Support Security Keys and Passkeys for 2FA Sign-In
They are really convenient. Username, password, and then either touch a fingerprint sensor or touch a security key. No need to pull out your phone, unlock the phone, open an app, unlock the app, press approve… it takes seconds to set one up, and seconds to verify with one.

They're flexible, too! Windows 10 and 11, iOS, Android, some Linux distros, and all the major browsers support both passkeys and security keys! Even SteamOS and the Steam Deck could be made to support them if Valve wanted to. Passkey and security key functionality could be added to SteamOS, and the Steam Deck has a USB-C port and has NFC too.

They are both resistant against phishing, require verification to use, security keys are secure against malware, and passkeys are difficult to accidentally give away to someone to use, and there's no qr code forwarding shenanigans that can be done. For more targeted, high-profile users, the mere fact that they are not being prompted for security key or passkey 2fa may be a red flag in itself that they are being targeted and should change their password.

They are secure, convenient, easy and quick to set up and use, and take fewer steps than the Steam Guard app. It would be a wonderful addition to Steam.



Now, that said, I wish to address a couple points of contention that plagued the previous threads regarding this topic:

It is clear to me that Valve and countless Steam users love Steam Guard, and that replacement is a deal-breaker. So unlike others who have brought up security keys in the past, or participated in the threads thereof, I will say up front that no, I am not advocating to have Steam Guard deprecated in favor of security keys (and before any of y'all reply saying this defeats the point of security key authentication or whatever, bite your tongue or Valve will never add them at all!).

Steam Guard can still remain as fallback for sign-in, as well as remain for trade confirmations. Steam Guard could be required to be enabled, and only then allow you to add security keys and passkeys. "But muh precious Steam Guard" is easy to remedy — don't get rid of it!

Also, because I can already hear those old Dell keyboards clacking away, I will say now, I am also not advocating for making security keys mandatory. Every time 2fa is brought up anywhere on the internet, a brigade of old timers always butts in saying it shouldn't be added because they don't want to use it and ohhh I'll get locked out of my account. Okay, don't use it then, it's not gonna be mandatory! I shouldn't even have to bring this up, but there you go. (And to anyone who does want to demand mandatory security keys, bite your tongue too!)



please don't maul me for suggesting security keys and passkeys please 🥺
Showing 1-15 of 31 comments
Originally posted by Damariobros:
Steam Guard can still remain as fallback for sign-in, as well as remain for trade confirmations.

Valve want their own solution which they are entitled to do because it is their system, just like Blizzard and my Bank have their own mobile app.

As for phishing, end users need to stop giving away all their account details, because in 20+ years I have never lost access to my account and that includes before Steam Guard Email and Steam Guard Mobile existed.
Originally posted by Nx Machina:
As for phishing, end users need to stop giving away all their account details, because in 20+ years I have never lost access to my account and that includes before Steam Guard Email and Steam Guard Mobile existed.

Please don't take the high ground and patronize people for falling for scams. You've lasted 20 years without being phished, good for you! But others aren't so lucky, and losing their accounts can be devastating.

Phishing is becoming more and more convincing as time goes on. Attackers utilize convincing fake login pages on typosquatter domains or from fake security alert emails to steal login credentials in real time. People think they're logging into Steam when in reality it's a script on the other end inputting login details into the real Steam website.

Just because you've gone 20 years without falling for it, doesn't mean that everyone else is a complete idiot for falling for it. Any tools to help reduce these attacks should be embraced and appreciated.
Last edited by Damariobros; May 26 @ 4:11am
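
Added example, not part of any post in this thread and not Valve's code: the origin and RP ID checks a relying party runs on a WebAuthn (passkey or security key) assertion, applied to the lookalike login page case described in the post above. The domains, helper names and the simulated browser are assumptions made for illustration, and signature verification is left out.

```python
import base64
import hashlib
import hmac
import json
import os

# Assumed relying-party values (placeholders, not Steam's real configuration).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"
LOOKALIKE_ORIGIN = "https://login.examp1e.test"  # constructed typosquat
LOOKALIKE_RP_ID = "examp1e.test"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for the browser and authenticator.

    The browser, not the page, writes the origin into clientDataJSON, and the
    authenticator puts SHA-256(rp_id) at the start of authenticatorData.
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()
    flags = 0x05  # user present (0x01) + user verified (0x04)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return client_data, auth_data


def verify_binding(client_data_json: bytes, auth_data: bytes, issued_challenge: bytes):
    """Server-side binding checks; returns (ok, reason).

    Signature verification is omitted. The real signature covers
    authenticatorData || SHA-256(clientDataJSON), so neither field can be
    rewritten in transit without invalidating it.
    """
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if not hmac.compare_digest(str(cd.get("challenge", "")), b64url(issued_challenge)):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def run_scenarios():
    challenge = os.urandom(32)
    return {
        # User signs in on the real site.
        "genuine": verify_binding(*browser_assertion(EXPECTED_ORIGIN, RP_ID, challenge), challenge),
        # User is on a lookalike page that forwards the real site's challenge.
        "lookalike": verify_binding(*browser_assertion(LOOKALIKE_ORIGIN, LOOKALIKE_RP_ID, challenge), challenge),
        # An old assertion is presented against a fresh challenge.
        "stale": verify_binding(*browser_assertion(EXPECTED_ORIGIN, RP_ID, challenge), os.urandom(32)),
    }
```

A typed one-time code has no equivalent of the `origin` field, which is why the server cannot tell where the user entered it.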
Originally posted by Nx Machina:
Originally posted by Damariobros:
Steam Guard can still remain as fallback for sign-in, as well as remain for trade confirmations.

Valve want their own solution which they are entitled to do because it is their system, just like Blizzard and my Bank have their own mobile app.

Also I literally just said Valve can keep their proprietary app? In the actual part you quoted???
Ettanin May 26 @ 4:15am 
Adding more 2FA solutions means adding more maintenance. Alternative solutions are redundant as Steam's own solution is adequate with regards to security.

ALL 2FAs can be phished. It just takes a fake UI that directs the phished inputs to the real UI, interactively communicates between user and server and stores the generated session token. It doesn't matter how the key looks if the home owner is willing to give it away.
Originally posted by Damariobros:
Please don't take the high ground and patronize people for falling for scams. You've lasted 20 years without being phished, good for you! But others aren't so lucky, and losing their accounts can be devastating.

I take my account security seriously, hence why I have never lost access, whereas those who have lost access gave away all their account details voluntarily. Hopefully they will learn from that experience.

Originally posted by Damariobros:
Just because you've gone 20 years without falling for it, doesn't mean that everyone else is a complete idiot for falling for it. Any tools to help reduce these attacks should be embraced and appreciated.

There is no gold at the end of the rainbow, greed overrules common sense and they compromised their own account despite it being secured behind Steam Guard Mobile.

As a sidenote Steam Guard Mobile has biometrics.


So we go back to:

Valve want their own solution which they are entitled to do because it is their system, just like Blizzard and my Bank have their own mobile app.

In turn we go to:

https://store.steampowered.com/subscriber_agreement

C. Your Account (snipped)

You may not reveal, share or otherwise allow others to use your password or Account except as otherwise specifically authorized by Valve.

You are responsible for the confidentiality of your login and password and for the security of your computer system.

Valve is not responsible for the use of your password and Account or for all of the communication and activity on Steam that results from use of your login name and password by you, or by any person to whom you may have intentionally or by negligence disclosed your login and/or password in violation of this confidentiality provision.


This particular part is not just applicable to Steam:

You are responsible for the confidentiality of your login and password and for the security of your computer system.

But also to Ubisoft, EA, Blizzard, Epic, GOG, Rockstar, Bank, Credit Card, Pension, Insurance etc accounts.
Last edited by Nx Machina; May 26 @ 5:33am
Originally posted by Damariobros:
Also I literally just said Valve can keep their proprietary app? In the actual part you quoted???

How generous to suggest that Valve can keep their solution while ignoring:

Valve want their own solution which they are entitled to do because it is their system, just like Blizzard and my Bank have their own mobile app.
Originally posted by Nx Machina:
Originally posted by Damariobros:
Also I literally just said Valve can keep their proprietary app? In the actual part you quoted???

How generous to suggest that Valve can keep their solution while ignoring:

Valve want their own solution which they are entitled to do because it is their system, just like Blizzard and my Bank have their own mobile app.

I understand that Valve is entitled to come up with their own solution. That goes for ALL steam products. But if that alone is reason enough to shut down any discussion of improving, changing, adding to, or cutting from the systems maintained by Valve, then why the hell does the "Suggestions/Ideas" forum exist at all?

That argument makes me think you're just trying to shut me down for the sake of shutting me down because you're a contrarian.
Originally posted by Nx Machina:
Originally posted by Damariobros:
Please don't take the high ground and patronize people for falling for scams. You've lasted 20 years without being phished, good for you! But others aren't so lucky, and losing their accounts can be devastating.

I take my account security seriously, hence why I have never lost access, whereas those who have lost access gave away all their account details voluntarily. Hopefully they will learn from that experience.

As a sidenote Steam Guard Mobile has biometrics.

Originally posted by Damariobros:
Just because you've gone 20 years without falling for it, doesn't mean that everyone else is a complete idiot for falling for it. Any tools to help reduce these attacks should be embraced and appreciated.

There is no gold at the end of the rainbow, greed overrules common sense and they compromised their own account despite it being secured behind Steam Guard Mobile.

So we go back to:

Valve want their own solution which they are entitled to do because it is their system, just like Blizzard and my Bank have their own mobile app.

In turn we go to:

https://store.steampowered.com/subscriber_agreement

C. Your Account (snipped)

You may not reveal, share or otherwise allow others to use your password or Account except as otherwise specifically authorized by Valve.

You are responsible for the confidentiality of your login and password and for the security of your computer system.

Valve is not responsible for the use of your password and Account or for all of the communication and activity on Steam that results from use of your login name and password by you, or by any person to whom you may have intentionally or by negligence disclosed your login and/or password in violation of this confidentiality provision.


This particular part is not just applicable to Steam:

You are responsible for the confidentiality of your login and password and for the security of your computer system.

But also to Ubisoft, EA, Blizzard, Epic, GOG, Rockstar, Bank, Credit Card, Pension, Insurance etc accounts.
You say you've kept your accounts secure for 20 years by being vigilant, and that people who get phished should just do better, making phishing out to be an obvious attack that you're dumb or greedy (what?) if you fall for it. Yet, you then immediately contradict yourself by saying anything can be phished, even security keys, making phishing out to be something that is highly successful and that can get into any account. Pick one. You're contradicting yourself to both make yourself feel superior, to patronize others, and to also attack security keys from both sides of the argument.
Last edited by Damariobros; May 26 @ 4:39am
Originally posted by Damariobros:
I understand that Valve is entitled to come up with their own solution. That goes for ALL steam products. But if that alone is reason enough to shut down any discussion of improving, changing, adding to, or cutting from the systems maintained by Valve, then why the hell does the "Suggestions/Ideas" forum exist at all?

It exists for end users to discuss suggestions not to affirm them and Valve to look at.

Originally posted by Damariobros:
That argument makes me think you're just trying to shut me down for the sake of shutting me down because you're a contrarian.

Did you forget you posted:

Originally posted by Damariobros:
Every time 2fa is brought up anywhere on the internet, a brigade of old timers always butts in saying it shouldn't be added because they don't want to use it and ohhh I'll get locked out of my account.
Originally posted by Damariobros:
You say you've kept your accounts secure for 20 years by being vigilant, and that people who get phished should just do better, making phishing out to be an obvious attack that you're dumb or greedy (what?) if you fall for it. Yet, you then immediately contradict yourself by saying anything can be phished, even security keys, making phishing out to be something that is highly successful and that can get into any account. Pick one. You're contradicting yourself to both make yourself feel superior, to patronize others, and to also attack security keys from both sides of the argument.

You are the one stating phishing is an issue and Valve needs to adopt other solutions and that those other solutions are resistant to phishing, so how do accounts get phished that use those other solutions? The answer is because despite the security offered end users will always find a way to break it.

So we go back to:

This particular part is not just applicable to Steam:

You are responsible for the confidentiality of your login and password and for the security of your computer system.

But also to Ubisoft, EA, Blizzard, Epic, GOG, Rockstar, Bank, Credit Card, Pension, Insurance etc accounts.


As a sidenote Steam Guard Mobile has biometrics.
Last edited by Nx Machina; May 26 @ 4:57am
Originally posted by Nx Machina:
Originally posted by Damariobros:
I understand that Valve is entitled to come up with their own solution. That goes for ALL steam products. But if that alone is reason enough to shut down any discussion of improving, changing, adding to, or cutting from the systems maintained by Valve, then why the hell does the "Suggestions/Ideas" forum exist at all?

It exists for end users to discuss suggestions not to affirm them and Valve to look at.

Originally posted by Damariobros:
That argument makes me think you're just trying to shut me down for the sake of shutting me down because you're a contrarian.

Did you forget you posted:

Originally posted by Damariobros:
Every time 2fa is brought up anywhere on the internet, a brigade of old timers always butts in saying it shouldn't be added because they don't want to use it and ohhh I'll get locked out of my account.

You are grasping at straws to argue against security keys, as I predicted would happen! You are literally the brigade of old-timers I knew would show up!

Mel Brooks could make a movie out of these forums I swear…
Originally posted by Damariobros:
You are grasping at straws to argue against security keys, as I predicted would happen! You are literally the brigade of old-timers I knew would show up!

Mel Brooks could make a movie out of these forums I swear…

You were not here for discussion as can be seen in the quote above. You are here for affirmation of your suggestion.

Then there are other examples:

Originally posted by Damariobros:
you're just trying to shut me down for the sake of shutting me down because you're a contrarian.

And of course:

Originally posted by Damariobros:
Every time 2fa is brought up anywhere on the internet, a brigade of old timers always butts in saying it shouldn't be added because they don't want to use it and ohhh I'll get locked out of my account.

Because god-forbid others actually find the security offered by Valve, secure. Those selfsame old timers as you refer to them who have never lost access to their account.
Last edited by Nx Machina; May 26 @ 4:53am
Originally posted by Nx Machina:
Originally posted by Damariobros:
You say you've kept your accounts secure for 20 years by being vigilant, and that people who get phished should just do better, making phishing out to be an obvious attack that you're dumb or greedy (what?) if you fall for it. Yet, you then immediately contradict yourself by saying anything can be phished, even security keys, making phishing out to be something that is highly successful and that can get into any account. Pick one. You're contradicting yourself to both make yourself feel superior, to patronize others, and to also attack security keys from both sides of the argument.

You are the one stating phishing is an issue and Valve needs to adopt other solutions and that those other solutions are resistant to phishing, so how do accounts get phished that use those other solutions? The answer is because despite the security offered end users will always find a way to break it.

So we go back to:

This particular part is not just applicable to Steam:

You are responsible for the confidentiality of your login and password and for the security of your computer system.

But also to Ubisoft, EA, Blizzard, Epic, GOG, Rockstar, Bank, Credit Card, Pension, Insurance etc accounts.


As a sidenote Steam Guard Mobile has biometrics.

Just because Valve is not responsible for people giving away their username and password, does not in itself rule out any possible proactive measures to reduce the rate of successful phishing attacks.

Going on a tangent, but you ever heard of section 230? It says that websites are not responsible for the content their users post. So why do all forums have a moderator team? Because that does not preclude them from being able to still keep the community safe. They can take proactive measures even though there is a law saying they're not responsible for users causing trouble.

Same concept would apply here. Valve might not be responsible for users getting phished, but that doesn't mean we can't suggest something here that would help with the problem.

Btw you mentioned that Steam Guard has biometrics; that still requires you to pull out your phone and open the app, and in fact adds another step to logging in. That is not the same as passkeys and security keys, which only require one tap, fingerprint scan, or pin entry, and don't require getting out your phone and switching apps.

Also as a side note, this whole thread has been ignoring the rest of my post, all the other reasons in favor of passkeys and security keys — the convenience and flexibility of security keys and passkeys are also points of consideration.
Originally posted by Damariobros:
Just because Valve is not responsible for people giving away their username and password, does not in itself rule out any possible proactive measures to reduce the rate of successful phishing attacks.

Successful because end users give away all their account details.

So how do accounts get phished that use those other solutions you deem secure?

Originally posted by Damariobros:
Btw you mentioned that Steam Guard has biometrics; that still requires you to pull out your phone and open the app, and in fact adds another step to logging in.

And that is the great thing. To get on my account you need my phone and a finger and not just for Steam but also the Blizzard app and the Bank app on my phone. Not one of those accounts has been compromised and yet here you are stating Valve has to have additional options, when it basically comes down to you do not want to pull out your phone.
Last edited by Nx Machina; May 26 @ 5:02am
Originally posted by Nx Machina:
Originally posted by Damariobros:
You are grasping at straws to argue against security keys, as I predicted would happen! You are literally the brigade of old-timers I knew would show up!

Mel Brooks could make a movie out of these forums I swear…

You were not here for discussion as can be seen in the quote above. You are here for affirmation of your suggestion.

Then there are other examples:

Originally posted by Damariobros:
you're just trying to shut me down for the sake of shutting me down because you're a contrarian.

And of course:

Originally posted by Damariobros:
Every time 2fa is brought up anywhere on the internet, a brigade of old timers always butts in saying it shouldn't be added because they don't want to use it and ohhh I'll get locked out of my account.

Because god-forbid others actually find the security offered by Valve, secure. Those selfsame old timers as you refer to them who have never lost access to their account.
If Valve had another way to suggest stuff to them I'd gladly use it. Same thing happened over on GameFAQs where a bunch of people who were either not properly informed about 2fa, stuck up in opposition to 2fa, or didn't want to read the thread, flooded the thread with opposition that wasn't actually grounded in any substantial points, and I ended up having to skip the community discussion and go straight to opening a ticket (which got a response in the affirmative from the admins, btw --- won't happen soon but it's on the to-do list).

Alas, here on Steam, I have to make a forum post.

Date Posted: May 26 @ 3:44am
Posts: 31