Steam Guard support

Hey folks. Something I've been trying to do lately is consolidating all my 2FA within the 1Password app. Two main longstanding apps that got in the way of that were the Battle.net Authenticator from Blizzard, and Steam Guard from Valve.

Today I finally found a workaround for the first. I deactivated my Authenticator from my phone, installed WinAuth on my computer, generated an Authenticator app within it and verified it with Blizzard, then exported the Authenticator app information from WinAuth in plaintext. I then took the whole otpauth://totp/BattleNet:Battle.net secret URL and pasted it in 1Password's One-Time Password field, and received back a functioning, correct code that helps me log in to my account. Great!

I tried to replicate this with Steam Guard, but:
1) The 1Password code generator correctly recognizes that the output is 5 characters long.
2) It outputs numbers instead of letters.

I'm aware that this is an extremely rare use-case scenario, but can the app be updated to support Steam Guard (or character string based 2FA outputs)?


1Password Version: 7.2.581
Extension Version: 4.7.3.90
OS Version: Windows 10 Build 1803
Sync Type: 1Password.com

Comments

  • bundtkate

    Team Member

    Hey, @clappingcactus! Much though I'd love to say yes (I hate having any 2FA outside of 1PW and SteamGuard bugs me too), I don't think this is something we're likely to do. For one, given the letters, it sounds like Steam may use something other than TOTP (HOTP, maybe? That's another popular one) and we only support TOTP in 1Password. In addition, Steam really wants you to just use SteamGuard. Yes, it's your choice to put in some extra effort to work around this and, if you manage it, we're not going to stop you but! We really can't account for how Steam will react to this. How much does their system for recovering your account if you lose your authenticator device depend on you having used SteamGuard specifically, for example? Will you get locked out if you store it in 1Password instead? We just can't say we support using 1Password for TOTP when the account you're protecting doesn't support it.

    All of that said, I'd be more than happy to pass your feedback along to the team, and I sincerely hope Steam and Blizzard both open up 2FA to whatever app you'd like to use one day. I've had to swap my Battle.net Authenticator between phones often enough, I'm well acquainted with that struggle and wouldn't wish it on anyone. Here's hoping! 🙏

  • Hi @bundtkate,

    First of all, thanks for the super prompt response (at 5pm nonetheless).

    Steam provides recovery codes (up to 20 of them) that can be used from within their app in case the 2FA fails. I'd hyperlink where the functionality is, but I think it's steam-desktop-client only to generate those. So adding the functionality to 1Password, especially in scenarios where the end-user is technical enough to use a workaround, shouldn't in effect really cause a significant overlap between people who go this roundabout method, and people who are careless enough not to have their backup codes on hand.

    That said, the plaintext export from WinAuth lists the Steam Guard info as follows: "otpauth://totp/Steam:Steam?secret=", so I think it might not actually be HOTP? That said, I'm not a coder and could well be wrong.

    Haha, much as I hope with you that Blizzard and Valve change their policy, I don't know if it will ever happen, given that providing users with added security is only a secondary goal to having their own apps.

  • bundtkate

    Team Member

    I'm not a coder and could well be wrong.

    That makes two of us, @clappingcactus, don't worry. You are definitely not alone. :lol: Honest, I'm guessing at best re: both companies' motivations for trying to keep things proprietary and that answer may be of no relevance in the end. If they do use standard TOTP and the workaround is generating a proper URL (URI? My non-coder is showing here) for you, then it honestly should work fine with 1Password out of the box. Standard disclaimer about the site not supporting using a non-proprietary app meaning weird things could happen still applies, but as I said before, I'm not one to stop folks from taking risks they understand and want to take.

    Absent additional knowledge about WinAuth and the underlying design of Steam's TOTP, I'm not sure I'd personally be of much further help, but if anyone would have some insight here, I'd think @rickfillion would be a good bet. I'm sure he's off the grid for the day, but he may catch a moment tomorrow to share his better-informed thoughts. :chuffed:

  • bundtkate

    Team Member

    @clappingcactus: So I had a chat with a few folks about this and the short version is that unless Blizzard and Steam decide to make this easier for us, we're not going to be dedicating resources to making 1Password work for something it's technically not intended to. I wholly understand and respect the fact that having tons of different authenticator apps for different things is a giant pain and hate it as much as anyone, but the fact of the matter is that very few folks are going to go out of their way as you have to work around this. It would be extremely difficult to make changes to 1Password to support these OTPs when Steam and Blizzard are most certainly not going to want to help and have actively put obstacles in our way.

    I'm sorry I don't have better news for you, but I do still have my fingers crossed this won't be a permanent frustration. 🤞

  • Thanks for asking and replying @bundtkate :) One day!

  • bundtkate

    Team Member

    It's no trouble at all, @clappingcactus. :chuffed: I try to keep the apps I use on my phone to a single page when possible, so you can imagine I'd be particularly delighted to be able to ditch a few. :wink: Here's hoping!

  • Someone here in the forum suggested that it is also a TOTP but with another alphabet (can't find the posting anymore).
    However, I have not looked into it in detail, but the code for how it is done is open source:
    https://github.com/DoctorMcKay/steam-twofactor-server

    Maybe the 1password team will integrate this, so we can remove one more app from our phones.

  • Greg

    Team Member

    Hi @soulflyman,

    If Valve or Blizzard want you to use their official apps (SteamGuard and Battle.net Authenticator) and have no interest in supporting third-party authenticator apps for their services, I do not think that we will support it. Please see the reply from Kate above. Thanks! :+1:

    Cheers,
    Greg

  • edited December 2019

    Late reply, and I'm sure this is low priority, but the algo needed to transform steam secrets into TOTP can be found here:
    https://github.com/fortis/go-steam-totp/blob/master/steam_totp.go

    Obviously this would entail 1password having enough access to obtain said secret, so it's probably not feasible given the application delivery mechanism and usability standards.
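The transformation this thread keeps circling, as an added Python example that is not part of any post and is not code from 1Password or the linked projects: the HMAC-SHA1 and truncation steps are the same as standard TOTP, and only the final encoding differs, using the 26-symbol alphabet the open-source Steam implementations use. The URI below is constructed from the RFC 6238 test key, not a real Steam secret, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# 26-symbol alphabet used by open-source Steam Guard implementations.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"
# Constructed sample: Base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_URI = "otpauth://totp/Steam:Steam?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def secret_from_uri(uri):
    """Return the raw key bytes from an otpauth://totp/ URI."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    values = parse_qs(parsed.query).get("secret")
    if not values:
        raise ValueError("URI has no secret parameter")
    secret = values[0].replace(" ", "").upper()
    # Authenticator exports usually drop Base32 padding; restore it.
    return base64.b32decode(secret + "=" * (-len(secret) % 8))

def truncated_hmac(key, unix_time, step=30):
    """Shared core: HMAC-SHA1 over the time counter, then the 31-bit
    dynamic truncation from RFC 4226."""
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF

def standard_totp(key, unix_time, digits=6):
    """What a numbers-only generator shows: the value modulo 10**digits."""
    return str(truncated_hmac(key, unix_time) % 10 ** digits).zfill(digits)

def steam_guard_code(key, unix_time):
    """Steam-style output: five base-26 symbols, least significant first."""
    value = truncated_hmac(key, unix_time)
    chars = []
    for _ in range(5):
        value, index = divmod(value, len(STEAM_ALPHABET))
        chars.append(STEAM_ALPHABET[index])
    return "".join(chars)

if __name__ == "__main__":
    key = secret_from_uri(SAMPLE_URI)
    print(standard_totp(key, 59, digits=5), steam_guard_code(key, 59))
```

The same key and timestamp yield a five-digit number from the standard path and a five-letter code from the Steam path, which is the mismatch described in the original post.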

  • bundtkate

    Team Member

    Thanks for sharing, @AsParallel. As you noted, we're definitely not about having the sort of access that would allow us to obtain any of your secrets. And, regardless, it really boils down to what Greg and I both discussed earlier – if a given account has put restrictions into place in an effort to force you to use a proprietary authenticator app, whether or not they've succeeded completely, we're not comfortable intervening there. For folks with sufficient technical knowledge to make this work in 1Password, there are options and we're certainly not going to stop y'all from using them, but Steam, etc. are going to assume that you're using the app they want you to (and not without reason). This means you're putting yourself at some risk that they'll change something and cause your OTP to stop working. It's obviously your choice to take that risk, but we shouldn't be making that choice for folks so we're almost certain to leave it up to y'all unless and until these sites/accounts change their policy.

  • Hi,

    Steam is the biggest company in PC gaming (and beyond), with millions of users. Other competing products to yours (which are even free), like Bitwarden, KeePass and Keeweb, already support generating OTP codes that use letters (instead of just numbers like yours), which can be used for Steam completely transparently. Since the URI is exactly the same as with other OTP schemes, you only paste the otpauth://totp/Steam?secret=X12345678X and they start outputting OTPs including letters, while your OTP generator only outputs numbers.

    Are you still not considering supporting letter generation for OTPs? It's not only for supporting Steam (which should be enough, considering its popularity and that your competitors have been doing this since 2018), but for all the other OTPs from services using the same scheme.

    Thanks.

  • ag_ana

    Team Member

    @Dan_Aykroyd:

    Nothing changed since the last time we discussed this. We appreciate you taking the time to share your feedback with us though! :+1:

  • OK then, hopefully one day you will reconsider this.

    For anybody interested in doing this, I'm falling back to the following workaround using a free password manager that actually supports this (KeeWeb) to generate OTPs for the Steam entry when needed. It's the fastest way I've found yet and allows me to remove the Steam app from my phone:

    • Keep the Steam otpauth URI in 1Password saved as a text field
    • When prompted to enter the OTP by Steam, go to https://app.keeweb.info, click New, click + New Entry and paste the otpauth URI that you kept saved in 1Password in a new field named otp (this exact name is needed so KeeWeb knows it needs to generate OTP from the URI you paste there, instead of saving as a plain text)
    • Once you focus out of that field, you will get the token ready to copy and paste in Steam. Just copy it by clicking on the field name

    This is really fast, takes less than a minute to achieve and KeeWeb is free and open-source (it runs in your browser purely on JavaScript), so it doesn't require creating a new account or anything to start using it right away. Hopefully 1Password will support Steam one day, so we don't have to jump through hoops to achieve what we have been able to do with other free password managers for quite some time.

    Creating Entry in KeeWeb

    Viewing Steam OTP in KeeWeb

  • ag_ana

    Team Member

    @Dan_Aykroyd:

    Isn't this more complicated and slower than just using the Steam authenticator app?

    From a security point of view, we also cannot recommend pasting your 2FA secret on an external website, so this workaround is not something that we can endorse.

  • For me it's better to do it like this instead of keeping another app draining battery while waiting to receive push notifications just to confirm once per month that I'm logging in to the Steam website.

    Regarding pasting the secret you are right about doubting, so it will be the decision of whoever wants to do this. KeeWeb is a known password manager that is open-source (so anybody could take a look at what's going on under the hood), but this can also be achieved on other well-known password managers like KeePass (also open-source; KeeWeb forked from this) or BitWarden (freemium) if preferred. And also, we are just pasting a random secret not tied to any username/password for the algorithm to generate the token, so it's useless by itself if somebody gets a hold of it.

  • ag_ana

    Team Member

    @Dan_Aykroyd:

    For me it's better to do it like this instead of keeping another app draining battery while waiting to receive push notifications just to confirm once per month that I'm logging in to the Steam website.

    Got it, I understand.

    Regarding pasting the secret you are right about doubting, so it will be the decision of whoever wants to do this.

    I totally agree, I just thought it would be a good thing to clarify that this is not an officially supported solution from our side. If the Steam authenticator doesn't follow the TOTP standard and implemented their own solution, we recommend using the Steam authenticator app for this :+1:

  • I'm onboard with working around the Steam phone app. Their app blows, uses lots of battery, constantly forgets the login information, and is basically a pointless app with only one function - SteamGuard. I'd love to have a method for not using it. It's infuriating that a company like Steam, that built its dominance through ease of use is completely pooping on that and forcing us into their ecosystem unnecessarily. I get that I'm in a minority here, but oh I would love it if 1password could provide like a "non-approved beta feature" for advanced users.

  • ag_ana

    Team Member

    We appreciate your feedback about this @SanityFox, thank you for taking the time to share your thoughts :)
