I wish they would just use a standard OTP algorithm and I could easily use any auth app instead of a dedicated one
KeepassXC (a PC application) has a preset for Steam OTP parameters, if your Android/iOS app of choice allows you to use non-standard parameters I guess it should be possible to use them?
The only somewhat painful part for me was actually getting the OTP secret.
I finally managed to extract the OTP secret.
OMG, WTF. So needlessly hard. If Epic Store did the same as Valve for their OTP, the forums would be filled with hate and outrage.
Thank you for this tip! I saw your comment and I checked my 2FA app, Aegis, and it has a "Steam" option as well!
(When creating an entry, you can just select "Type: Steam" instead of "TOTP")
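What the "Steam" entry type discussed above changes relative to plain TOTP, as an added example that is not part of the original thread: the HMAC-SHA1 time-step core is the same as RFC 6238, and only the final encoding differs. The 5-character, 26-symbol Steam encoding below is an assumption taken from how open-source authenticators commonly implement it (the thread does not state it); the key is the public RFC 6238 test key, not a real secret.

```python
import hashlib
import hmac
import struct

# Assumed Steam Guard alphabet (26 symbols, no vowels or look-alike characters).
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def truncated_hmac(secret: bytes, unix_time: int, period: int = 30) -> int:
    """Shared core: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // period)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # low nibble of last byte selects the window
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def standard_totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 output: the truncated value reduced to decimal digits."""
    return str(truncated_hmac(secret, unix_time) % 10 ** digits).zfill(digits)


def steam_code(secret: bytes, unix_time: int, length: int = 5) -> str:
    """Steam-style output: the same value written in base 26, low digit first."""
    value = truncated_hmac(secret, unix_time)
    chars = []
    for _ in range(length):
        value, index = divmod(value, len(STEAM_ALPHABET))
        chars.append(STEAM_ALPHABET[index])
    return "".join(chars)


# Public RFC 6238 test key, used here only as constructed sample input.
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    t = 59  # RFC 6238 test time, falls in time step 1
    print("standard TOTP:", standard_totp(RFC_TEST_KEY, t))
    print("Steam-style  :", steam_code(RFC_TEST_KEY, t))
```

An app without a Steam preset computes the right HMAC but renders it as digits, which is why the code it shows is rejected.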
Try the recovery codes would be what I’d do
Maybe try the I no longer have access to the “I no longer have access” button, unless the only option there related to point 1
If all else fails you could contact customer support
All options eventually led to customer support. So now I'm waiting for Steam to give me permission to access my games. It's frustrating that I can know my password and can access the email connected to the account. But for some reason that's not enough.
That's the point of real 2fa. And the process of activating it also makes it very clear. I find it incredibly frustrating when I activate 2fa on some service, and they allow email as a fallback that I can't turn off. Cause that turns it back into single factor, being the email. That's what the recovery codes are for.
Otherwise, if someone has access to your email, they can just reset the password and get access (cause that is the 2nd factor). Then they can change the associated email address and that's that.
How is it not 2fa if it involves any method besides your password? Your password is factor 1, something else is factor 2. That can be a number of things.
Reset password via email. Reset second factor via email. Email is the only factor, neither password nor the 2fa.
Usually, the actual login is not the easiest target for an attacker, the recovery methods are. You call a helpline to get a second SIM for SMS codes. You guess (or dig up) answers to recovery questions if available. You get access to email accounts, e.g. via phishing.
If a recovery path for a security factor is weak, it ceases to be a security factor. By allowing both password and the second factor to be recoverable via email, both factors collapse into one: get access to the email and you're in.
Like Randelung said, that would be true if you couldn't reset your password via email. But as long as that's possible the email can't ever be the 2nd factor because it can be used to (re)set the 1st one.
A safer definition of what the 2 factors should be is "something you know" and "something you own". The "know" is usually a password (which you can remember, but you should use a password manager these days so you can have a different password for every service). The "own" is typically a phone these days (generating a timed code, for example). But it doesn't have to be, it can be a physical USB dongle or your fingerprint. The idea is that it's something that can't be overheard, or recorded via key logger or even told to someone.
Steam does this better (as in safer) than most.
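The "factors collapse into one" argument from the comments above, worked as a small threat-model check (an added example, not part of the original thread). The two recovery policies and all asset names are constructed for illustration; the function reports the smallest sets of stolen assets that are enough to log in once recovery paths are followed.

```python
from itertools import combinations


def reachable(held, recovery):
    """Everything obtainable from `held` by repeatedly using recovery paths."""
    got = set(held)
    changed = True
    while changed:
        changed = False
        for target, paths in recovery.items():
            # A path is a list of assets that together reset `target`.
            if target not in got and any(set(p) <= got for p in paths):
                got.add(target)
                changed = True
    return got


def minimal_compromises(login_needs, recovery, assets):
    """Smallest sets of assets whose compromise satisfies the login check."""
    for size in range(1, len(assets) + 1):
        hits = [set(combo) for combo in combinations(sorted(assets), size)
                if set(login_needs) <= reachable(combo, recovery)]
        if hits:
            return hits
    return []


# Constructed model: login needs a password and a TOTP code.
ASSETS = {"password", "totp", "email", "recovery_codes"}
LOGIN = {"password", "totp"}

# Policy A: email can reset both the password and the second factor.
EMAIL_RESETS_BOTH = {"password": [["email"]], "totp": [["email"]]}
# Policy B: email resets the password only; the second factor needs recovery codes.
CODES_ONLY = {"password": [["email"]], "totp": [["recovery_codes"]]}

if __name__ == "__main__":
    print("A:", minimal_compromises(LOGIN, EMAIL_RESETS_BOTH, ASSETS))
    print("B:", minimal_compromises(LOGIN, CODES_ONLY, ASSETS))
```

Under policy A the answer is the mailbox alone; under policy B every sufficient set contains two independent assets.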
I think they got the hug of death when the Winter sale started.
Steamguard blocked me from logging into my account because one of my devices is connected to a VPN (different country) and the other one isn't. What's the point of a security feature if it can't distinguish between a legitimate login and an attacker? I'm not using Steamguard anymore. Would rather enter a code from my email. Just dumb implementation tbh.