Feature Request - Steam Guard OTP Support [No third party app support]

Krzaku
edited September 2018 in Windows

It's possible to get the secret from the Steam mobile app. We can then use that secret to generate Steam specific OTP which includes letters. It is already supported in WinAuth (https://github.com/winauth/winauth), which is open-source, and copying the implementation can't be that hard. I would like to request support for Steam Guard OTP in 1Password apps.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • I've wanted this as well, but I think it may be more worthwhile to petition Steam to use the standard. Kind of absurd for everyone to slightly modify OTP for no real reason.

  • brenty

    Team Member

    While I'd personally like to consolidate Blizzard, Steam, and others in 1Password, we don't currently have plans to support any proprietary two-factor "standards", as they're subject to change and not officially supported. But it's really cool to see what WinAuth is doing there. :)

  • Battle.Net authenticator IS supported, it uses standard 8-number TOTP. The issue with Steam is it uses both characters and numbers. The basic implementation to support this is literally like 40 lines of code. I can send you a GIST and you will have most of the work done for you.

  • brenty

    Team Member

    @Krzaku: When did Blizzard switch to TOTP? I got it working a while back, but they were definitely not using the TOTP standard at that time.

  • I think it's been that way from the start. It is TOTP, but they don't allow you to just use any TOTP app officially. You have to use a 3rd party app to extract the secret (I used https://github.com/jleclanche/python-bna), and then you can add it to whichever TOTP generator you like.

  • brenty

    Team Member
    edited July 2018

    @Krzaku: Ah, I may have been thinking of something else then. If so, that's not great from a user perspective (having to "extract" the secret to use it in another app), but it's pretty cool if it works. I'll have to mess around with that later. Thanks! :)

  • I can confirm this works. But you have to remove your mobile authenticator, add the python one to your account, then restore your mobile authenticator with the restore code from python. Tedious, but it does work! Thanks for sharing.

  • MikeT Agile Samurai

    Team Member
    edited September 2018

    That's great but we have to be careful here, we can't adopt something that's not officially supported. Imagine if Steam changed it while updating their apps and no one can sign in because we didn't match up with them.

    So, as long as Steam doesn't officially support third party clients, we will not work around them.

  • @MikeT how about extending this feature request to add support for 3rd party plugins to the app? It's doable even now but you have to mess around with a decompiler. It would be nice if there was native support for something like this, like KeePass has.

    By the way, it's right there in the name, "1password", yet you say you will not work around because a company does not support a certain spec. Let's face it, they probably never will, same for blizzard (it does support TOTP but not officially). And I'd wager there are many more companies like this. So it becomes "1password + however many other apps you really need to log in to a service".

  • bundtkate

    Team Member

    @Krzaku: I think Mike's concern is that any company can and will make the assumption that their customers are using features of their service in a manner they support. So, Steam will assume you're using the Steam Guard app for 2FA and could potentially make changes to their system under that assumption that would break things and lock you out if you're not. Might it be a bit paranoid? Sure, but if we actively encourage folks to take that risk by working around Steam's and Blizzard's restrictions in some way, then we are putting customers who may not understand the risks at risk of getting locked out. Yes, many of y'all get this and are willing to take that risk and yes, it may well never ever happen that it's a problem, but it's our job to plan for these worst case scenarios and ensure we're not encouraging risky behavior. Some folks are going to do this anyway and that's fine, we're not going to stand in your way, but we're also not going to go out of our way to make it easier for folks who may not fully understand the risk they're taking, however small it might turn out to be in reality.

  • I understand you guys need to take into consideration regular people that just want to save passwords and that's it, but I think it would be nice if you could cater to the power users as well. That's why I mentioned implementing a plugin framework, I think that would make everyone happy and you wouldn't have to worry about what you described. I tried doing it on my own using 0harmony but it doesn't seem to play well with your binaries and doesn't want to load my assemblies. But with direct editing of the assemblies it is quite easy to implement what I want, but it has to be implemented on every update which is a pita (it really is just a few lines in the Totp class though).

  • bundtkate

    Team Member

    Oh, for sure @Krzaku, I never want to say power users don't matter. Of course, what qualifies as a power user feature can easily be a topic of debate, but I think most of us would qualify as power users ourselves and we love when we can add new features for y'all without tripping up those looking for just the basics. I hope we never stop being open to these sorts of things and I'm certainly not saying we'll never do anything ever to support different TOTP schemes (or other 2FA schemes generally for that matter), only that we must be careful about it and ensure we're doing so in such a way that keeps all of our customers safe, regardless of their savvy, and in this case that seems a tall order. The idea of plugins is interesting and, although I don't see it as something we'll be considering any time soon, I'll be happy to pass it along to the team. :chuffed:

  • jan789
    edited January 2019

    I've wanted this as well, but I think it may be more worthwhile to petition Steam to use the standard. Kind of absurd for everyone to slightly modify OTP for no real reason.

    How would we do the petition?

    It's also absurd for companies to expect us to install a unique app that does 2FA for their product and nothing else. Not everybody has a fancy enough phone to put on dozens of apps (not everyone has a smartphone at all, but that's a different issue). Why can't Steam just support OAuth and Microsoft Authenticator and the 1Password solution and whatever else might be usual, and let everyone use whatever they already have?

  • brenty

    Team Member

    Actually, many folks prefer using a separate authenticator app, since that's a more discreet second factor. Not my personal preference, since 1Password is a secure place I can store my stuff, but worth noting.

    Anyway, as far as the rest, those would be questions for Valve. We can't really speak for them. :)

  • Bump. The desktop app has barely seen any (tangible) updates since I started this thread. Would you reconsider adding support for this? You wrote you didn't want to add support for this before "as they're subject to change", but well... It's been 2 years since I started the thread and they still have not changed it. Even more if you count since the time they introduced OTP. "we can't adopt something that's not officially supported" I don't see why not, people do it all the time when integrating systems/APIs that were not meant to be integrated elsewhere. If you personally do not want to support it then at least make it possible for the community to do so. Don't force people into editing your assemblies...

  • ag_ana

    Team Member

    @Krzaku:

    From MikeT's post earlier in this discussion, unless Steam officially starts supporting third party clients, this is not something we can consider doing. We don't know what their future plans are, but perhaps things will indeed change in the future. It doesn't look like there have been any changes since you opened this post however, so for now we have nothing new to share, sorry!

  • We all know this will never happen. Stop trying to cover yourself saying "unless they do this, we can't do anything about it, it's not our fault". You know what would happen if I were to tell my boss that I can't implement a feature because another company is using a non-compliant format or is doing something non-standard? I would've been fired, and another person would happily implement that feature. There is zero reason for you to lock users in like you do. Unless you were trying to lock them in your own closed ecosystem so they can't go anywhere else. Many other password managers allow users to expand the original capabilities of the software, you do not.

    Honestly, I do not feel like I'm getting my money's worth out of this service. I've been using it for almost 3 years, paid around $165 and for what? For you to do exactly the same (or less) as other, sometimes free, services? You're resistant to change, you're patronizing to your users, and the software is subpar in comparison to alternatives.

    I do not mean anything in this post personally. Just my own thoughts on the AgileBits company. Pass it on to your superiors or do not, I don't care.

  • gadget78
    edited May 17

    @Krzaku would love to know more details on how differently their OTP is implemented?
    and what "...few lines in the Totp class..." needed editing?

    is it that they just use more of the character set? as in characters and numbers, like our password generator options!
    or that it's 8 digits long and not 4 or 6?
    EDIT1 found it's not length restricted, as "&digits=8" at the end of the string works! EDIT1
    anyhow all this could JUST be incorporated into the proper makeup string for OTP, so normal peeps wouldn't need to know...
    for e.g.

    otpauth://totp/Blizzard:EU123412341234:?secret=ASFAS75ASDF75889G9AD7S69AS7697AS&issuer=Blizzard&digits=8

    oddly the links put in before even suggest that 1Password works!?
    https://github.com/jleclanche/python-bna
    although the above example does not!
    and that is the proper syntax for an OTP which works in the other authenticators
    EDIT2
    got it to work, the secret wasn't encoded in base32, once it is, it accepts it, so should be ...
    otpauth://totp/Blizzard:EU123412341234:?secret=IFJUMQKTG42UCU2EIY3TKOBYHFDTSQKEG5JTMOKBKM3TMOJXIFJQ&issuer=Blizzard&digits=8
    I just used the online encoder here...
    https://emn178.github.io/online-tools/base32_encode.html
    EDIT2

    also just to note...
    https://github.com/winauth/winauth
    does list that it supports the 4 main types (totalling 20 sites if you count them)
    and this is of course open source, so all details are there...

    surely having on the 1Password features list that it incorporates the WinAuth standards would be a BIG plus! and all details are there for the taking, and it would then be the class-leading standalone single password place, no separate apps like other popular password managers ;) ..

  • after a bit of digging, I see that YubiKey HAS added support for this...
    https://github.com/Yubico/yubioath-desktop/issues/72
    they implement it by using the URI STANDARD
    https://github.com/google/google-authenticator/wiki/Key-Uri-Format
    and using the label/credential entry, triggered by the prefix Steam: (and other prefixes I'm sure, like Blizzard: as above)

    so when it sees this credential it will use the alphanumeric base, and not the numeric base TOTP type ...
    and it seems alphanumeric vs. numeric is the ONLY difference here
    then this could be added, and thus will then support all those other TOTPs that use that "standard"! ..
    which is a lot, from what I can see, around 15 places (mainly different game devs!)
    so no real GUI needed, just parsing of that URI needed... even if it's JUST triggered by a few labels, then us power/end users can easily implement it :)
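The two variants the thread contrasts, as an added example that is not code from WinAuth, Yubico Authenticator or 1Password: standard RFC 6238 TOTP with a configurable digit count (the Blizzard `digits=8` case above) next to the Steam Guard encoding, with the encoding chosen by a `Steam:` label prefix in the otpauth URI the way the YubiKey issue describes. It assumes the 26-character Steam alphabet used by WinAuth's open-source implementation; the secrets and URIs in the comments and test are constructed (the RFC 6238 test-vector key), not anyone's real credential.

```python
# Added example: RFC 6238 TOTP (numeric) and the Steam Guard alphanumeric
# variant, dispatched by the otpauth label prefix. Not WinAuth's or 1Password's code.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Assumption: the 26-symbol alphabet WinAuth's Steam authenticator uses.
STEAM_CHARS = "23456789BCDFGHJKMNPQRTVWXY"


def parse_otpauth(uri):
    """Return (label, secret bytes, digits, period) from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)  # restore base32 padding the URI omits
    return (unquote(u.path.lstrip("/")), base64.b32decode(secret),
            int(q.get("digits", 6)), int(q.get("period", 30)))


def truncated_hmac(secret, counter):
    """RFC 4226 dynamic truncation: 31-bit int from HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF


def totp_numeric(secret, digits=6, period=30, now=None):
    """Standard TOTP: decimal code zero-padded to `digits` (6, or 8 for Blizzard)."""
    now = time.time() if now is None else now
    return str(truncated_hmac(secret, int(now) // period) % 10 ** digits).zfill(digits)


def totp_steam(secret, period=30, now=None):
    """Steam Guard variant: same HMAC, but five base-26 symbols from STEAM_CHARS."""
    now = time.time() if now is None else now
    value, code = truncated_hmac(secret, int(now) // period), ""
    for _ in range(5):
        code += STEAM_CHARS[value % 26]
        value //= 26
    return code


def code_for_uri(uri, now=None):
    """Select the encoding by label prefix, as the YubiKey issue above describes."""
    label, secret, digits, period = parse_otpauth(uri)
    if label.lower().startswith("steam:"):
        return totp_steam(secret, period, now)
    return totp_numeric(secret, digits, period, now)
```

Everything up to the truncated 31-bit value is identical for both variants; only the final encoding of that value differs, which is the "few lines in the Totp class" the thread refers to.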

  • ag_ana

    Team Member

    @Krzaku:

    We all know this will never happen.

    We cannot know that for certain: we support websites which follow the TOTP standard, so if Steam starts using the same method, 1Password will definitely be able to support this 2FA too, like all others. Currently it doesn't look like this is possible yet, but you never know if things will change in the future :)

    You know what would happen if I were to tell my boss that I can't implement a feature because another company is using a non-compliant format or is doing something non-standard? I would've been fired, and another person would happily implement that feature.

    I think it's a bit different in this case: our decision is not to support this in 1Password if the company does not support third-party clients (for the reasons explained earlier in this discussion). So it's not the decision of an individual developer, but rather our general approach to this.

    There is zero reason for you to lock users in like you do. Unless you were trying to lock them in your own closed ecosystem so they can't go anywhere else. Many other password managers allow users to expand the original capabilities of the software, you do not.

    Perhaps I am misunderstanding, but how do you mean that we are locking users in in this case? It seems like this is a different topic from the Steam 2FA support discussion, but you can already export your data anytime.

    Honestly, I do not feel like I'm getting my money's worth out of this service. I've been using it for almost 3 years, paid around $165 and for what? For you to do exactly the same (or less) as other, sometimes free, services? You're resistant to change, you're patronizing to your users, and the software is subpar in comparison to alternatives.

    Sorry to hear this! We want you to be happy with 1Password, but we certainly don't want you to feel like this. I am hoping that 1Password has been adding value in these almost three years, even without support for Steam in this specific case. And if you have specific feedback about other features you think we should add or improve, please let us know either in the forum or via email at [email protected], and we will be happy to address your concerns :+1:

    I do not mean anything in this post personally. Just my own thoughts on the AgileBits company. Pass it on to your superiors or do not, I don't care.

    And we really do appreciate your feedback! We love everything that can make 1Password better, so thank you very much for taking time out of your day to share this feedback with us! It's great that you are so passionate about 1Password, and we will continue doing our best so it can live up to your expectations :)
