Support the steam-style OTP

BXIA
Community Member

Hello!

I tried to add Steam to my 1Password, but it fails. I manually entered otpauth://totp/Steam:myusername?secret=K7K3J64JZQJMKUDGIHTM5BRZMNO3UDLV&issuer=Steam into 1P; the outcome is a 6-digit integer, not the predicted 6-digit combination of letters and integers.

Steam uses the same algorithm, but a different implementation, which means 1P can definitely implement it in future releases.

Thank you. Can't wait to see 1P support more OTP styles.

BTW, the above authentication URL is deactivated. Feel free.



Comments

  • BXIA
    Community Member

    Hello, can an AgileBits staff member look at this? Thank you.

  • BXIA
    Community Member

    Is anyone here?

  • AGAlumB
    1Password Alumni

    @BXIA: Yep! Sorry for the delay! We try to reply to messages on a first-come-first-served basis, but it can be difficult to tell at a glance that you've been waiting when the date of the most recent post keeps changing. ;)

    This is certainly something to consider for a future version of 1Password, but I'm not sure that it's feasible to support all of the various proprietary one-time password implementations. 1Password supports the TOTP standard, which, as far as I can tell, specifies digits only in the RFC, which is why this doesn't work in 1Password already: Steam seems to be going their own way. I'm glad to know this is available though, as I thought the only option was email.

    Additionally, I'm not able to find an OTP secret for my Steam account in the first place, which certainly complicates things. Can you tell me where you're getting it from? This is the only "Steam Guard" settings page I could find, and it just sends me to the app:

    https://store.steampowered.com/twofactor/manage

    I'd appreciate if you could clarify this for me. Thanks in advance! :)

  • BXIA
    Community Member

    @brenty This token can be found in many ways: a rooted Android device, the WinAuth application or steam-totp-node on GitHub. Basically all they do is pretend to be an Android device to get the key.
    As long as you have the key, it is really easy to get the token value. I did it with fewer than 30 lines of Python.
    I do not think 1Password will add the simulating feature just to get the keys for Steam, but as long as users have the key, it can be really easy to derive the token.
    By the way, as far as I know, the RFC doesn't specify the method used by vendors. The standard we are using is the Google Authenticator standard, to my knowledge.

  • AGAlumB
    1Password Alumni

    "This token can be found in many ways: a rooted Android device, the WinAuth application or steam-totp-node on GitHub. Basically all they do is pretend to be an Android device to get the key.

    As long as you have the key, it is really easy to get the token value. I did it with fewer than 30 lines of Python."

    @BXIA: Oh. That seems a bit onerous. I can't imagine most people would do that to try to use Steam with 1Password. So it seems like, at least while Steam doesn't actually support using 3rd party clients to generate OTP codes, it might not make much sense to try to support that.

    "By the way, as far as I know, the RFC doesn't specify the method used by vendors. The standard we are using is the Google Authenticator standard, to my knowledge."

    Google (like Dropbox and a number of other providers) is using the TOTP standard, which is why we can use 1Password with Google accounts. They also give the user the option of using the TOTP secret with the app of their choice, presumably because there's some expectation of interoperability due to using an industry standard.

This discussion has been closed.
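
The difference discussed in this thread, as an added example that is not part of the original posts and is not 1Password's or Steam's code: both schemes share the RFC 4226/6238 HMAC-SHA1 step and dynamic truncation, and differ only in how the truncated 31-bit value is rendered. The Steam alphabet and 5-character length are assumptions taken from community implementations such as steam-totp, not from this page; the function names are hypothetical and the demo secret is the RFC test secret.

```python
import base64
import hashlib
import hmac
import struct

# Assumption: alphabet and code length as used by community Steam Guard
# implementations (e.g. steam-totp); neither is stated on this page.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def secret_from_base32(b32: str) -> bytes:
    """Decode the secret= parameter of an otpauth:// URI (unpadded base32)."""
    b32 = b32.strip().upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def truncated_value(secret: bytes, counter: int) -> int:
    """Shared step: HMAC-SHA1 over the counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF


def rfc_digits(value: int, digits: int = 6) -> str:
    """Standard rendering: decimal digits only, left-padded with zeros."""
    return str(value % 10 ** digits).zfill(digits)


def steam_chars(value: int, length: int = 5) -> str:
    """Steam-style rendering: repeated divmod into a 26-symbol alphabet."""
    out = []
    for _ in range(length):
        value, idx = divmod(value, len(STEAM_ALPHABET))
        out.append(STEAM_ALPHABET[idx])
    return "".join(out)


def codes_at(secret: bytes, unix_time: int, step: int = 30) -> tuple:
    """Return (standard TOTP code, Steam-style code) for the same time step."""
    value = truncated_value(secret, int(unix_time) // step)
    return rfc_digits(value), steam_chars(value)


if __name__ == "__main__":
    # Constructed demo input: the RFC 4226/6238 test secret, base32-encoded.
    demo = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(codes_at(demo, 59))
```

A client that only implements `rfc_digits` shows a valid-looking numeric code for a Steam secret, which matches the behaviour reported in the first post.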