ReBoot původně napsal:

Well, from people working in different countries, I have heard of Russia bring, ihm, special in that regard.

Not the point I'm gettng at.

Obviously there's a reason why they introduced cameras as law, but what I'm getting at is how you can assume one thing incorrectly from the amount of cases you see.

Chalupabaras původně napsal:

Muppet among Puppets původně napsal:

The reason why you use 2fa is because of the company might get hacked.
You dont use it for much else (if you follow recommended security).

2fa is meant to give you more time than the decryption of the password database might need, if it gets stolen.

2FA is a good layer of protection, but Valve's authenticator app becomes useless if your device gets compromised.

Yes, i would not carry a phone with me that could let anyone log into steam.

They should let people use google auth or so. Its strange if you look at how important it is for steam to have an own app, and its basically less secure than account name and password were. If someone uses your phone.

"No matter how foolproof you make an internet/account security system, the world will always provide a better fool." Quite literally sits in the mind of ANYONE who does ANY sort of work in cybersecurity.

Leonardo Da Pinchi původně napsal:

"No matter how foolproof you make an internet/account security system, the world will always provide a better fool." Quite literally sits in the mind of ANYONE who does ANY sort of work in cybersecurity.

The qr code login is a good idea, if password was still required. But not just qr code.

Eagle_of_Fire původně napsal:

As a side note, which MIGHT be slightly off topic: I've noticed that most people who whine about this kind of problem are using Euros. So they are from Europe.

Something must be happening over there which is not happening elsewhere. Something regional. It could be just as ridiculous and seemingly as innocuous than a phone app which is very popular over there but secretly steal data... And with the popularity of accessing everything (including Steam) from phones... Well it is not outlandish to think that's a high possibility.

I'm mentioning this because OP is adamant about not using third party sites. Which is the first thing everybody think about but certainly not the only way to go.

That's not true at all.

People from china and US also have had their accounts stolen.

Muppet among Puppets původně napsal:

Chalupabaras původně napsal:

2FA is a good layer of protection, but Valve's authenticator app becomes useless if your device gets compromised.

Yes, i would not carry a phone with me that could let anyone log into steam.

They should let people use google auth or so. Its strange if you look at how important it is for steam to have an own app, and its basically less secure than account name and password were. If someone uses your phone.

Google authentication is the same thing, just gives you numbers to enter and verify.

THE LORD původně napsal:

Eagle_of_Fire původně napsal:

As a side note, which MIGHT be slightly off topic: I've noticed that most people who whine about this kind of problem are using Euros. So they are from Europe.

Something must be happening over there which is not happening elsewhere. Something regional. It could be just as ridiculous and seemingly as innocuous than a phone app which is very popular over there but secretly steal data... And with the popularity of accessing everything (including Steam) from phones... Well it is not outlandish to think that's a high possibility.

I'm mentioning this because OP is adamant about not using third party sites. Which is the first thing everybody think about but certainly not the only way to go.

That's not true at all.

People from china and US also have had their accounts stolen.

Of course they have. Duh.

I'm just saying something specific, local to the OP might have tagged him. There is dozains of different way to manage to get the login info of someone. Apps which are popular at one place but not at the other or even things like middle man hacks can happen anywhere. Just that I see a lot of Europeans in this boat lately.

Komarimaru původně napsal:

Muppet among Puppets původně napsal:

Yes, i would not carry a phone with me that could let anyone log into steam.

They should let people use google auth or so. Its strange if you look at how important it is for steam to have an own app, and its basically less secure than account name and password were. If someone uses your phone.

Google authentication is the same thing, just gives you numbers to enter and verify.

But if someone has your google auth, he can not log in though.

aiusepsi původně napsal:

I think what you're getting at here is that attacks will shift to the "Lost your passkey?" flow, which is analogous to the "Forgotten your password?" flow currently. That is something to bear in mind when implementing these things. But, those recovery flows aren't like typical logins, and can have additional protections.

For example, Steam already restricts you from trading and the market for 5 days if your password is reset. Adding/removing a mobile authenticator to/from a Steam account restricts you for 15 days. You can assume something similar for passkeys.

The other thing - not phishing related, but just in general for password-less security - if someone gains access to the PC while it's running then they would gain access to any password-less account as well.. maybe it asks for a username or email - but those are not generally private or sensitive info (eg: in case of email, everyone sees the email login since it is usually the same as the email address).

2FA is based on 2 factors - something you know (password), something you have (code generator or similar), or something you are (biometrics like retina scan, fingerprint, face id, etc). From what it looks like, that style of password-less security might be more secure from a "can it be faked / cracked / hacked" point of view, but seems less secure to me if it is removing the 2 from 2FA

I dumb it down for you OP.
Victim hands car keys to some rando.

Some rando Drives off with victim car.

Victim get upset.

Victim looking whom to blame, instead of using any logical sense that could've been avoided if simply did not give car keys to Rando to begin with, or to anyone for that matter.

Point of it, stop giving scammers your stuff, and you stop getting rob of your stuff it's that simple, look up what "phishing" means you understand more when you educate yourself.

Muppet among Puppets původně napsal:

Komarimaru původně napsal:

Google authentication is the same thing, just gives you numbers to enter and verify.

But if someone has your google auth, he can not log in though.

Same for steam authenticator, so not sure what point you're trying to make.

Komarimaru původně napsal:

Muppet among Puppets původně napsal:

But if someone has your google auth, he can not log in though.

Same for steam authenticator, so not sure what point you're trying to make.

With old steam authenticator, and even more the one with qr code scan to login,
anyone who uses your phone can log in.
Thats defenitely not the same.

Muppet among Puppets původně napsal:

Komarimaru původně napsal:

Same for steam authenticator, so not sure what point you're trying to make.

With old steam authenticator, and even more the one with qr code scan to login,
anyone who uses your phone can log in.
Thats defenitely not the same.

Anyone who uses my phone can also login to my accounts with Google authenticator.

Not seeing your point here.

Google Authenticator shows the 6 digit for my Google accounts, twitch, and several others.

Built right into any android phone.

Or did you not know, it was an app?

Komarimaru původně napsal:

Muppet among Puppets původně napsal:

With old steam authenticator, and even more the one with qr code scan to login,
anyone who uses your phone can log in.
Thats defenitely not the same.

Anyone who uses my phone can also login to my accounts with Google authenticator.

Not seeing your point here.

Google Authenticator shows the 6 digit for my Google accounts, twitch, and several others.

Then you set up your phone wrong. All accounts i have in google auth need still account name and password, if someone holds the phone and looks at the codes. There are just numbers, nothing can be concluded or done with them.

Muppet among Puppets původně napsal:

Komarimaru původně napsal:

Anyone who uses my phone can also login to my accounts with Google authenticator.

Not seeing your point here.

Google Authenticator shows the 6 digit for my Google accounts, twitch, and several others.

Then you set up your phone wrong. All accounts i have in google auth need still account name and password, if someone holds the phone and looks at the codes. There are just numbers, nothing can be concluded or done with them.

Same with Steam, you need the person's account name and password plus their authenticator code.

And you may want to look again. You can't screenshot the app, but it clearly says the email address for whatever Google account you have protected, clearly says account name for many sites, the only one that doest is Twitch, where it simply says Twitch (Twitch).

So again, not sure what you're trying to prove here.