Dota 2
812 ratings
How To Use The Steam Mobile Authenticator Properly
By Satoru
This guide will help you understand the proper way to use your Steam Authenticator. And guide you through worst case scenarios you need to be aware of, and how to mitigate them.

(yes yes its in the Dota2 section but some of Jimos general guides were there so I figured it was ok and I didn't know how to create a guide for "Steam")
I NEED TO TRADE! But I don't have a smartphone!! Use WinAuth
Recently Steam has added a delay in trades between users if one user doesn't have the Steam Authenticator enabled. Maybe you don't have a smartphone. Maybe you're cursed with a Windows Phone or one of 5 people left with a Blackberry. What can you do?

WinAuth as of 3.4.2 beta now supports both the SteamGuard authenticator codes and trade confirmations. If you don't have a mobile phone, definitely go this route. Please refer to my guide on how to secure your WinAuth authenticator from hijackers

Please note that using WinAuth is less secure than having a separate device for trade confirmations.

Not getting hijacked is the best defense. And not downloading garbage from the Internet is the best way to ensure your account is safe.
Introduction about the Steam Authenticator
So you've decided to dive in and get a Steam Authenticator. This is a good thing. Doing so will greatly increase the security on your Steam account.

If you're new, the Steam Authenticator works like SteamGuard but doesn't require email. No more waiting for your SPAM filters to catch up. No more lost email codes. Sounds great doesn't it?

However before we proceed you will need the following

  • An Apple or Android device
  • A real phone # that can receive SMS messages. This is now mandatory so you'll need to get something that does SMS.
  • A piece of paper and a pen. Yes you need this.

Getting Started - Registering your SteamGuard Authenticator
Get the Steam App from your app store

The first step is obviously to go to your phone's app store and download the Steam app. There are Android and iOS versions of the Steam app. Ensure you're getting it from the Google or Apple store! Fake "Steam App" can be used to steal your credentials! So only download from the authorized stores.

Log into the app using the 'old' method

You'll need to log into the app once using the old email SteamGuard code. This gets your bootstrapped into the app.

Register your phone

Here's where the fun begins. In the app find the SteamGuard section. Note my screenshots are from iOS. Android might be slightly different but the overall flow should be similar

Tap Settings

Select "Get Steam Guard Codes from my Phone"

Tap Next

Authorize using SMS

This changed in recent revisions, but you can now ONLY use SMS to authorize the app.

Type in your phone number and tap "Add Phone"

Type in the code you got via SMS and tap Submit

Now get that pen and paper ready, and skip to the "WRITE DOWN YOUR R-CODE" Section.
When you authorize the Steam Authenticator you will receive a screen that has a code that looks like

This will stay on the screen for 30 seconds

Remember that paper and pen I told you about before.


Put this code in a safe place! It is one safety net you will have if you somehow screw up your Steam Authenticator app.


Especially if you decided to not to register your phone! The R-code is the ONLY way to remove the authenticator if you don't have an SMS number. So again:

I Registered The App But Did Not Get The R Code! What Do I Do?
Rarely the app won't show or generate the R-code as part of the registration process. The app will generate the codes but you don't have an R-code in case of emergency. This is not good.

Go Into The App And Get The RCode

The app now allows you to view the Recover Code after you've registered the app. Update your app if you don't see the following.

1) Go into the SteamGuard section

2) Tap "My Recovery Code"

3) You will now see the recovery code screen

Remember what was stated previously


Did you write down your R-code? That's great.

Is it on your phone? Maybe you took a screen shot on your phone of the R-code. Or wrote it on a note on your phone.



Because when are you going to need your R-code?

When you can't use your authenticator. Probably because you lost your phone, or formatted it or whatever. Guess what?

Now the only way to recover your phone authenticator is to find a code..... on the phone you no longer have....

Put your R-code separate from your phone!

Save off some Backup Steam Guard Codes In Case You Change Phone Numbers!
This is your second line of defense

If you ever log out of the Steam Authenticator app, in order to log in again you'll need a Steam Guard code. A code you can't get because... you logged out of the app! WHAT TO DO?

Easy. You can generate a list of one time use Steam Guard codes.


Note this step is VERY VERY important, if you ever lose your phone number then you have very few ways of removing the number except via SteamGuard codes. Having backup SteamGuard codes ensures you can use them to remove your old phone number and register a new one.

On a computer (not your phone) go to your Account Settings. And click "Manage Steam Guard"

Then click "Get Backup Codes"

Input your SteamGuard code from your authenticator

Save these codes off to a safe place. You can use them in desperation if you need to log into Steam but don't have your authenticator for some reason.

Adding A Phone Number To Your Account
So you opted out of using the SMS option when you created your authenticator originally. But now you want to add a phone number to your account for increased security and ease of recovery later.

Its important that you have several Plan B for when things might go wrong with your authenticator. An ounce of prevention today, will prevent 8 weeks of torment from Support in the future. Well worth it in my opinion.

Go to you Account Settings. In the Contact Info section click "Add A Phone Number"

Input your SteamGuard code from your authenticator

Enter your phone number here. Ensure you change the country code to your appropriate country. Note SMS charges will apply to you

Input the 5 digit numeric code you get through SMS

Woo Hoo! Your phone is now authenticated

You now have an additional recovery option when anything happens to your authenticator.
So now you've done it. You lost your authenticator. Whatever the reason. You formatted your phone. You lost it. Your dog ate it. You destroyed it while doing your victory dance when you got a CSGO Karmabit Knife Camo. Whatever it is. You're now screwed

Or are you?

If you followed all my tips above then don't fear! You have an escape hatch with a parachute waiting for you.

This is where the SMS option is CRITICAL. It is the most reliable way to recover your account. Alternatively you can use your R-code as well.

Click "I deleted or Lost my Steam Guard Mobile Authenticator"

First type in your account name

Then it will send a recovery code to either your email or via SMS.

If you choose the SMS option

Type in the code that yoru phone gets. It will look like a Steam Guard code

Then goto Remove Authenticator

All you need to do here is type in your Steam password.

Presto you're saved! See I told you that SMS option was the way to go!! Gold star for you!

You choose email

Type in the recover code. Again it looks like a Steam Guard code

Click Remove Authenticator

Ok now you have 2 choices.

1) Use the R-Code which YOU WROTE DOWN BEFORE RIGHT? YOU DID DIDN'T YOU? So you just need to put in your Rcode

2) Or you can have Steam send you another Steam Guard code via SMS. See you can't get away from that SMS option.

Then input your Steam password

Now you can remove your SteamGuard authenticator
My SteamGuard Codes Don't Work?!?!
The authenticator user your phone's time in order to generate the codes. If the time is off on your phone, then the app will generate the wrong code and it wont work.

Check that your phone time is properly synced, then try a new code.
What Kinds of Protection Do I Get?
So its important to understand what kinds of things the Mobile Authenticator and the SMS phone option give you. Its not 100%. But it does add layers of protection for you

SMS Phone Number

Note this is primarily as a RECOVERY tool. It will allow you to RECOVER your account if
  • You lose/delete/format your Mobile Authenticator
  • A hijacker changes your password
That's pretty much it. It will not protect your Inventory. Because your attacker can change your email address in the Steam client to their own. Then trade your items away. So while you can get your account back, it doesn't afford any protection for your inventory.

Still its important to have this as a backup recovery method in case you lose your Mobile Authenticator for some reason. Don't ignore this!

Mobile Authenticator

The Mobile Authenticator give you far better protection for your items. This is where the big security measures come in
  • A hijacker cannot change your email without the code from your Mobile Authenticator. This prevents the #1 way in which hijackers steal your items
  • As of Oct 20th Steam trades REQUIRE the Mobile Authenticator code instead of the one from your email. This means that even if the hijacker steals both your Steam account AND your email somehow, your items are safe because they cannot be traded away without your Mobile Authenticator as well.
As you can see the Mobile Authenticator gives you the greatest level of security for both your account and your items. If you want to really protect your account, having the Mobile Authenticator adds a gigantic wall for potential hijackers to overcome. It mitigates even if you foolishly give away both your email and steam account credentials as well.
SteamGuard Cannot Protect You From Yourself
So you've done all the right things. You now have two-factor authentication on Steam. You've enabled it on your email account too. You have unique passwords on Steam. You're totally safe now right?


You must always be vigilant. You are your own worst enemy. People are hijacked because attackers trick them into giving them the keys to their accounts. No amount of security in the world is going to help if you give your 'trader' access to your PC.

Always be vigilant.

Beware of all external links. Beware of downloads. Beware of unknown sources.

Security is about layers. The more layers there are the more inconvenient it is for attackers. But the reality is YOU are the weakest layer.

Don't let hijackers exploit you. Always be wary of links. Never rush things. Assume EVERYTHING is out to get you. Basically assume you're in Australia. Because everything there is Nature's way of saying "GTFO or die!". Everything is out to get you. Act accordingly.
Use WinAuth If You Don't Have a Smartphone
Feeling left out in the cold because you don't have a smartphone? Don't worry there's a solution for you!

WinAuth is an Open Source two-factor keyring. It supports the two-factor authentication for many services. And recently has begun to support SteamGuard.


If you don't have a smartphone then you can download WinAuth and register your account to have a desktop application that gives you the SteamGuard codes


The whole point of two factor authentication is to separate the authenticator from the authentication. Putting the authenticator on your computer means that a hijacker has access to your computer AND THE AUTHENTICATOR!

This is a big problem since they can steal the SteamGuard codes from you! WinAuth has a password option. ENABLE THIS OPTION.
Does the Authenticator and the Phone Number need to be on the same device?
You might be confused as to whether your registered phone # needs to be on the same device as the authenticator.

It doesn't.

All you really need is

* An iOS or Android device. This can be a smartphone, or it could be a totally wifi tablet or other device. This just runs the app.

* A phone number thta can receive SMS messages. You need this to get the authorization for the app but that's it. It can be a flip phone from the 90s you grandpa has.

Thus you can have various combinations of devices such as:

1) iPhone/GalaxyS for SMS + iPhone/GalaxyS for app. Where the app and SMS are on the same device. This is the typical scenario.
2) wifi iPad/Galaxy Note/some garbage tablet you got at a Christmas Secret Santa for the app + flip phone for SMS
3) iPhone for the app + Samsung Galaxy S4 for the SMS (for the ultra rich and ultra paranoid!)
I Need SMS! Should I use Google Voice or Similar Online Services for SMS?
The Mobile Authenticator now requires an SMS phone number to register the app. Maybe you don't have one.

You might be tempted to use an online service like Google Voice to get an SMS number.

While this does work, as I have tested a Google Voice number with another account, I would advise EXTREME caution when doing so.


As you can see using an online service like Google Voice for your SMS may leave you vulnerable to hijacking despite having 2FA and an SMS phone number.

In other words BE VERY VERY CAREFUL if you use this route. You need to be super paranoid and cautious about stuff. Because a hijacker can attack you and steal your credentials and your SMS which is VERY bad

In the USA you can use services like Google Voice.

Outside of the USA you'll have to see if there are any similar services available

DO NOT USE ANY FREE SMS SERVICES. Hijacks have occurred because a person used a free SMS service and got their account hijacked. Or worse, their accounts were VAC banned because the 150th person that used that phone # cheated.
I Changed My Phone Number! How Do I Change It In Steam!?
Lets say you change your phone number. Maybe you lost your phone. Maybe you're on a new contract. So you need to change it.

Then select one of two options

1) Use SMS

This basically sends an SMS message to your existing phone. Then you can remove the phone # from Steam. When you get your new phone number, simply add it back using the "Adding A Phone Number To Your Account" section above

Of course this somewhat assumes you're thinking ahead.

2) Use SteamGuard codes

In this scenario you use a SteamGuard code in order to remove the phone number.

You may
* Use a SteamGuard code from your authenticator
* Use a SteamGuard code from your Backup SteamGuard codes

Remember back when I told you to generate a set of Backup SteamGuard codes?

Did you ignore that?

Yeah don't ignore that!

Go back and generate those codes right now!!
Why Do I Still Have Trade Holds?
You need

1) To have the Mobile Authenticator on
2) Have the Mobile Authenticator on for 7 days straight

If any of the above isn't correct you will still be subject to 3 day trade holds.

You MUST have the Steam Mobile Authenticator

In your browser click on your name then select Account Details

If your "Account Security" section looks like this

Note the yellow shield. That's wrong. Go back and activate the Authenticator properly

It should look like this

Note the green shield. That means you have the Steam Mobile Authenticator active on your account

It MUST be active for 7 days straight

After you activate the Steam Mobile Authenticator you must wait a 7 day cooldown before you are exempt from trade holds

If you ever remove the authenticator or change to the email authentication and go back to the mobile authenticator, that re-triggers the 7 day cooldown. You'll have to wait another 7 days after that.
tl;dr version
1) Register a the Mobile Authenticator
2) Register a SMS # with Steam
4) Generate a set of Backup SteamGuard Codes
Vsauce Apr 5, 2023 @ 1:46am 
This guy’s a scammer btw 🤔
nTapps · Dec 8, 2021 @ 1:32pm 
"It MUST be active for 7 days straight"

F this! Come on.
I've given up on this and finally decided to give you my number and then I have to wait EXTRA 7 DAYS?
This extra wait should NOT be needed
poiu477 Sep 11, 2021 @ 11:27am 
Just to make clear, if you think you've been hijacked, IE strange login attempts, regenerate new backup codes, they could have gotten 1 time use codes if they got in and generating new ones clears the old ones.
PC007 May 14, 2021 @ 7:06pm 
Nice Guide; thanks for the Info. Have a great day and stay safe! :ccHappy:
Adam Jensen 007 May 5, 2021 @ 5:01pm 
Nice guide!
ZAToM Mar 27, 2021 @ 3:13pm 
man satoru whats your problem? you deleted my posts and banned me for 24 hours after i replied someone in a nice and calm manner who said i should be killed and insulted me multiple times and then you kept deleting each and every post even i didnt mention egs or steam and you answer when i message you and now you just permanently ban me? i mean cmon man you cant be serious!
andritolion Feb 20, 2020 @ 7:56am 
There is in fact a Steam Guard app for Windows Phone. You don't necessarily need to use WinAuth if you have a Windows phone.
hu-li Feb 10, 2020 @ 1:55am 
I'm just saying through experience, but:
@Lxrken, how long ago did you first have your phone?
Threat Feb 10, 2020 @ 12:12am 
all i need to know is how to get the oops we cant send you a sms on your phone thing please help
Huntey Apr 8, 2019 @ 8:01am 
My account has the green shieled as well so i really dont know whats wrong ;c