realHartman Feb 27, 2021 @ 7:44am
The needs of alternatives to Steam Mobile and Steam Guard
tl;dr: Steam, please stop forcing me to install your semi-customized TOTP app with bloated functions which I don't use at all. Please align with other big tech companies like Google and Facebook and use a standard TOTP system which Google Authenticator or Authy can use.

----

I know the needs of Steam Guard, but not everyone (at least not me) wants to install an extra app on their phone. There are multiple ways to solve the problem that Steam Guard aims to solve.

We already know Steam Guard uses RFC 6238[web.archive.org], the two-step authentication used by Google and Facebook, as its base, but rather than returning digits, it returns characters and digits. Why modify a well-used standard without providing additional benefits? Using a wider charset doesn't provide more security, since Steam should lock the account after too many failed authentications in a row. Plus, it won't stop phishing in any way. In fact, no TOTP system can protect against phishing. Then why bother to use a modified system? And the trade system: entering a TOTP again from a universal app and hitting a confirm button on Steam Mobile provide the same level of security. If the phone is compromised, all data within is compromised.

Furthermore, better systems exist. The FIDO and WebAuthn standards are designed to work around the phishing problem of TOTP. They are based on asymmetric keys and are way more secure than TOTP. Software- and hardware-based solutions exist: IDmelon Key for Android and Krypton for iOS; YubiKey and SoloKey for the hardware approach.

Yes, the email authentication exists. However, the Steam client logs me out every time I close it.* And sending an OTP to email means users are depending on the email provider for availability and security. If that email provider is down for whatever reason, users can't log in and have absolutely no control over it. If they have a security breach (including external and internal threats), that layer of security is gone. Read up on Why sending OTP in email is a bad idea.[security.stackexchange.com]

I really dislike that Steam ties an essential security function to an app that is bloated with other unwanted functionality. I hope Steam can listen to this and align itself with other online services.

* Maybe it is a bug, I'm not sure, but it happened after customer service disabled Steam Guard although I didn't ask for it.
Last edited by realHartman; Feb 27, 2021 @ 10:58pm
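The RFC 6238 scheme the post refers to, as an added illustration that is not part of this thread or of Steam's code: the standard HMAC-SHA1 dynamic truncation rendered both as the six digits Google Authenticator or Authy would show and as a five-symbol alphanumeric code, plus a verifier with a one-step skew window and constant-time comparison. The 26-symbol alphabet, the function names and the window size are assumptions chosen for the example; the secret is the RFC 6238 Appendix B test key.

```python
import hashlib
import hmac
import struct

# Constructed 26-symbol alphabet for the alphanumeric variant (0/1 and vowels
# left out to avoid ambiguity). Illustrative only; not Steam's actual table.
ALNUM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def dynamic_truncate(secret: bytes, counter: int) -> int:
    """RFC 4226 step: HMAC-SHA1 over the 8-byte big-endian counter, then the
    31-bit integer selected by the low nibble of the last digest byte."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF


def totp_digits(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Standard RFC 6238 output: truncated value modulo 10^digits, zero-padded."""
    return str(dynamic_truncate(secret, now // step) % 10 ** digits).zfill(digits)


def totp_alnum(secret: bytes, now: int, step: int = 30, length: int = 5,
               alphabet: str = ALNUM_ALPHABET) -> str:
    """Same HMAC and truncation, but the integer is rendered in base
    len(alphabet) instead of base 10 (least significant symbol first)."""
    value = dynamic_truncate(secret, now // step)
    out = []
    for _ in range(length):
        out.append(alphabet[value % len(alphabet)])
        value //= len(alphabet)
    return "".join(out)


def verify_totp(secret: bytes, candidate: str, now: int, step: int = 30,
                window: int = 1, render=totp_digits) -> bool:
    """Accept a code from the current step or `window` steps either side (clock
    skew), comparing in constant time. Lockout after repeated failures, which
    the post relies on, must be enforced by the caller around this check."""
    for offset in range(-window, window + 1):
        expected = render(secret, now + offset * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 Appendix B test secret
    print(totp_digits(secret, 59), totp_alnum(secret, 59))  # 287082 PV9M4
```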
Showing 1-7 of 7 comments
Sid Feb 28, 2021 @ 3:34am 
This.
I already have a FIDO stick, but can't use it with Steam.
When security is so important for Valve, why not implement FIDO/WebAuthn standard?:steamfacepalm:
scrabs Mar 3, 2021 @ 6:25am 
yes I agree
Wicked Sick Aug 1, 2022 @ 4:10pm 
I was just googling this. I would gladly remove the Steam App and use the Google Authenticator or the Microsoft Authenticator. The app is just useless for me beyond the code it gives when I need.
op Aug 5, 2022 @ 1:40am 
i agree
Thermal Lance Aug 6, 2022 @ 9:58am 
Personally I’m fine with how the security features are implemented. It’s what I am the most used to. And as long as you can follow ONE rule in particular, it’s secure. Which is that Steam will never ask for your credentials. They don’t need it to do what they want with your account. But, I really wouldn’t mind if people had different alternatives.
Thermal Lance Aug 6, 2022 @ 10:00am 
Ok make it two. Don’t log into anything else but steam and sites that are OFFICIAL.
Thermal Lance Aug 6, 2022 @ 10:02am 
Like seriously. If I tell those guys to not jump over 2 angry attack dogs that WILL rip his balls off.

Will they actually do it? Because to me, at this point the problem is a serious lack of self preservation.

Date Posted: Feb 27, 2021 @ 7:44am
Posts: 7