Recently Steam has added a delay in trades between users if one user doesn't have the Steam Authenticator enabled. Maybe you don't have a smartphone. Maybe you're cursed with a Windows Phone or one of 5 people left with a Blackberry. What can you do?

http://steamcommunity.com/sharedfiles/filedetails/?id=581563653

WinAuth as of 3.4.2 beta now supports both the SteamGuard authenticator codes and trade confirmations. If you don't have a mobile phone, definitely go this route. Please refer to my guide on how to secure your WinAuth authenticator from hijackers

Please note that using WinAuth is less secure than having a separate device for trade confirmations.

Not getting hijacked is the best defense. And not downloading garbage from the Internet is the best way to ensure your account is safe.

So you've decided to dive in and get a Steam Authenticator. This is a good thing. Doing so will greatly increase the security on your Steam account.

If you're new, the Steam Authenticator works like SteamGuard but doesn't require email. No more waiting for your SPAM filters to catch up. No more lost email codes. Sounds great doesn't it?

However before we proceed you will need the following

• An Apple or Android device
  
• A real phone # that can receive SMS messages. This is now mandatory so you'll need to get something that does SMS.
  
• A piece of paper and a pen. Yes you need this.

The first step is obviously to go to your phone's app store and download the Steam app. There are Android and iOS versions of the Steam app. Ensure you're getting it from the Google or Apple store! Fake "Steam App" can be used to steal your credentials! So only download from the authorized stores.


You'll need to log into the app once using the old email SteamGuard code. This gets your bootstrapped into the app.





Here's where the fun begins. In the app find the SteamGuard section. Note my screenshots are from iOS. Android might be slightly different but the overall flow should be similar

Tap Settings




Select "Get Steam Guard Codes from my Phone"





Tap Next






This changed in recent revisions, but you can now ONLY use SMS to authorize the app.

Type in your phone number and tap "Add Phone"




Type in the code you got via SMS and tap Submit





Now get that pen and paper ready, and skip to the "WRITE DOWN YOUR R-CODE" Section.

When you authorize the Steam Authenticator you will receive a screen that has a code that looks like





This will stay on the screen for 30 seconds

Remember that paper and pen I told you about before.

WRITE THIS CODE DOWN NOW

Put this code in a safe place! It is one safety net you will have if you somehow screw up your Steam Authenticator app.

WRITE THIS CODE DOWN NOW

Especially if you decided to not to register your phone! The R-code is the ONLY way to remove the authenticator if you don't have an SMS number. So again:

WRITE THIS CODE DOWN NOW

Rarely the app won't show or generate the R-code as part of the registration process. The app will generate the codes but you don't have an R-code in case of emergency. This is not good.


The app now allows you to view the Recover Code after you've registered the app. Update your app if you don't see the following.

1) Go into the SteamGuard section

2) Tap "My Recovery Code"



3) You will now see the recovery code screen



Remember what was stated previously

WRITE THIS DOWN!

DO NOT STORE ON YOUR PHONE

Did you write down your R-code? That's great.

Is it on your phone? Maybe you took a screen shot on your phone of the R-code. Or wrote it on a note on your phone.


Why?

Because when are you going to need your R-code?

When you can't use your authenticator. Probably because you lost your phone, or formatted it or whatever. Guess what?

Now the only way to recover your phone authenticator is to find a code..... on the phone you no longer have....

Put your R-code separate from your phone!

This is your second line of defense

If you ever log out of the Steam Authenticator app, in order to log in again you'll need a Steam Guard code. A code you can't get because... you logged out of the app! WHAT TO DO?

Easy. You can generate a list of one time use Steam Guard codes.



Note this step is VERY VERY important, if you ever lose your phone number then you have very few ways of removing the number except via SteamGuard codes. Having backup SteamGuard codes ensures you can use them to remove your old phone number and register a new one.

On a computer (not your phone) go to your Account Settings. And click "Manage Steam Guard"




Then click "Get Backup Codes"




Input your SteamGuard code from your authenticator




Save these codes off to a safe place. You can use them in desperation if you need to log into Steam but don't have your authenticator for some reason.

So you opted out of using the SMS option when you created your authenticator originally. But now you want to add a phone number to your account for increased security and ease of recovery later.

Its important that you have several Plan B for when things might go wrong with your authenticator. An ounce of prevention today, will prevent 8 weeks of torment from Support in the future. Well worth it in my opinion.

Go to you Account Settings. In the Contact Info section click "Add A Phone Number"




Input your SteamGuard code from your authenticator




Enter your phone number here. Ensure you change the country code to your appropriate country. Note SMS charges will apply to you




Input the 5 digit numeric code you get through SMS




Woo Hoo! Your phone is now authenticated




You now have an additional recovery option when anything happens to your authenticator.

So now you've done it. You lost your authenticator. Whatever the reason. You formatted your phone. You lost it. Your dog ate it. You destroyed it while doing your victory dance when you got a CSGO Karmabit Knife Camo. Whatever it is. You're now screwed

Or are you?

If you followed all my tips above then don't fear! You have an escape hatch with a parachute waiting for you.

This is where the SMS option is CRITICAL. It is the most reliable way to recover your account. Alternatively you can use your R-code as well.

https://help.steampowered.com/

Click "I deleted or Lost my Steam Guard Mobile Authenticator"


First type in your account name



Then it will send a recovery code to either your email or via SMS.




Type in the code that yoru phone gets. It will look like a Steam Guard code



Then goto Remove Authenticator



All you need to do here is type in your Steam password.



Presto you're saved! See I told you that SMS option was the way to go!! Gold star for you!


Type in the recover code. Again it looks like a Steam Guard code



Click Remove Authenticator



Ok now you have 2 choices.

1) Use the R-Code which YOU WROTE DOWN BEFORE RIGHT? YOU DID DIDN'T YOU? So you just need to put in your Rcode



2) Or you can have Steam send you another Steam Guard code via SMS. See you can't get away from that SMS option.



Then input your Steam password

Now you can remove your SteamGuard authenticator

The authenticator user your phone's time in order to generate the codes. If the time is off on your phone, then the app will generate the wrong code and it wont work.

Check that your phone time is properly synced, then try a new code.

So its important to understand what kinds of things the Mobile Authenticator and the SMS phone option give you. Its not 100%. But it does add layers of protection for you


Note this is primarily as a RECOVERY tool. It will allow you to RECOVER your account if

• You lose/delete/format your Mobile Authenticator
  
• A hijacker changes your password

That's pretty much it. It will not protect your Inventory. Because your attacker can change your email address in the Steam client to their own. Then trade your items away. So while you can get your account back, it doesn't afford any protection for your inventory.

Still its important to have this as a backup recovery method in case you lose your Mobile Authenticator for some reason. Don't ignore this!


The Mobile Authenticator give you far better protection for your items. This is where the big security measures come in

• A hijacker cannot change your email without the code from your Mobile Authenticator. This prevents the #1 way in which hijackers steal your items
  
• As of Oct 20th Steam trades REQUIRE the Mobile Authenticator code instead of the one from your email. This means that even if the hijacker steals both your Steam account AND your email somehow, your items are safe because they cannot be traded away without your Mobile Authenticator as well.

As you can see the Mobile Authenticator gives you the greatest level of security for both your account and your items. If you want to really protect your account, having the Mobile Authenticator adds a gigantic wall for potential hijackers to overcome. It mitigates even if you foolishly give away both your email and steam account credentials as well.

So you've done all the right things. You now have two-factor authentication on Steam. You've enabled it on your email account too. You have unique passwords on Steam. You're totally safe now right?

WRONG

You must always be vigilant. You are your own worst enemy. People are hijacked because attackers trick them into giving them the keys to their accounts. No amount of security in the world is going to help if you give your 'trader' access to your PC.

Always be vigilant.

Beware of all external links. Beware of downloads. Beware of unknown sources.

Security is about layers. The more layers there are the more inconvenient it is for attackers. But the reality is YOU are the weakest layer.

Don't let hijackers exploit you. Always be wary of links. Never rush things. Assume EVERYTHING is out to get you. Basically assume you're in Australia. Because everything there is Nature's way of saying "GTFO or die!". Everything is out to get you. Act accordingly.

Feeling left out in the cold because you don't have a smartphone? Don't worry there's a solution for you!

WinAuth is an Open Source two-factor keyring. It supports the two-factor authentication for many services. And recently has begun to support SteamGuard.

{LINK REMOVED}https://winauth.com/

If you don't have a smartphone then you can download WinAuth and register your account to have a desktop application that gives you the SteamGuard codes


The whole point of two factor authentication is to separate the authenticator from the authentication. Putting the authenticator on your computer means that a hijacker has access to your computer AND THE AUTHENTICATOR!

This is a big problem since they can steal the SteamGuard codes from you! WinAuth has a password option. ENABLE THIS OPTION.

You might be confused as to whether your registered phone # needs to be on the same device as the authenticator.

It doesn't.

All you really need is

* An iOS or Android device. This can be a smartphone, or it could be a totally wifi tablet or other device. This just runs the app.

* A phone number thta can receive SMS messages. You need this to get the authorization for the app but that's it. It can be a flip phone from the 90s you grandpa has.

Thus you can have various combinations of devices such as:

1) iPhone/GalaxyS for SMS + iPhone/GalaxyS for app. Where the app and SMS are on the same device. This is the typical scenario.
2) wifi iPad/Galaxy Note/some garbage tablet you got at a Christmas Secret Santa for the app + flip phone for SMS
3) iPhone for the app + Samsung Galaxy S4 for the SMS (for the ultra rich and ultra paranoid!)

The Mobile Authenticator now requires an SMS phone number to register the app. Maybe you don't have one.

You might be tempted to use an online service like Google Voice to get an SMS number.

While this does work, as I have tested a Google Voice number with another account, I would advise EXTREME caution when doing so.

{LINK REMOVED}https://www.authy.com/blog/do-not-use-your-google-voice-number-for-two-factor-authentication

As you can see using an online service like Google Voice for your SMS may leave you vulnerable to hijacking despite having 2FA and an SMS phone number.

In other words BE VERY VERY CAREFUL if you use this route. You need to be super paranoid and cautious about stuff. Because a hijacker can attack you and steal your credentials and your SMS which is VERY bad

In the USA you can use services like Google Voice.

Outside of the USA you'll have to see if there are any similar services available


DO NOT USE ANY FREE SMS SERVICES. Hijacks have occurred because a person used a free SMS service and got their account hijacked. Or worse, their accounts were VAC banned because the 150th person that used that phone # cheated.

Lets say you change your phone number. Maybe you lost your phone. Maybe you're on a new contract. So you need to change it.

https://store.steampowered.com/phone/remove

Then select one of two options


1) Use SMS

This basically sends an SMS message to your existing phone. Then you can remove the phone # from Steam. When you get your new phone number, simply add it back using the "Adding A Phone Number To Your Account" section above

Of course this somewhat assumes you're thinking ahead.

2) Use SteamGuard codes

In this scenario you use a SteamGuard code in order to remove the phone number.


You may
* Use a SteamGuard code from your authenticator
* Use a SteamGuard code from your Backup SteamGuard codes

Remember back when I told you to generate a set of Backup SteamGuard codes?

Did you ignore that?

Yeah don't ignore that!

Go back and generate those codes right now!!

You need

1) To have the Mobile Authenticator on
2) Have the Mobile Authenticator on for 7 days straight

If any of the above isn't correct you will still be subject to 3 day trade holds.


In your browser click on your name then select Account Details

If your "Account Security" section looks like this



Note the yellow shield. That's wrong. Go back and activate the Authenticator properly

It should look like this



Note the green shield. That means you have the Steam Mobile Authenticator active on your account


After you activate the Steam Mobile Authenticator you must wait a 7 day cooldown before you are exempt from trade holds


If you ever remove the authenticator or change to the email authentication and go back to the mobile authenticator, that re-triggers the 7 day cooldown. You'll have to wait another 7 days after that.

1) Register a the Mobile Authenticator
2) Register a SMS # with Steam
3) WRITE DOWN YOUR R CODE
4) Generate a set of Backup SteamGuard Codes