STEAM GROUP
Steam Guard Mobile Authenticator Beta MobeAuthBeta
Founded 14 April 2015
TOTP support (Microsoft, Google Authenticator and others)
Why not support other authenticators and not just limit it to the steam app? This would enable more devices to use this verification method.

The idea is that we can use one authenticator app for all our authentication needs.

What is TOTP?[en.wikipedia.org]
Last edited by TurtleSwift; 16 Apr 2015 at 4:49
Showing 211-225 of 237 comments
Better to necro than to start a new thread when the topic's exactly the same. A new thread just disconnects history and anybody following.

And Valve's complaint isn't about people not using 2FA; I use it on over twenty websites. And I'll use it on Steam as soon as they let it be number twenty-one in my Authy database.

I really wish someone at Valve would step up and explain why they feel it's better that you and I don't use 2FA than switching the standard 2FA system.
Last edited by Category Theory; 2 Oct 2016 at 6:58
Originally posted by Category Theory:
I really wish someone at Valve would step up and explain why they feel it's better that you and I don't use 2FA than switching the standard 2FA system.
They already did:
http://store.steampowered.com/news/19618/
Originally posted by KillahInstinct:
Originally posted by Category Theory:
I really wish someone at Valve would step up and explain why they feel it's better that you and I don't use 2FA than switching the standard 2FA system.
They already did:
http://store.steampowered.com/news/19618/

That says absolutely nothing about why they use a proprietary interface in front of TOTP that prevents the use of standard multi-site TOTP authenticators such as Authy, Google Authenticator, 1Password, the Tray Totp plugin for KeePass 2, or many others.

As I said, I do this sort of authentication on a couple of dozen different web sites, and for every one of them I use Authy on my phone and in Chrome browsers, and KeePass2 on PCs. Steam is the only one that decided to make their system incompatible with this, so that you need a special, separate app on your phone and you can't do it at all on PCs. Given that the underlying authentication system is the same, there's no good reason for this except to encourage heavy 2FA users not to use it with Steam. It's just dumb.
Perhaps actually read the provided link?

We needed to create our own two-factor authenticator because we need to show users the contents of the trade on a separate device and have them confirm it there. Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn't intend to. This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades.
Last edited by KillahInstinct; 2 Oct 2016 at 12:17
Even if you read it, it still doesn't explain the need to use a proprietary TOTP algorithm for login.
Originally posted by KillahInstinct:
Perhaps actually read the provided link?

Yup, I did. That explained why they need a proprietary app for trades. They also need other features beyond that, such as Internet connectivity on the confirmation device.

However, for login, they need neither of these.
McKay 2 Oct 2016 at 23:28
I'd just like to bring up the fact that if you don't have a data plan on your phone, you can't trade outside of anywhere you have WiFi.
Using a separate authenticator app has at least the following advantages:
  • it doesn't show codes on the lock screen. Arguably, this is a bug in the Steam app in that it doesn't mark 2FA notifications as having sensitive content…
  • It can be present on multiple devices. This is good for backup purposes.

Originally posted by Not Mr Flibble:
Using a separate authenticator app has at least the following advantages:
  • it doesn't show codes on the lock screen. Arguably, this is a bug in the Steam app in that it doesn't mark 2FA notifications as having sensitive content…
It works as designed.
Treat authenticator codes just like you would treat a password; never share them with anyone

I don't believe it's wise to show passwords on a lock screen.
No it's not a good idea. If it's by design then it's a bad design. Period.
I already have an RFC6238-compliant authenticator installed. I'm not going to install Valve's proprietary, non-standards-based authenticator. Valve, if it's important to you that you protect your users' account safety then you need to revisit the design space and figure out how to work within the existing internet standards instead of pulling a Microsoft.
Originally posted by Guurzak:
I already have an RFC6238-compliant authenticator installed. I'm not going to install Valve's proprietary, non-standards-based authenticator. Valve, if it's important to you that you protect your users' account safety then you need to revisit the design space and figure out how to work within the existing internet standards instead of pulling a Microsoft.
They've explained here why that solution didn't work in this use case.
Originally posted by KillahInstinct:
They've explained here why that solution didn't work in this use case.

No, they explained why it doesn't work for the trades use case, which is not what we're talking about here. For simple confirmation of login, standard TOTP works fine, and their system would work fine if they would not make what are essentially cosmetic changes to standard TOTP to make sure that, though that's what they're using underneath, the standard tools won't work.

I don't trade, so I don't care if the app I use to generate codes knows about that or not. I would be perfectly happy if I could simply have login protection, leaving trades as they are, but Valve has decided that if I don't want trade protection it's better that I have no protection at all than that I have login protection.
Just got my new u2f/otp yubikey, excited to turn on easy 2 factor auth wherever I can only to find out valve pulled a lazy ♥♥♥♥♥ move shirking this universally accepted standard, pissing me off...

Valve's article linked by others justifies nothing regarding 2 factor login for account security. Only their dumb, "baby's first 'market' speculation game." For that they can use whatever cr-app they want, but secure login should use a mature standard developed by people who know better.

This article[github.com] suggests a hack for Yubico's totp app, at least for supporting Steam. *Correction* yubico-oath-desktop app supports generating steam codes.
Last edited by Psychotrome; 3 Jan 2017 at 14:48
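
Added example, not part of any post in this thread and not Valve's code: a sketch of the point argued above, that a Steam-style login code and an RFC 6238 code can share the same HMAC and truncation and differ only in the final encoding. The 5-character length and the alphabet are assumptions taken from publicly available open-source Steam code generators, not from this page; the function names are hypothetical and the secret is the constructed RFC 6238 test key.

```python
import hashlib
import hmac
import struct

# Assumption: alphabet used by open-source Steam Guard code generators.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def hotp_value(secret: bytes, counter: int) -> int:
    """RFC 4226 dynamic truncation: 31-bit integer from HMAC-SHA1."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of last byte selects 4 bytes
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def totp_rfc6238(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Standard TOTP: the truncated value rendered as decimal digits."""
    value = hotp_value(secret, unix_time // step)
    return str(value % 10 ** digits).zfill(digits)


def totp_steam_style(secret: bytes, unix_time: int, step: int = 30) -> str:
    """Same secret, counter and truncation; only the output encoding changes."""
    value = hotp_value(secret, unix_time // step)
    chars = []
    for _ in range(5):  # five characters, least significant base-26 digit first
        value, idx = divmod(value, len(STEAM_ALPHABET))
        chars.append(STEAM_ALPHABET[idx])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed input: the ASCII test key and timestamp from RFC 6238 Appendix B.
    key = b"12345678901234567890"
    t = 59
    print("31-bit truncated value:", hotp_value(key, t // 30))
    print("RFC 6238 (6 digits):   ", totp_rfc6238(key, t))
    print("Steam-style (5 chars): ", totp_steam_style(key, t))
```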