Google Authenticator and Face ID
Hey Valve,

I would highly recommend any sort of Authenticator as an extra layer of protection for the account as well for the big investors as CS2 skins that are worth a lot of money.

And the 2nd protection Face ID as an extra protection for confirming trades together with Authenticator such as Google Auth.

Let's make Steam great again ;)

Showing 1-14 of 14 comments
Originally posted by Pumpinho:
Google Authenticator and Face ID

Hey Valve,

I would highly recommend any sort of Authenticator as an extra layer of protection for the account as well for the big investors as CS2 skins that are worth a lot of money.

And the 2nd protection Face ID as an extra protection for confirming trades together with Authenticator such as Google Auth.

Let's make Steam great again ;)

The mobile app supports biometric authentication.

:nkCool:
Satoru Jan 6 @ 5:14pm 
It already supports that in the app

Settings -> Security -> Enable Face ID

This forces FaceID. You can enable it to open the app at all, or only for SteamGuard and Trade Confirmations.

You can also set a separate timeout to re-enable FaceID either on app exit, or after 5/10/15 minutes

Note that most hijacks remove the existing authenticator and make a new one. Very few people are getting their phones stolen and then having their inventory emptied. This only protects against a pretty small subset of problems.
Last edited by Satoru; Jan 6 @ 5:18pm
b3so Jan 6 @ 5:14pm 
GOOD
Originally posted by cSg|mc-Hotsauce:
The mobile app supports biometric authentication.

The mobile app is no 2FA, but the very opposite of it.

Talking of which: can we please get 2FA again, valve?
Originally posted by Auftragsmoerder:
Originally posted by cSg|mc-Hotsauce:
The mobile app supports biometric authentication.

The mobile app is no 2FA, but the very opposite of it.

Talking of which: can we please get 2FA again, valve?
How exactly isn't it? It requires you to add an additional code that you have only on your authenticator app.
Originally posted by Zarineth:
How exactly?

Stop me if i'm wrong, but last time i checked you

  1. need to log into steam mobile app
  2. can't log out from steam mobile app (while you want to use it as "2FA")
  3. can chat and even spend money on mobile app
  4. that you still can't log out (as you still want to use it for desktop steam)

This is an attack vector, not a security measurement. If you value your steam account, you stopped using it about a year ago (or was it 2, i am getting old)
Originally posted by Auftragsmoerder:
Originally posted by Zarineth:
How exactly?

Stop me if i'm wrong, but last time i checked you

  1. need to log into steam mobile app
  2. can't log out from steam mobile app (while you want to use it as "2FA")
  3. can chat and even spend money on mobile app
  4. that you still can't log out (as you still want to use it for desktop steam)

This is an attack vector, not a security measurement. If you value your steam account, you stopped using it about a year ago (or was it 2, i am getting old)
Have to be logged into other authenticators too.
Correct, you remain logged in like other authenticator apps.

How is this an attack vector, other than you losing your phone/device?
Last edited by Komarimaru; Jan 6 @ 6:17pm
Nx Machina Jan 6 @ 7:20pm 
Originally posted by Pumpinho:
Hey Valve,

I would highly recommend any sort of Authenticator as an extra layer of protection for the account as well for the big investors as CS2 skins that are worth a lot of money.

And the 2nd protection Face ID as an extra protection for confirming trades together with Authenticator such as Google Auth.

Let's make Steam great again ;)

Stop giving away all your account details solves the problem.

You need my finger and mobile phone to get on my account.
Last edited by Nx Machina; Jan 6 @ 7:21pm
Originally posted by Auftragsmoerder:
The mobile app is no 2FA, but the very opposite of it.

Talking of which: can we please get 2FA again, valve?

It is 2FA.

As for:

Originally posted by Auftragsmoerder:
Stop me if i'm wrong, but last time i checked you

  1. need to log into steam mobile app
  2. can't log out from steam mobile app (while you want to use it as "2FA")
  3. can chat and even spend money on mobile app
  4. that you still can't log out (as you still want to use it for desktop steam)

This is an attack vector, not a security measurement. If you value your steam account, you stopped using it about a year ago (or was it 2, i am getting old)

Google Authenticator and Battlenet app are always online to name just two.

Attack vector? Feel free to try to access my account.

The reality is accounts are PHISHED not hacked because the end user gave away all their account details.

The account name, the password and the KEY to the door, the Steam Guard Mobile code, or scanning the QR code or authorising via fingerprint giving them access to the account.

How? By either logging into a known scam site or sites, tailored malware on your PC, the vote for my team scam, you have a pending ban scam on Discord, free knife click the link, signing in through a fake login window etc.

How does Steam (a program) know it is not you when all the account details are correct? It doesn't, therefore any action taken on your account is seen as you doing said actions.

The alternative is not plausible:

1) Someone would have to "GUESS" your account name from "millions of possible combinations".

2) Next they would have to "GUESS" your password from "millions of possible combinations" and then match it to your account name with "millions of possible combinations".

3) And finally they would have to "GUESS" the Steam Guard Mobile code "which changes every 30 seconds" to match both your account name and password to then have access to your account.

The weakest link is the end user, not the security offered.
Last edited by Nx Machina; Jan 6 @ 7:26pm
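An added example, not part of any post in this thread and not Valve's code: a standard RFC 6238 TOTP verifier showing the two claims in the post above, that blind guessing a 30-second code is implausible and that a server cannot tell who submits a correct code. The Steam Guard code format and acceptance window are not given on this page, so the 6-digit codes, the +/- 1 step drift allowance and the sample secret are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, matching "changes every 30 seconds" in the post

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", int(now // STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, now: float, drift_steps: int = 1) -> bool:
    """Server-side check: accept codes from the current step +/- drift_steps (assumed)."""
    return any(
        hmac.compare_digest(totp(secret, now + d * STEP), code)
        for d in range(-drift_steps, drift_steps + 1)
    )

def guess_success_probability(attempts: int, digits: int = 6, drift_steps: int = 1) -> float:
    """Chance that `attempts` distinct blind guesses hit one of the accepted codes."""
    accepted = 2 * drift_steps + 1
    return min(1.0, attempts * accepted / 10 ** digits)

def simulate() -> dict:
    secret = b"12345678901234567890"  # constructed sample secret (RFC 6238 test key)
    t_user = 59                       # the account owner reads the code at t = 59 s
    code = totp(secret, t_user)
    return {
        "code": code,
        # The same code submitted 20 s later from anywhere: the server sees only a valid code.
        "valid_within_window": verify(secret, code, t_user + 20),
        # The same code submitted after the accepted window has passed is rejected.
        "valid_after_window": verify(secret, code, t_user + 120),
        # Ten blind guesses against three accepted codes out of a million.
        "blind_guess_10_tries": guess_success_probability(10),
    }

if __name__ == "__main__":
    print(simulate())
```

The verifier has no input that identifies who typed the code, which is why a code entered on a fake login page and forwarded within the window is accepted as the owner's.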
Originally posted by Komarimaru:
How is this an attack vector, other than you losing your phone/device?

Well this is the very point. When your phone gets lost/stolen/hacked steam is totally vulnerable.


Originally posted by Nx Machina:
The weakest link is the end user, not the security offered.

If i am not wrong in any of the 4 points i stated in the beginning, the weakest point is STILL the damn mobile app. If i made no mistake there then it is apparently NO second factor involved.

It is not even called anything "authenticator". It was called that back in the days when it was only that, an authenticator actually acting as the second factor for steam. Back then i could not buy stuff there (not sure if i could chat via that authenticator). After that the mobile app was published, that provided authentication AND access to chat and the shop while forcing you to stay logged in. Permanent access to your full account. No second factor. No security provided, but lost.

If you value your account, get rid of steam mobile app asap AND support the OP.
Originally posted by Auftragsmoerder:
If i am not wrong in any of the 4 points i stated in the beginning, the weakest point is STILL the damn mobile app. If i made no mistake there then it is apparently NO second factor involved.

Feel free to prove your claim by accessing my account because as already stated.

Originally posted by Nx Machina:
The weakest link is the end user, not the security offered.

As for:

Originally posted by Auftragsmoerder:
If you value your account, get rid of steam mobile app asap AND support the OP.

Being here 20+ years and I have never lost access to my account and that includes before Steam Guard Email and Steam Guard Mobile existed.

As for supporting the OP, gain access to my account, prove you have by writing something on my profile and turning it from private to public.
Originally posted by Auftragsmoerder:
Originally posted by cSg|mc-Hotsauce:
The mobile app supports biometric authentication.

The mobile app is no 2FA, but the very opposite of it.

Talking of which: can we please get 2FA again, valve?
The mobile app is 2fa, you using it incorrectly doesn't change that.
Originally posted by Auftragsmoerder:
Well this is the very point. When your phone gets lost/stolen/hacked steam is totally vulnerable.
And if your home keys get stolen your house is.

And whoever is stealing your phone couldn't be less interested in your Steam items.

Besides, I've yet to see, after years of this 'threat vector' being brought up, someone who got 'hacked' out of a stolen or hacked phone.
Satoru Jan 7 @ 5:58pm 
Originally posted by Tito Shivan:
Originally posted by Auftragsmoerder:
Well this is the very point. When your phone gets lost/stolen/hacked steam is totally vulnerable.
And if your home keys get stolen your house is.

And whoever is stealing your phone couldn't be less interested in your Steam items.

Besides, I've yet to see, after years of this 'threat vector' being brought up, someone who got 'hacked' out of a stolen or hacked phone.

Apple has this in their new iOS updates via "Stolen Phone Protection" since the iPhone can be used to reset a user's password. Actors, usually working as a group, will target someone, and basically watch them input their passcode. This isn't particularly hard to pull off depending on the user. Some people don't use FaceID or biometrics so they always put in their passcode. If a user is FaceID centric the gang simply looks for a different victim. Once they do so, the gang distracts the user and steals the phone. They then immediately use the passcode to lock the AppleID out. The device can then be disabled from things like Find My iPhone and then sold off. The Stolen Phone Protection prevents security stuff like your password being changed outside of certain areas you designate.

But like these gangs aren't looking to steal people's phones for their Steam inventory. They're using it to steal phones for resale. They're just going to remove it from Find My iPhone and then wipe the device so it's 'clean'.

This again requires a lot of coordination from a gang. A stolen phone without this level of attack can be mitigated by simply having a lock screen on your phone. On the Steam app enable FaceID for "on app open", which further mitigates a 'snatch and grab' of your phone while unlocked, since the app isn't accessible without FaceID.

People sort of imagine way too much like they're going to be victims of some kind of highly sophisticated theft ring, when that's really just not the case. And again why do that when you can spend literally $5 to get a SaaS phishing website and tell people you're running an Elden Ring stress test and people will sign up using their steam account in droves, because people are extremely dumb. This requires zero effort, and lets me get thousands of steam accounts in my sleep. Why would I try to do a high risk stealing of someone's phone by *gasp* going outside.
Last edited by Satoru; Jan 7 @ 6:05pm

Date Posted: Jan 6 @ 5:06pm
Posts: 14