Steam Guard support

Hey folks. Something I've been trying to do lately is consolidating all my 2FA within the 1Password app. Two main longstanding apps that got in the way of that were the Battle.net Authenticator from Blizzard, and Steam Guard from Valve.

Today I finally found a workaround for the first. I deactivated my Authenticator from my phone, installed WinAuth on my computer, generated an Authenticator app within it and verified it with Blizzard, then exported the Authenticator app information from WinAuth in plaintext. I then took the whole otpauth://totp/BattleNet:Battle.net secret URL and pasted it in 1Password's One-Time Password field, and received back a functioning, correct code that helps me login to my account. Great!

I tried to replicate this with Steam Guard, but:
1) The 1Password code generator correctly recognizes that the output is 5 characters long.
2) It outputs numbers instead of letters.

I'm aware that this is an extremely rare use-case scenario, but can the app be updated to support Steam Guard (or character string based 2FA outputs)?


1Password Version: 7.2.581
Extension Version: 4.7.3.90
OS Version: Windows 10 Build 1803
Sync Type: 1Password.com

Comments

  • Hey, @clappingcactus! Much though I'd love to say yes (I hate having any 2FA outside of 1PW and SteamGuard bugs me too), I don't think this is something we're likely to do. For one, given the letters, it sounds like Steam may use something other than TOTP (HOTP, maybe? That's another popular one) and we only support TOTP in 1Password. In addition, Steam really wants you to just use SteamGuard. Yes, it's your choice to put in some extra effort to work around this and, if you manage it, we're not going to stop you but! We really can't account for how Steam will react to this. How much does their system for recovering your account if you lose your authenticator device depend on you having used SteamGuard specifically, for example? Will you get locked out if you store it in 1Password instead? We just can't say we support using 1Password for TOTP when the account you're protecting doesn't support it.

    All of that said, I'd be more than happy to pass your feedback along to the team, and I sincerely hope Steam and Blizzard both open up 2FA to whatever app you'd like to use one day. I've had to swap my Battle.net Authenticator between phones often enough, I'm well acquainted with that struggle and wouldn't wish it on anyone. Here's hoping! 🙏

  • clappingcactus
    Community Member

    Hi @bundtkate,

    First of all, thanks for the super prompt response (at 5pm nonetheless).

    Steam provides recovery codes (up to 20 of them) that can be used from within their app in case the 2FA fails. I'd hyperlink where the functionality is, but I think it's steam-desktop-client only to generate those. So adding the functionality to 1Password, especially in scenarios where the end-user is technical enough to use a workaround, shouldn't in effect really cause a significant overlap between people who go this roundabout method, and people who are careless enough not to have their backup codes on hand.

    That said, the plaintext export from WinAuth lists the Steam Guard info as follows: "otpauth://totp/Steam:Steam?secret=", so I think it might not actually be HOTP? That said, I'm not a coder and could well be wrong.

    Haha, much as I hope with you that Blizzard and Valve change their policy, I don't know if it will ever happen, given that providing users with added security is only a secondary goal to having their own apps.

  • I'm not a coder and could well be wrong.

    That makes two of us, @clappingcactus, don't worry. You are definitely not alone. :lol: Honest, I'm guessing at best re: both companies' motivations for trying to keep things proprietary and that answer may be of no relevance in the end. If they do use standard TOTP and the workaround is generating a proper URL (URI? My non-coder is showing here) for you, then it honestly should work fine with 1Password out of the box. Standard disclaimer about the site not supporting using a non-proprietary app meaning weird things could happen still applies, but as I said before, I'm not one to stop folks from taking risks they understand and want to take.

    Absent additional knowledge about WinAuth and the underlying design of Steam's TOTP, I'm not sure I'd personally be of much further help, but if anyone would have some insight here, I'd think @rickfillion would be a good bet. I'm sure he's off the grid for the day, but he may catch a moment tomorrow to share his better-informed thoughts. :chuffed:

  • @clappingcactus: So I had a chat with a few folks about this and the short version is that unless Blizzard and Steam decide to make this easier for us, we're not going to be dedicating resources to making 1Password work for something it's technically not intended to. I wholly understand and respect the fact that having tons of different authenticator apps for different things is a giant pain and hate it as much as anyone, but the fact of the matter is that very few folks are going to go out of their way as you have to work around this. It would be extremely difficult to make changes to 1Password to support these OTPs when Steam and Blizzard are most certainly not going to want to help and have actively put obstacles in our way.

    I'm sorry I don't have better news for you, but I do still have my fingers crossed this won't be a permanent frustration. 🤞

  • clappingcactus
    Community Member

    Thanks for asking and replying @bundtkate :) One day!

  • It's no trouble at all, @clappingcactus. :chuffed: I try to keep the apps I use on my phone to a single page when possible, so you can imagine I'd be particularly delighted to be able to ditch a few. :wink: Here's hoping!

  • soulflyman
    Community Member

    Someone here in the forum suggested that it is also a TOTP but with another alphabet (can't find the posting anymore).
    However, I have not looked into it in detail, but the code for how it is done is open source:
    https://github.com/DoctorMcKay/steam-twofactor-server

    Maybe the 1password team will integrate this, so we can remove one more app from our phones.

  • Greg
    1Password Alumni

    Hi @soulflyman,

    If Valve or Blizzard want you to use their official apps (SteamGuard and Battle.net Authenticator) and have no interest in supporting third-party authenticator apps for their services, I do not think that we will support it. Please see the reply from Kate above. Thanks! :+1:

    Cheers,
    Greg

  • AsParallel
    Community Member
    edited December 2019

    Late reply, and I'm sure this is low priority, but the algo needed to transform steam secrets into TOTP can be found here:
    https://github.com/fortis/go-steam-totp/blob/master/steam_totp.go

    Obviously this would entail 1password having enough access to obtain said secret, so it's probably not feasible given the application delivery mechanism and usability standards.

  • Thanks for sharing, @AsParallel. As you noted, we're definitely not about having the sort of access that would allow us to obtain any of your secrets. And, regardless, it really boils down to what Greg and I both discussed earlier – if a given account has put restrictions into place in an effort to force you to use a proprietary authenticator app, whether or not they've succeeded completely, we're not comfortable intervening there. For folks with sufficient technical knowledge to make this work in 1Password, there are options and we're certainly not going to stop y'all from using them, but Steam, etc. are going to assume that you're using the app they want you to (and not without reason). This means you're putting yourself at some risk that they'll change something and cause your OTP to stop working. It's obviously your choice to take that risk, but we shouldn't be making that choice for folks so we're almost certain to leave it up to y'all unless and until these sites/accounts change their policy.

  • Dan_Aykroyd
    Community Member

    Hi,

    Steam is the biggest company in PC gaming (and beyond), with millions of users. Other competing products to yours (which are even free), like Bitwarden, KeePass and Keeweb, already support generating OTP codes that use letters (instead of just numbers like yours), which can be used for Steam completely transparently. Since the URI is exactly the same as with other OTP schemes, you only paste the otpauth://totp/Steam?secret=X12345678X and they start outputting OTPs including letters, while your OTP generator only outputs numbers.

    Are you still not considering supporting letter generation for OTPs? It's not only for supporting Steam (which should be enough, considering its popularity and that your competitors have been doing this since 2018), but for all the other OTPs from services using the same scheme.

    Thanks.

  • ag_ana
    1Password Alumni

    @Dan_Aykroyd:

    Nothing changed since the last time we discussed this. We appreciate you taking the time to share your feedback with us though! :+1:

  • Dan_Aykroyd
    Community Member

    OK then, hopefully one day you will reconsider this.

    For anybody interested in doing this, I'm falling back to the following workaround using a free password manager that actually supports this (KeeWeb) to generate OTPs for the Steam entry when needed. It's the fastest way I've found yet and allows me to remove the Steam app from my phone:

    • Keep the Steam otpauth URI in 1Password saved as a text field
    • When prompted to enter the OTP by Steam, go to https://app.keeweb.info, click New, click + New Entry and paste the otpauth URI that you kept saved in 1Password into a new field named otp (this exact name is needed so KeeWeb knows it needs to generate an OTP from the URI you paste there, instead of saving it as plain text)
    • Once you focus out of that field, you will get the token ready to copy and paste in Steam. Just copy it by clicking on the field name

    This is really fast, takes less than a minute to achieve, and KeeWeb is free and open-source (it runs in your browser purely on JavaScript), so it doesn't require creating a new account or anything to start using it right away. Hopefully 1Password will support Steam one day, so we don't have to jump through hoops to achieve what we have been able to do with other free password managers for quite some time.

    Creating Entry in KeeWeb

    Viewing Steam OTP in KeeWeb

  • ag_ana
    1Password Alumni

    @Dan_Aykroyd:

    Isn't this more complicated and slower than just using the Steam authenticator app?

    From a security point of view, we also cannot recommend pasting your 2FA secret on an external website, so this workaround is not something that we can endorse.

  • Dan_Aykroyd
    Community Member

    For me it's better to do it like this instead of keeping another app draining battery while waiting to receive push notifications just to confirm once per month that I'm logging in to the Steam website.

    Regarding pasting the secret you are right about doubting, so it will be the decision of whoever wants to do this. KeeWeb is a known password manager that is open-source (so anybody could take a look at what's going on under the hood), but this can also be achieved on other well-known password managers like KeePass (also open-source; KeeWeb forked from this) or BitWarden (freemium) if preferred. And also, we are just pasting a random secret not tied to any username/password for the algorithm to generate the token, so it's useless by itself if somebody gets a hold of it.

  • ag_ana
    1Password Alumni

    @Dan_Aykroyd:

    For me it's better to do it like this instead of keeping another app draining battery while waiting to receive push notifications just to confirm once per month that I'm logging in to the Steam website.

    Got it, I understand.

    Regarding pasting the secret you are right about doubting, so it will be the decision of whoever wants to do this.

    I totally agree, I just thought it would be a good thing to clarify that this is not an officially supported solution from our side. If the Steam authenticator doesn't follow the TOTP standard and implements its own solution, we recommend using the Steam authenticator app for this :+1:

  • SanityFox
    Community Member

    I'm onboard with working around the Steam phone app. Their app blows, uses lots of battery, constantly forgets the login information, and is basically a pointless app with only one function - SteamGuard. I'd love to have a method for not using it. It's infuriating that a company like Steam, that built its dominance through ease of use is completely pooping on that and forcing us into their ecosystem unnecessarily. I get that I'm in a minority here, but oh I would love it if 1password could provide like a "non-approved beta feature" for advanced users.

  • ag_ana
    1Password Alumni

    We appreciate your feedback about this @SanityFox, thank you for taking the time to share your thoughts :)

  • msxtj
    Community Member

    @Dan_Aykroyd :

    Can you please explain step by step how to do this? I could not find an easy way to get the URI.

    This is what I have. It's a bit of a mystery right now how to get the URI.

  • msxtj
    Community Member

    Okay, I managed to figure this out. I used https://github.com/Jessecar96/SteamDesktopAuthenticator to get the otpauth.

    Seriously, 1Password could use this code and enable that for advanced users (enabled as an optional feature buried in settings with disclaimers that this feature is not officially supported. We are okay with that).

    In any case, Steam provides official Backup codes that can be saved in 1Password and used in case something changes with the OTP mechanism.

    So, please Agilebits, do something and please please step up your game!

  • ag_ana
    1Password Alumni

    @msxtj:

    Thank you for the update! I am glad to hear you managed to get this figured out already. And thank you for your feedback as well :+1:

  • msxtj
    Community Member

    @ag_ana : Probably not the response I expected.

    Right now, 1Password OTP understands only numbers. A step-up effort would be to enable 1Password to also print out alphanumeric ones. It is the same otpauth code. In 1Password, I get 6 digits, but with the same otpauth in KeeWeb, I get the correct alphanumeric one that works in Steam.

    otpauth example: otpauth://totp/Steam:MyUserName?secret=MYSECRETCODE1234567890XXXYYY&issuer=Steam

    Like other users said, you could enable it for us in some "Advanced settings", with the disclaimer that this feature is not officially supported. This offloads any customer complaints from you in case things go awry. [Users are generally safe anyway with the official Revocation code and Backup codes that Steam provides.]

    What I'd like to hear is not "thanks for your feedback", but rather "we are listening to our users, and we will look into catching up with our competition". BitWarden and KeeWeb work, as I can confirm. Maybe there are others too that work.
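    The scheme the thread keeps circling (soulflyman's "TOTP but with another alphabet", AsParallel's linked secret-to-code transformation, and msxtj's observation that the same otpauth URI yields 6 digits in one app and a 5-character code in another), as an added worked example that is not code from the page, from 1Password, or from any of the linked projects. It assumes the widely documented Steam Guard construction: the standard RFC 4226 HMAC-SHA1 dynamic truncation over a 30-second counter, and then, instead of reducing the truncated value modulo 10^6, five rounds of modulo 26 over a fixed 26-symbol alphabet. The URI, the base32 secret (the RFC 6238 SHA-1 test key) and the dispatch on issuer=Steam are constructed for the demonstration; real managers use their own way of marking a Steam entry.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example URI; the secret is the RFC 6238 SHA-1 test key
# "12345678901234567890" in base32, not a real Steam secret.
EXAMPLE_URI = ("otpauth://totp/Steam:alice?secret="
               "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Steam")

# Assumed Steam Guard alphabet: 26 symbols, no 0/1/A/E/I/L/O/S/U/Z.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def parse_otpauth(uri):
    """Split an otpauth://totp/<label>?secret=...&issuer=... URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("expected an otpauth://totp/ URI")
    query = parse_qs(parts.query)
    secret = query.get("secret", [""])[0]
    if not secret:
        raise ValueError("URI has no secret parameter")
    label = unquote(parts.path.lstrip("/"))
    # issuer falls back to the "Issuer:" prefix of the label when absent
    issuer = query.get("issuer", [label.split(":", 1)[0]])[0]
    return label, secret, issuer


def hotp_truncate(secret_b32, counter):
    """RFC 4226 HMAC-SHA1 plus dynamic truncation: returns the 31-bit integer."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def totp_digits(secret_b32, timestamp, digits=6, period=30):
    """Standard TOTP: the truncated value modulo 10^digits, zero-padded."""
    value = hotp_truncate(secret_b32, timestamp // period)
    return str(value % 10 ** digits).zfill(digits)


def steam_code(secret_b32, timestamp, period=30):
    """Steam Guard variant: same truncated value, five modulo-26 rounds."""
    value = hotp_truncate(secret_b32, timestamp // period)
    code = []
    for _ in range(5):
        code.append(STEAM_ALPHABET[value % len(STEAM_ALPHABET)])
        value //= len(STEAM_ALPHABET)
    return "".join(code)


def code_for_uri(uri, timestamp=None):
    """Use the Steam encoding when the issuer is Steam, else plain 6-digit TOTP."""
    _label, secret, issuer = parse_otpauth(uri)
    if timestamp is None:
        timestamp = int(time.time())
    if issuer.lower() == "steam":
        return steam_code(secret, timestamp)
    return totp_digits(secret, timestamp)


if __name__ == "__main__":
    # At T=59 the RFC 6238 vector gives 287082; the Steam encoding of the
    # same truncated value (1094287082) is PV9M4.
    print(totp_digits("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 59))
    print(code_for_uri(EXAMPLE_URI, 59))
```

    The point the two functions make side by side is the one msxtj describes: both apps are computing the same HMAC and the same truncated integer, and the only difference is the final encoding step, which is why a generator that hard-codes the modulo-10^n step prints six digits for a Steam entry. Note that the secret inside the URI is the same shared secret the Steam app holds, so wherever it is kept it should be stored as a secret field, not a plain note, and any place it is pasted can mint valid codes.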

  • ag_ana
    1Password Alumni
    edited June 2020

    @msxtj:

    We are always listening to feedback, so we really appreciate that you are taking the time to share your thoughts about this. You would not do it if you weren't so passionate about 1Password, and for that we are very grateful :)

    In this specific case however, as per bundtkate's message above and in this other discussion you also commented on, this is not something we plan to do unless things change on the Steam side. We will certainly continue evaluating the situation as it evolves, but I think it's fair not to give you false hopes.

  • msxtj
    Community Member
    edited June 2020

    @ag_ana :

    Can Agilebits do some research on how the competition is able to do it?

    - the above is a screenshot of a post from a Bitwarden moderator.

    Source URL: https://community.bitwarden.com/t/steam-totp-support/988/6

    Somehow Bitwarden was able to understand Steam's OTP protocol and they implemented it. What kind of expertise is Agilebits lacking to do something like that? Maybe the community could help.

  • ag_ana
    1Password Alumni

    @msxtj:

    It is not a technical problem: we are aware of how to do this, but as we explained in this discussion a few times, we decided not to implement it. If Steam wants you to use their app, I think we should respect their decision.

    So to answer your question: it's not a technical problem, but a company decision.

    Once again, please allow me to link to bundtkate's message above and to this other discussion you also commented on in case you want to read the details.

  • johnpetts
    Community Member

    Just to leave my 'two cents' in here - firstly, thanks for your responses @ag_ana. I really like how responsive this company is. I just wanted to say that it's disappointing that there has been a 'company decision' made here, which apparently seems to be for the benefit of Valve rather than your users. I may be being naive here, but last time I checked, it's the users who are paying for your service and who would like 1Password to be their one-and-only authenticator. We make that decision again every time we renew our subscriptions, and when buying into a subscription model, users expect that the service will continue to evolve to meet their needs. It's clear that the technology to implement Steam Guard compatibility is actually quite trivial, so once again I feel I need to ask, why have you prioritised avoiding hurting Valve's feelings over delivering features to your users? Several other users have suggested that simply hiding this feature in an 'advanced' group of features would help to avoid any potential confusion around the 'unsupported' nature of how Steam Guard works.

  • ag_ana
    1Password Alumni

    @johnpetts:

    Just to leave my 'two cents' in here - firstly, thanks for your responses @ag_ana. I really like how responsive this company is.

    You are welcome! And thank you as well for the discussion :)

    It's clear that the technology to implement Steam Guard compatibility is actually quite trivial, so once again I feel I need to ask, why have you prioritised avoiding hurting Valve's feelings over delivering features to your users?

    I think bundtkate explained this best in her post above, which I am quoting here for your convenience:

    For folks with sufficient technical knowledge to make this work in 1Password, there are options and we're certainly not going to stop y'all from using them, but Steam, etc. are going to assume that you're using the app they want you to (and not without reason). This means you're putting yourself at some risk that they'll change something and cause your OTP to stop working. It's obviously your choice to take that risk, but we shouldn't be making that choice for folks so we're almost certain to leave it up to y'all unless and until these sites/accounts change their policy.

  • Kotoki1337
    Community Member
    edited September 2020

    Has anyone considered importing a .maFile file? Many unofficial Steam Guard programs use this file to save account information, and many open-source projects use it, including SDA, and even the famous ASF supports it. I am really looking forward to 1Password supporting the import of .maFile files. After I input the account password through 1Password, I also need to open SDA to input the one-time password, which is really troublesome. Hope you guys can consider this feature request.

  • Hey @Kotoki1337

    As @ag_ana mentioned above, we are aware of how to do this, but as we explained in this discussion a few times, we decided not to implement it. If Steam wants you to use their app, I think we should respect their decision.

    This is not something we plan to do unless things change on the Steam side. We will certainly continue evaluating the situation as it evolves, but I think it's fair not to give you false hopes.

This discussion has been closed.