This is what I get for switching from Ubuntu to mint and trying to use steam.
I wish they would just use a standard otp algorithm and I could easily use any auth app instead of a dedicated one
KeepassXC (a PC application) has a preset for Steam OTP parameters, if your Android/iOS app of choice allows you to use non-standard parameters I guess it should be possible to use them?
The only somewhat painful part for me was actually getting the OTP secret.
Thank you for this tip! I saw your comment and I checked my 2FA app, Aegis, and it has a “Steam” option as well!
(When creating an entry, you can just select “Type: Steam” instead of “TOTP”)
I think they got the hug of death when the Winter sale started.
Try the recovery codes would be what I’d do
Maybe try the I no longer have access to the “I no longer have access” button, unless the only option there related to point 1
If all else fails you could contact customer support
All options eventually led to customer support. So now I’m waiting for steam to give me permission to access my games . It’s frustrating that I can know my password and can access the email connected to the account. But for some reason that’s not enough .
That’s the point of real 2fa. And the process of activating it also makes it very clear. I find it incredibly frustrating when I activate 2fa on some service, and they allow email as a fallback that I can’t turn off. Cause that turns it back into single factor, being the email. That’s what the recovery codes are for.
Otherwise, if someone has access to your email, they can just reset the password and get access (cause that is the 2nd factor). Then they can change the associated email address and that’s that.
How is it not 2fa if it involves any method besides your password? Your password is factor 1, something else is factor 2. That can be a number of things.
Reset password via email. Reset second factor via email. Email is the only factor, neither password nor the 2fa.
Usually, the actual login is not the easiest target for an attacker, the recovery methods are. You call a helpline to get a second SIM for SMS codes. You guess (or dig up) answers to recovery questions if available. You get access to email accounts, e. g. via phishing.
If a recovery path for a security factor is weak, it ceases to be a security factor. By allowing both password and the second factor to be recoverable via email, both factors collapse into one: get access to the email and you’re in.
Like Randelung said, that would be true if you couldn’t reset you password via email. But as long as that’s possible the email can’t ever be the 2nd factor because it can be used to (re)set the 1st one.
A safer definition of what the 2 factors should be is “something you know” and “something you own”. The “know” is usually a password (which you can remember, but you should use a password manager these days so you can have a different password for every service). The “own” is typically a phone these days (generating a timed code, for example). But it doesn’t have to be, it can be a physically USB dongle or your fingerprint. The idea is that it’s something that can’t be overheard, or recorded via key logger or or even told to someone.
Steam does this better (as in safer) than most.
Steamguard blocked me from logging into my account because one of my devices is connected to VPN (different country) and other one doesn’t. What’s the point of a security feature if it can’t distinguish between legitimate login vs an attacker. I’m not using steamguard anymore. Would rather enter code from my email. Just dumb implementation tbh.