Feature request: Support for TOTP with custom encoders - Like Steam

Options
davidolrik
davidolrik
Community Member
in Desktop betas (Mac, Windows, and Linux)

Some sites use a variant of TOTP where they encode the result of the standard TOTP.

Here are two examples of the algorithm Steam uses:

There is even a generalised plugin for Keepass https://github.com/KeeTrayTOTP/KeeTrayTOTP that has support for Steam and other variants of TOTP.

Would you consider adding this feature to 1Password?

--
Best regards,
David Jack Wange Olrik

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided

Comments

  • Jack.P_1P
    Jack.P_1P
    Options

    Hey @davidolrik:

    Thanks for the feedback! As someone with way too many games in my Steam account, I can definitely see how it would be handy to have everything in one place. However, this is something that we've discussed before internally, and as it currently stands, it's something we're unlikely to do.

    Because Valve is expecting that the authenticator app is the one that they've released, they may make changes that may render our algorithm inaccurate and potentially lock you out of your account. If Valve wants you to use their Steam mobile app for two factor authentication, we think we should respect their decision.

    Jack

  • davidolrik
    davidolrik
    Community Member
    Options

    I see your point, even though their 2FA app is really bad.

    Would still be nice to have the Steam 2FA in 1Password and the bad Steam app as a backup.

  • Tertius3
    Tertius3
    Community Member
    Options

    This way, my security is lowered by company decision. I don't blame 1Password (they are only the messenger, not the offender), I blame Valve. I refuse every non-standard TOTP app, because if I start using one, they multiply and I end up having my phone overflow with authenticator apps. If it's not standard RFC 6238, it's not TOTP.
    So I didn't activate Steam's TOTP, I'm using the email authentication instead, which is definitely less secure.

  • Ben
    Ben
    Options

    I would also very much prefer to use 1Password for all OTP codes and not install any other authenticator apps. The difficulty for us as a product is that if we include workarounds to support non-standard OTP implementations, and they break due to the site changing things, that wouldn't be a great customer experience. It would reflect poorly on us, and cause an increase in support load.

    I think the best we can do here is encourage the sites we use to implement standards compliant TOTP, so that any authenticator app can generate the codes.

    Ben

This discussion has been closed.