creating. On your screen I can send you any amount of nonsensical idiocy.

No, you cannot.

If auth-token computation takes parts of the names of the traded items, then you will have to show those original names to the target user so that they can enter them as part of the auth token generation process. If you give the user forged names different from what the server is expecting the user to enter, then the user will end up generating a token that will not match what the server is expecting.
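To make the mechanics behind both the "vanilla TOTP" suggestion earlier in the thread and the transaction-bound token RiO describes concrete, here is an added example (not Valve's, Google Authenticator's, or any poster's code): hotp()/totp() follow RFC 4226 / RFC 6238, while trade_token() is this example's own sketch that mixes a server challenge, the first characters of the item names and the item count into the HMAC input. The phishing_demo() scenario, item names and challenge value are constructed for illustration; it shows that the server accepts only a token computed over the real trade details, so a token typed from forged details fails, while a token typed from the real details shown on any page still passes.

```python
import hashlib
import hmac
import struct
import time

# Added example, not code from the thread or from Steam/Google Authenticator.
# hotp()/totp() are standard RFC 4226 / RFC 6238; trade_token() is assumed.

def hotp(secret: bytes, counter: int, digits: int = 6, extra: bytes = b"") -> str:
    """HMAC-SHA1 over the 8-byte counter (plus optional transaction data), then
    RFC 4226 dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + extra, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """Plain TOTP: the counter is the number of `step`-second intervals since the epoch."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)

def trade_token(secret: bytes, at: float, challenge: str, item_names, item_count: int,
                digits: int = 8) -> str:
    """Transaction-bound token (this example's assumption): the server's random
    challenge, the first four characters of up to three item names and the item
    count are mixed into the HMAC, so the token only verifies for what was typed."""
    parts = [challenge] + [n[:4].lower() for n in item_names[:3]] + [str(item_count)]
    return hotp(secret, int(at // 30), digits, "|".join(parts).encode())

def server_accepts(secret: bytes, at: float, challenge: str, real_items,
                   real_count: int, user_token: str) -> bool:
    """Server side: recompute the token from the real trade and compare in constant time."""
    expected = trade_token(secret, at, challenge, real_items, real_count)
    return hmac.compare_digest(expected, user_token)

def phishing_demo(secret: bytes, at: float = 1_450_000_000.0) -> tuple:
    """Constructed scenario from the thread: the real trade moves a 'Karambit',
    while a fake trade UI shows the user 'Scrap Metal'. Returns (honest_ok, forged_ok)."""
    challenge = "4821"  # constructed server challenge for this example
    real_items, real_count = ["Karambit"], 1
    shown_items, shown_count = ["Scrap Metal"], 1
    honest = trade_token(secret, at, challenge, real_items, real_count)
    forged = trade_token(secret, at, challenge, shown_items, shown_count)
    return (server_accepts(secret, at, challenge, real_items, real_count, honest),
            server_accepts(secret, at, challenge, real_items, real_count, forged))
```

The token binds what the user types, not what the user trusts: if the fake page displays the real item names, the user's token still verifies, which is the gap the rest of the thread argues an out-of-band confirmation display is meant to close.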
aLz1n0 Dec 25, 2015 @ 2:09pm 
yh
Reynard Fulvipes Jan 9, 2016 @ 4:18pm 
Originally posted by Strahd:
Lots of people don't care about trading so it would be nice to have a Google Authenticator option. The first (and only) time I tried to use the Steam mobile app it generated me a -blank- recovery key.

The number of errors I encountered during setup, the clumsiness of the app and the Steam PC client in general, and the very fact that Valve is bucking the INDUSTRY STANDARD methods of doing this type of 2 factor authentication doesn't bode well in my mind. There's a reason why Google, Facebook, and numerous other entities (some of them in the defense sector) all do 2 factor the same way.

Hell, I can't wait until I forget to deregister my phone, turn around and try to log in to fix the problem with the SINGLE one time use code I was given, and the server has a hiccup after it's used, and I'm stuck begging tech support to give me my account back.

This system reeks of being half-assed.

Date Posted: Dec 6, 2015 @ 3:02am
Posts: 32