Dear Steam: Use fucking standard 2FA so I can put it into 1password. WTF. Seriously. W.T.F. You made $3b last year. I'm sure you can hire a programmer to do this. It's a solved problem.
@grumpygamer added bonus that I cannot remember which partner site to go to and so I always have to do the stupid email validation twice
@grumpygamer RFC 6238! A shining beacon of interoperability. I was shocked to find that I could persuade Microsoft to let me use RFC 6238 time-based 2FA to sign into stuff.
@grumpygamer But noooo, we HAVE to download their app...

@grumpygamer You're accessing steam from a new device, please enter the code.

*opens e-mail*
*enters 2FA for e-mail*
*copies code*
*enters code*
*forgets remember me on the PC*

Damnit!

@grumpygamer For anyone wondering why and how #Valve is operating and thus also working on #Steam I'll leave a great documentary by #PeopleMakeGames here:

https://youtu.be/s9aCwCKgkLo

The issue is #StackRating, everyone rating each other. And everyone can freely choose what to work on. This leads to people trying to do "meaningful" tasks to leave an impression on the rest of the group. Might also lead to some doing tedious work to be noticeable. But doesn't seem to elevate what's best for users.

@grumpygamer but then you wouldn't have any reason to install the steam app!
@grumpygamer but ron i love waiting 15 min for an email that may or may not hit my spam folder
@grumpygamer They can't reliably handle 3D Secure card payments on mobile for several years already, so I wouldn't hold my breath about this one either :(

@Mazurek64

Ah lol and I thought it’s just me/my bank/my card. Tried to buy a Steamdeck from app (silly me) - failed and had ~400eur blocked on my card for the next weeks.

@grumpygamer

@grumpygamer
They also added the “push notification to mobile app” as well as the “scan QR code from mobile app” to authenticate, which are quite clever and avoid mistyping.

These are when logging in to the Steam client but maybe they also apply on the website.

Real nuisance for the kids because they don’t have their own phones to put the app on.

@futuresprog It's also a nuisance for people like me that don't carry their phone next to them all day long. 1password does everything automatically.

@grumpygamer
I’m a big user of 1Password. It’s great stuff and its support for TOTP is fantastic.

Steam found early on that gamers would grief each other and try to steal accounts so for a while they were at the forefront of MFA and preventing Account takeovers, but now they’re looking a bit tired.

@grumpygamer And when we’re at it: Not just TOTP but also FIDO2 please.
@grumpygamer This, and also it would allow me to uninstall the mobile app that I need on the phone for 2FA which also captures links whenever I click a Steam URL and half the time shows the Steam front page. I just want to use my web browser to browse a website. (Arguably this is an Android problem for allowing apps to do this without user choice.)
@mgiuca @grumpygamer you can disable open by default for a specific app at least in Android 13, sadly it is not possible to just disable specific url patterns
@kelvan I dunno, I have "don't allow app to open links" and it still does. I think that only applies to third party links.
@mgiuca do you have stock android or a manufacturer branded one?
@kelvan Pixel 6 with no funny business.
@mgiuca strange, it's different on my Nokia, funny how "pure" Androids differ and change all the time 🙄
Of course it's easier to change some pixel with every version instead of bugfixes and new features 😅

@grumpygamer I don't know if 1password can do it, but Bitwarden and Yubico Authenticator can.

The hard part is extracting the secret - you either have to register using the desktop authenticator to get your secret, or do a bunch of downgrading and adb backup shenanigans in order to extract it from android.

https://old.reddit.com/r/Bitwarden/comments/a67c1n/steam_authenticator_supported_not_sure_how_to/ebunt81/

@Jademalo @grumpygamer Nice! That should work with any app that supports TOTP (incl. the major browsers). I’m still wary of such an unofficial solution since I don’t want to be locked out of my account when Valve decides to change something.
@grumpygamer I'm not a fan of keeping my 2FA codes right next to my passwords in 1Password or equivalent. I know it's generally safe - but that just means nobody has breached it *yet*. And *if* someone gets in, they have *everything*. I prefer a degree of separation of my auth factors.

@rainynight65 you only have two factors if the code generator is never on the same device as your passwords. If you have a second app, cool, but if it’s on your phone alongside 1Password, you have two-step authentication, not two-factor.

The true value of two-step or two-factor is when databases get breached that leak your password. If someone has gotten into your password safe, you’re not going to be saving very much of your online presence, two-factor codes or not.

@sdjmchattie which is why I use a physical second factor wherever it is possible. And something like a Yubikey can also be used to store OTP tokens.
@grumpygamer legit question. Why would you want to put a 2fa code right next to your other auth factor? Doesn’t that still just make it single factor?
@deedasmi nope. It’s still 2fa unless someone steals your phone. And even then it’s locked behind Face ID.
@deedasmi @grumpygamer It’s still two factors: 1. Something you own (the device where your TOTP tokens are generated), 2. Something you know (your Steam password)
@melgu @grumpygamer Ah. I misunderstood. I don’t know my Steam password. Assumed that was also in password manager. I never put my 2fa in 1Password because, well, the passwords are there.
@deedasmi @grumpygamer I don’t use 1Password, but I can speak for how Apple handles the topic. There it’s:
1. Something you have (the device where the service password and TOTP secret or FIDO token are stored)
2. Something you know (the device password)
Alternatively 2. Something you are (biometric authentication)
@deedasmi @grumpygamer So depending on how 1Password handles new devices, the factors could be the same (just with the master password instead of the device password).
@grumpygamer Valve doing something? Are you new here?

@grumpygamer Valve has this weird corporate structure that basically prevents them from growing to the point where they can support their products properly.

They run three live service games, one of the biggest game stores, a hardware department with a custom operating system, all with 300 employees.
So yeah, maintenance isn't a huge thing for them.

@grumpygamer They couldn't hire someone to test it with a screen magnifier either. Every single time I move the zoomed view now it doesn't just take the focus away from chat etc windows, it puts them under the main steam window. It's an exercise in pure frustration.