STEAM GROUP
Steam Mobile App SteamMobile
Founded
August 18, 2022
Harryoe Aug 25, 2022 @ 9:19am
App bypasses steam guard?
You can log into your account and gain access to your account without 2FA (you don't need a Steam Guard code). This seems like a major security problem. Or am I missing something?
Frugl Aug 25, 2022 @ 9:22am 
You are logging in from the app that can already give you the Steam Guard code.
Г Oct 12, 2022 @ 3:33pm 
it's still bypassing a second factor: you can now log into a steam account solely with a "something you have" factor, the phone with the steam app logged in, no need for a "something you know" factor, a traditional password. it is, in fact, a major security downgrade, and one you should be able to turn off somehow.
Matri Dunadan Oct 12, 2022 @ 4:18pm 
Originally posted by Г:
it's still bypassing a second factor: you can now log into a steam account solely with a "something you have" factor, the phone with the steam app logged in, no need for a "something you know" factor, a traditional password. it is, in fact, a major security downgrade, and one you should be able to turn off somehow.

Agreed. This is a HUGE security risk. Anyone who has your phone can INSTANTLY access your Steam account.

At least with the previous code method they still need your password, so losing your phone isn’t a huge risk.
Drunken F00l Oct 12, 2022 @ 4:45pm 
The app knows the codes and will automatically provide them during the login process. The old app did the same.

edit: I thought y'all were talking about how you can login to the app itself without providing any 2FA
Last edited by Drunken F00l; Oct 12, 2022 @ 7:22pm
Matri Dunadan Oct 12, 2022 @ 5:11pm 
Originally posted by Drunken F00l:
The app knows the codes and will automatically provide them during the login process. The old app did the same.

Codes are no longer needed, since whoever stole the phone can just scan the QR to login, since the app can no longer logout.

Meaning the phone thief doesn’t even need the login details or password.

And since they now have access to your account on the PC, they can change the password, registered email, registered phone number, security questions & answers, refresh & invalidate the Recovery Codes, literally everything needed in order to recover our account is invalidated.
Lighthouse Oct 12, 2022 @ 5:49pm 
Originally posted by Matri Dunadan:
Originally posted by Drunken F00l:
The app knows the codes and will automatically provide them during the login process. The old app did the same.

Codes are no longer needed, since whoever stole the phone can just scan the QR to login, since the app can no longer logout.

Meaning the phone thief doesn’t even need the login details or password.

And since they now have access to your account on the PC, they can change the password, registered email, registered phone number, security questions & answers, refresh & invalidate the Recovery Codes, literally everything needed in order to recover our account is invalidated.


This is a simple fix. All they need to do is make it so that they need to enter the Family Share code to enter the QR Code Scanner/Authenticator.

And if they forget their Family Share Code, Steam Support can be more than happy to help them out.
Last edited by Lighthouse; Oct 12, 2022 @ 5:50pm
Matri Dunadan Oct 12, 2022 @ 5:57pm 
Originally posted by Furry Femboy:
This is a simple fix. All they need to do is make it so that they need to enter the Family Share code to enter the QR Code Scanner/Authenticator.

And if they forget their Family Share Code, Steam Support can be more than happy to help them out.

Or! Just allow us to log out, which disables the QR scanner, but retain the code generator, just like in the old app.

This way, 2-Factor is preserved, since it requires both the password and the code to login.
Lighthouse Oct 12, 2022 @ 6:03pm 
Originally posted by Matri Dunadan:
Or! Just allow us to log out, which disables the QR scanner, but retain the code generator, just like in the old app.

This way, 2-Factor is preserved, since it requires both the password and the code to login.

Valid point.
I think they are trying to add in QR scanning for some reason, maybe to keep up with standards of the modern way?
Last edited by Lighthouse; Oct 12, 2022 @ 6:03pm
cSg|mc-Hotsauce Oct 12, 2022 @ 6:04pm 
Originally posted by Furry Femboy:
Valid point.
I think they are trying to add in QR scanning for some reason, maybe to keep up with standards of the modern way?

People have asked for it for years.

:qr:
Lighthouse Oct 12, 2022 @ 6:22pm 
Are they going to fix this problem? Because now I'm starting to get a little anxiety from it.
Matri Dunadan Oct 12, 2022 @ 6:27pm 
At this point the 2FA code generator is superfluous. Using the QR scanner is only available while logged into the app, and it instantly bypasses 2FA.

And if the 2FA code generator only works while logged in, what even is the point when the QR scanner is right there?
FAT CONTROLLER Oct 12, 2022 @ 9:33pm 
Originally posted by Matri Dunadan:
At this point the 2FA code generator is superfluous. Using the QR scanner is only available while logged into the app, and it instantly bypasses 2FA.

And if the 2FA code generator only works while logged in, what even is the point when the QR scanner is right there?
Exactly, the code generator might as well be removed at this point. It serves ZERO purposes while we are forced to stay logged in and forced to use QR code.
Varpie Oct 13, 2022 @ 3:32am 
Originally posted by Matri Dunadan:
Originally posted by Furry Femboy:
This is a simple fix. All they need to do is make it so that they need to enter the Family Share code to enter the QR Code Scanner/Authenticator.

And if they forget their Family Share Code, Steam Support can be more than happy to help them out.

Or! Just allow us to log out, which disables the QR scanner, but retain the code generator, just like in the old app.

This way, 2-Factor is preserved, since it requires both the password and the code to login.
Another option would be to use biometrics to secure the new "Steam Guard" (or, simply, to the app, since having access to the store with no extra security is already not great). That way, it would still be 2FA: what you have (the phone) and what you are (biometrics).
Last edited by Varpie; Oct 13, 2022 @ 3:32am
rvcjew Oct 13, 2022 @ 11:31pm 
The old logged out method was great and had an easy to use widget as well. The QR code should be behind the OS built-in biometrics at least or your password if it is needed. Either way it needs to be a choice.
zaphodikus Oct 14, 2022 @ 12:10am 
The way the first time after updating it takes you to the guard tab, that looks like a login tab is terrible OOB design. The first time after upgrade please after logging in DO NOT TAKE ME TO STEAM GUARD tab, take us to a "thank you for logging in" message. It's the right thing to do to prevent panic. Yes I know we have multiple accounts support now. But a clear indication that they have completed the challenge prevents heart failure. (Although the jumpy scrolling is giving me seizure, so there is that)

Yes I know it's hard to please everyone all the time. But the default tab was just a bad default. Change it.
Last edited by zaphodikus; Oct 14, 2022 @ 12:12am

Date Posted: Aug 25, 2022 @ 9:19am
Posts: 16