This topic has been locked
dcoke22 18 Dec 2015 12:34 PM
TOTP for Steam Guard
I'm a big fan of multi-factor authentication as a way to combat account hijacking, but I'm not so keen on a SMS message being the only way to get the codes.

RFC 6238 TOTP works well enough for Google and a myriad of others. I'd like Steam to support it.

Some have suggested that Steam wants to force people into their mobile app as some kind of marketing move. I doubt Steam wants to hamper good security by raw commerce, but I can't come up with a good reason why it isn't supported.

I emailed support and was told there are no plans to support TOTP. Can we get TOTP support or a convincing explanation why it isn't the right solution?

Showing 1-11 of 11 comments
dcoke22 19 Dec 2015 10:03 AM
For those folks wanting to use Steam Guard on a Windows Phone, this solution would work for that.
interferens 19 Dec 2015 11:02 AM
+1

It's a good system as far as I can tell, and it's developed and documented well enough that it shouldn't take a whole lot of resources to implement.
PALADiN 19 Dec 2015 7:31 PM
It would also work with 2FA clients like Authy [www.authy.com] that save 2FA info in the cloud for easy retrieval when you get a new device or reset your existing one.
dcoke22 19 Dec 2015 7:35 PM
I did recently come across this thread: http://steamcommunity.com/discussions/forum/0/494631873668954229/

It highlights some of Valve's logic behind their choice here. I'm not sure I agree with it all, but there it is.

Specifically, read the "How we can stop it" section.
Last edited by dcoke22; 19 Dec 2015 7:36 PM
mas 14 Jun 2016 6:51 PM
I would like to vote for TOTP anyway, I understand their reasons but still would value not having yet another app.
Flyster 15 Dec 2021 4:08 AM
+1
Ksun 16 Dec 2021 3:36 PM
asnadfo
DracoChartin 26 Oct 2022 6:41 AM
The Steam Team needs to get on top of allowing proper open standard TOTP, not their custom version in the Steam app. This is a problem for people trying to do proper security hardening that simply does not need to exist.

It actively harms security by increasing the attack surface to force people to install their app rather than use a single authenticator app for all their TOTP. For example, with Aegis it is possible to extract the private key from the Steam app on Android and generate Steam's custom codes with a reverse engineered open implementation of the custom TOTP. This is far from ideal. It also does not extend to the push notification acknowledgements, which is now a problem for updating account info.

Push notification MFA has been shown in a number of recent attacks to be a potential security liability. Attackers bombard people with MFA notifications until they hit one by accident or just to try and get rid of them. It should be possible to disable this and only allow TOTP acknowledgements, not via notifications.

RFC 6238 TOTP is the minimum really, they should ideally also support the FIDO2 alliance's WebAuthn standards to allow authentication with hardware security tokens.

I don't find the logic in the "How we can stop it" section of the thread mentioned above (https://steamcommunity.com/discussions/forum/0/494631873668954229/) very convincing. But if doing it this way is helpful for item trades, it does not need to be done this way for any other authentications. Providing the option to use standard TOTP etc., even if you won't allow them to authenticate trades, allowing them for everything else would be a big improvement over the current state of affairs. Especially if, like me, you have no interest in nor will ever have any interest in item trades, you should not have to compromise on security of anything else if you can't use the Steam app.

There have been numerous threads with many comments on the support fora asking for this over the years. Please, Steam, take the feedback and let people authenticate their accounts securely and in a way that they choose.
RotationMatrix 19 Jan 2023 3:55 PM
+1

This option is also better from a privacy/GDPR standpoint as it would not require processing of our phone numbers during setup. Steam Guard OTPs can still be phished like RFC 6238, so why not allow the option for RFC 6238 or better, FIDO U2F/FIDO2 which has stronger phishing resistance? There is no one size fits all in security and these options would work better for some individuals' threat models.
GreenStar 27 Sep 2024 3:11 PM
Support for https://datatracker.ietf.org/doc/html/rfc6238 would be great. Also support for https://datatracker.ietf.org/doc/rfc8809/ so that Windows users could outright use their Windows device via WebAuthn to instantly authenticate, no phone needed.
(WebAuthn support if correctly implemented would also add support for FIDO keys, which means even Linux and such users would benefit from this.)
Steven 27 Sep 2024 5:26 PM
This thread was quite old before the recent post, so we're locking it to prevent confusion.

Date posted: 18 Dec 2015 12:34 PM
Replies: 11