
I'm all on-board that Valve is recently pushing for two-factor authentication on Steam accounts. I'm not happy that they force you to use the Steam mobile app because both on iOS and Android, it's a piece of trash. Plus, I already use Google Authenticator for my other two-factor needs.

Does anyone know if Steam uses a rolling code algorithm compatible with standard rolling code generation software? With the right information, can I use GA for Steam? Or is it simply a timed code issued only to some unique ID associated with a mobile app installation linked to your account?

David Cowden
  • 2
    I'm not sure that we can answer this. Even if we did, Valve could change it without announcement as it's a proprietary tool. – Neil Smithline Jan 06 '16 at 04:29
  • Well that sounds like an answer. I didn't know it was proprietary. Do you have a source stating their two-factor auth API is proprietary? Generally an API isn't proprietary and the DMCA protects me if I want to write something that inter-operates with one. I guess no one has done any independent research? – David Cowden Jan 06 '16 at 05:27
  • It is proprietary by the fact that they don't use something like GA. Perhaps it's been researched but I doubt anyone here will know. Perhaps someone will answer. You never know. – Neil Smithline Jan 06 '16 at 05:32
  • I'm being pedantic, but that's not really a thorough definition of proprietary. You never know, maybe someone will (= – David Cowden Jan 06 '16 at 05:33
  • 2
    Perhaps 'trade secret' would be better? – Neil Smithline Jan 06 '16 at 05:37
  • I'm voting to close this question as off-topic because it asks about the internal operation of a proprietary system. We can't know the answer. – Bob Brown Jan 06 '16 at 16:36
  • @BobBrown I thought it might be interesting to look into how this system works. Please close the question; there's no way I can improve it to make it more about information security. Is there a more appropriate community to have interesting discussion about existing real world security systems? If I asked about the encryption algorithm Apple's *Fairplay* uses I could point you to sources researching the topic even though it's "proprietary". Sigh... – David Cowden Jan 07 '16 at 00:19
  • David - This is not a discussion forum, so questions asking for discussion will not work here. – Rory Alsop Jan 07 '16 at 14:52
  • @RoryAlsop my question explicitly asks for an answer, not discussion (my bad for using that term in my comment). What I meant is: usually questions that don't have immediately apparent answers provoke discussion around determining the answer and you often see such "discussion" accompany good answers here. Something along the lines of: "By realizing x, then doing y, I came to the conclusion z, which answers your question". – David Cowden Jan 07 '16 at 20:02
  • I mean look at this question on two-factor auth: http://security.stackexchange.com/questions/24652/two-factor-authentication-when-is-it-worth-it?rq=1 It asks, "when is it worth it?" which is very obviously an answer that needs accompanying discussion or explanation. The answer in the first sentence alone would not be very useful to anyone, "it's worth it when single factor is not enough". The answer proceeds to explain why the given conclusion is valid. I'd say that's pretty close to a discussion, albeit arguably biased toward the answer being defended... Anyway, s/discussion/explanation – David Cowden Jan 07 '16 at 20:07

0 Answers