Steam Mobile Authenticator is a joke. Support TOTP/HOTP.
The justification for the Steam Mobile Authenticator to avoid 15-day market holds is asinine. Steam still insists on emailing 2FA codes for regular sign-ins, and setting up the Mobile Authenticator in the first place is done via an SMS 2FA code. Neither of these are particularly secure means of 2FA. The Steam Mobile Authenticator also isn't password protected and it's built into a Steam app that keeps the user logged in, so if you have access to someone's phone with the Steam app installed, you would have complete control of their account and inventory. That would not be the case for OTP apps, which are typically secured with a password by default, and which of course cannot also be used to control a logged-in Steam account.

It is ridiculous to use 2FA via SMS in order to set up a proprietary 2FA system via the Steam app when you could just use TOTP/HOTP from the beginning. That would make everyone more secure, including users who don't want to use the Steam mobile app, and it would improve the market and sign-in experience for users without the app as well. You could also of course support TOTP/HOTP in addition to the Steam Mobile Authenticator, so at least people who know enough to care would be able to benefit and nobody would have reason to complain.

Given how bad the Steam Mobile Authenticator is compared to just using TOTP/HOTP and how much simpler it would have been for Steam to just use the existing standard, it is abundantly clear that Valve just wants people to download the Steam app. It's not really about security; it's about them making more money. I will not keep the Steam app on my phone on principle, so all this design choice accomplishes is making me resent Steam and its progressive enshittification. Between this and the unacceptably high RAM use from the Steam desktop app, which is basically just a glorified Chrome browser even in Small Mode, I have never been closer to switching to GOG as my primary marketplace.
Last edited by notstarboard; 18 Dec @ 8:16pm
Originally posted by William Shakesman:
Originally posted by notstarboard:
Originally posted by Nx Machina:

It is a discussion forum for suggestions and ideas and there have been numerous threads about the same topic. Valve wants their own app, and they can because like any online business they can choose what is. My bank for example has their own app.
I'm sympathetic to not wanting tons of spammy posts about the same topic, so perhaps link some of them here? Seems to me that many posts saying the same thing would be a good indication that Valve actually should do this, but as you say, they just want people to use their app. The thing that rubs me the wrong way, though, is them insisting it's for security reasons, when in reality it's almost certainly just greed.

Certainly doesn't make me feel obligated to keep their forums tidy and free of dissent, even if I acknowledge it must be annoying for people who hang out here.
Every time these threads come up, the usual responders who have no experience with these systems nor responsibility for these systems continue to provide materially false responses and have to be corrected by the requester repeatedly. At this point, it would be more helpful if those responding searched for the previous threads on the same topic than the guy making a new thread on it.
Satoru 18 Dec @ 12:50pm 
The Steam Mobile Authenticator is a TOTP authenticator with push capabilities. It does exactly what you are requesting

The phone number is primarily used as an account recovery mechanism. It is not a primary MFA mechanism Steam uses.

You are no more or less secure using the Steam Mobile Authenticator than you are any other authenticator
Last edited by Satoru; 18 Dec @ 12:51pm
notstarboard 18 Dec @ 12:53pm 
Originally posted by Satoru:
The Steam Mobile Authenticator is a TOTP authenticator with push capabilities. It does exactly what you are requesting
No, it does not. I want Steam to comply with the open standard, meaning that users could use any app they'd like to authenticate and would not need to have the Steam app installed. The Steam app being TOTP under the hood does not help things. On the contrary, requiring SMS 2FA to set it up and having it in the same app as a logged-in Steam account actually hurts things.
Satoru 18 Dec @ 12:56pm 
Originally posted by notstarboard:
Originally posted by Satoru:
The Steam Mobile Authenticator is a TOTP authenticator with push capabilities. It does exactly what you are requesting
No, it does not. I want Steam to comply with the open standard, meaning that users could use any app they'd like to authenticate and would not need to have the Steam app installed. The Steam app being TOTP under the hood does not help things. On the contrary, requiring SMS 2FA to set it up and having it in the same app as a logged-in Steam account actually hurts things.

Note that the authenticator follows the RFC to the letter. There's no actual requirement to allow the seed to be used by other authenticators

Plus you then can't get push notifications nor can you use QR code logins either

Which again does not make the Steam Authenticator less secure in any way.

Again the phone SMS is only used for account recovery and is not a primary MFA mechanism.
Last edited by Satoru; 18 Dec @ 12:57pm
Originally posted by Satoru:
The Steam Mobile Authenticator is a TOTP authenticator with push capabilities. It does exactly what you are requesting

The phone number is primarily used as an account recovery mechanism. It is not a primary MFA mechanism Steam uses.

You are no more or less secure using the Steam Mobile Authenticator than you are any other authenticator
To respond to your edit, I just attempted to set up the Mobile Authenticator, and it sent me an SMS 2FA code. I typically get 2FA codes via email for Steam, but not this time. Neither is secure compared to TOTP, and neither would be necessary if Steam actually broadly supported TOTP.

As I alluded to above, you *are* less secure using the Steam Mobile Authenticator than any other TOTP app because it is built into the Steam app, where most users will already be logged into a Steam account.
Satoru 18 Dec @ 12:59pm 
Sorry that confirming your recovery mechanism actually works is some kind of problem? Would you want people to have an out of date recovery mechanism? Because that sounds like a great way to get people locked out of their accounts

If you are that paranoid about the app, the app allows you to have biometrics (faceid or fingerprint) to access the entire app or parts of the app. Not to mention this requires physical access to your phone, at which point you've already lost
Last edited by Satoru; 18 Dec @ 1:00pm
Originally posted by Satoru:
Originally posted by notstarboard:
No, it does not. I want Steam to comply with the open standard, meaning that users could use any app they'd like to authenticate and would not need to have the Steam app installed. The Steam app being TOTP under the hood does not help things. On the contrary, requiring SMS 2FA to set it up and having it in the same app as a logged-in Steam account actually hurts things.

Note that the authenticator follows the RFC to the letter. There's no actual requirement to allow the seed to be used by other authenticators

Plus you then can't get push notifications nor can you use QR code logins either

Which again does not make the Steam Authenticator less secure in any way.
You are missing the point. I am not saying that the method Steam uses to generate its codes in the mobile app is insecure.

QR code logins and push notifications are not essential features. I have no interest in either. I just want to have a more secure Steam account and participate in the market without 15-day holds without having the Steam app installed.
Last edited by notstarboard; 18 Dec @ 1:11pm
Originally posted by Satoru:
Sorry that confirming your recovery mechanism actually works is some kind of problem? Would you want people to have an out of date recovery mechanism? Because that sounds like a great way to get people locked out of their accounts
What are you even talking about?
Originally posted by Satoru:
If you are that paranoid about the app, the app allows you to have biometrics (faceid or fingerprint) to access the entire app or parts of the app. Not to mention this requires physical access to your phone, at which point you've already lost
I am not paranoid about the app. It is a personal preference to keep a lean software install on my phone. I have no interest in installing apps I will use rarely, especially when they are not FOSS, and especially when they provide no value over the web version.

There would be absolutely nothing wrong with Steam using TOTP via any authenticator app as their primary 2FA method. Most (all?) of Valve's competitors do this, and you could let users set up other 2FA methods for account recovery if they so choose.

Add: Biometrics should never be used as a password: only as a username. If I had my Steam account secured with a separate TOTP app and someone had physical access to my phone, it would do them no good, because they would need a password to access the TOTP code and they would need a different password to access my Steam account information. That is a much more secure setup than keeping an account with access to your credit card information always logged in, which is how the Steam app works.
Last edited by notstarboard; 18 Dec @ 1:24pm
Thanks for the Steam points, champ! So glad you took the time to read the post and understand my issue :)
Can you explain why I have never lost access to my Steam account despite you claiming it is less secure? The app was introduced in 2015. That is 10 years of securing my account; in fact I have never lost access to my Steam account in 21+ years because I do not give away my account details.
Last edited by Nx Machina; 18 Dec @ 1:37pm
nullable 18 Dec @ 1:33pm 
Yeah if it's so awful and Valve's competitors do what you want... kinda seems like you should shop with Valve's competitors.
Originally posted by Nx Machina:
Can you explain why I have never lost access to my Steam account despite you claiming it is less secure? The app was introduced in 2015. That is 10 years of securing my account; in fact I have never lost access to my Steam account in 21+ years because I do not give away my account details.
You are one person and 2FA is just one factor in account security.

The Steam Mobile Authenticator is less secure than using a separate TOTP/HOTP app, while simultaneously being inconvenient, as you are required to install an app specifically for Steam if you want to participate in the marketplace without restrictions. My primary concern *is not* security, but Steam's primary justification for the Steam Mobile Authenticator is security, and it is worse at that than just using the same thing everyone else uses, namely TOTP/HOTP. This is why I am calling the SMA a joke, and why I am asking for them to support TOTP/HOTP through any authenticator app that supports those standards.
Originally posted by nullable:
Yeah if it's so awful and Valve's competitors do what you want... kinda seems like you should shop with Valve's competitors.
I assume you are aware that the entire point of this subforum is for suggestions and ideas and that 2FA is only one relatively minor piece of why I would choose a marketplace to buy games?
Originally posted by notstarboard:
You are one person and 2FA is just one factor in account security.

Just one person?

There are a multitude of people who have never lost access to their Steam account. The very ones who do not give away their account details.

Originally posted by notstarboard:
The Steam Mobile Authenticator is less secure than using a separate TOTP/HOTP app

Less secure?

If it is less secure, let's test that theory?

What is my account name?

What is my password?

If you get both right I will authorise the login.

As a sidenote: People lose access to Ubisoft, Blizzard, EA accounts etc and what do they all have in common? They do not use the Steam Mobile app you claim is less secure.
Last edited by Nx Machina; 18 Dec @ 1:46pm
Originally posted by notstarboard:
I assume you are aware that the entire point of this subforum is for suggestions and ideas and that 2FA is only one relatively minor piece of why I would choose a marketplace to buy games?

It is a discussion forum for suggestions and ideas and there have been numerous threads about the same topic. Valve wants their own app, and they can because like any online business they can choose what is. My bank for example has their own app.
Last edited by Nx Machina; 18 Dec @ 1:49pm