Jump to content
Search In
  • More options...
Find results that contain...
Find results in...
D13H4RD

I wonder if Valve actually understands security...

Recommended Posts

Posted · Original PosterOP

This has been on my mind ever since Valve basically made it a requirement to use the Mobile Authenticator for trading items amongst other things.

 

This isn't a big deal to me. I've used Google Authenticator and Facebook's own and recently made the switch to Authy so that I can have them all-in-one.

 

But one thing struck out to me; The app shows your authentication code right on the lockscreen, regardless if it has a secure lock and it is not treated as "sensitive content" by Android

 

No authenticator ever shows a notification with your actual code, and if they do, it just says "Tap here to get your code".

 

To make matters even more damning, I use a Galaxy Note8 now and have put my authenticators in the Secure Folder. Normally, every notification from apps within that folder require granting access to that folder before it could be read. Well, I don't know why or how, but the Steam app ALSO shows your code from that secure folder without it even unlocking.

 

I don't know how this has gone unnoticed for the past 2 years, despite me writing it to them.


The Workhorse

R7 3700X | RTX 2070 Super | 32GB DDR4-3200 | 512GB SX8200P + 2TB 7200RPM Barracuda Compute | Windows 10 Pro

 

The Portable Station

Core i7 7700H | GTX 1060 | 8GB DDR4-2400 | 128GB SSD + 1TB HGST | Windows 10

 

Samsung Galaxy Note8 SM-N950F

Exynos 8895 ARM Mali G71 MP20 | 6GB LPDDR4 | 64GB internal + 128GB microSD | 6.3" 1440p "Infinity Display" AMOLED | Android Pie 9.0 w/ OneUI

Link to post
Share on other sites

Well the code only lasts for a how ever many seconds and then it’s changes to a new code. So it’s not like if someone sees and writes it’s down that they can do anything with it. It’s like 30 sec or maybe even less then the code expires 

 

ita just like company’s who use SMS to send codes like that, it just pops up as a notification and everyone can see it. Atleast In 90% if the ones I’ve had. I never go in the text to get the code I just read it from the notification and type it in before the notification goes away.

 

I don’t see how valve is different. I think they are pretty good at what they do.


If you want to argue with me, and you probably will please PM me, no need to ruin threads becase you dont like how I am.

 

Ask me how I made 100k selling illegal narcotics!

Spoiler

and you think im joking, Did a lot of wrong to get my money right.

I look up to Larry Hoover.

Your homies loyal 'til the one time you tell 'em no

 

Link to post
Share on other sites

I really wish Valve were competent and could just use third-party authenticators like everybody else. The Steam app is slow and uses up lots of resources on my mostly budget phone, while Google authenticator never runs unless I open the app.

Link to post
Share on other sites
Posted · Original PosterOP
11 minutes ago, Clockwork_princess said:

Well the code only lasts for a how ever many seconds and then it’s changes to a new code. So it’s not like if someone sees and writes it’s down that they can do anything with it. It’s like 30 sec or maybe even less then the code expires 

 

ita just like company’s who use SMS to send codes like that, it just pops up as a notification and everyone can see it. Atleast In 90% if the ones I’ve had. I never go in the text to get the code I just read it from the notification and type it in before the notification goes away.

 

I don’t see how valve is different. I think they are pretty good at what they do.

Isn't that true of Authy too?

 

Regardless, I don't see why it has to be shown on the device's lockscreen.


The Workhorse

R7 3700X | RTX 2070 Super | 32GB DDR4-3200 | 512GB SX8200P + 2TB 7200RPM Barracuda Compute | Windows 10 Pro

 

The Portable Station

Core i7 7700H | GTX 1060 | 8GB DDR4-2400 | 128GB SSD + 1TB HGST | Windows 10

 

Samsung Galaxy Note8 SM-N950F

Exynos 8895 ARM Mali G71 MP20 | 6GB LPDDR4 | 64GB internal + 128GB microSD | 6.3" 1440p "Infinity Display" AMOLED | Android Pie 9.0 w/ OneUI

Link to post
Share on other sites
11 minutes ago, D13H4RD2L1V3 said:

Isn't that true of Authy too?

 

Regardless, I don't see why it has to be shown on the device's lockscreen.

Well In every situation I’ve used steam with I’ve been at my computer with no one around when I log into steam. I really don’t see how it’s an issue even if your in a busy place. Just type the code and your good. If people are looking over your shoulder  or close enough to read a code on your lock screen that’s another issue.

 

But a work around is to go into your device settings and disable lock screen notifications for the steam app. 

 

Ps sorry for typos, still getting used to this IOS keyboard. I’ll try to fix them all 

 


If you want to argue with me, and you probably will please PM me, no need to ruin threads becase you dont like how I am.

 

Ask me how I made 100k selling illegal narcotics!

Spoiler

and you think im joking, Did a lot of wrong to get my money right.

I look up to Larry Hoover.

Your homies loyal 'til the one time you tell 'em no

 

Link to post
Share on other sites
Posted · Original PosterOP
1 minute ago, Clockwork_princess said:

Well I’m every situation I’ve used steam with I’ve been at my computer with no one around when I log into steam. I really don’t see how it’s an issue even if your in a busy place. Just type the code and your good. If people are looking over your shiver or close enough to read a code on your lock screen that’s another issue.

 

But a work around is to go into your device settings and disable lock screen notifications for the steam app. 

 

 

I actually disabled almost all notifications from Steam for this reason.

 

I get it's a convenience thing, but authenticators don't show codes in the lockscreen for a reason.


The Workhorse

R7 3700X | RTX 2070 Super | 32GB DDR4-3200 | 512GB SX8200P + 2TB 7200RPM Barracuda Compute | Windows 10 Pro

 

The Portable Station

Core i7 7700H | GTX 1060 | 8GB DDR4-2400 | 128GB SSD + 1TB HGST | Windows 10

 

Samsung Galaxy Note8 SM-N950F

Exynos 8895 ARM Mali G71 MP20 | 6GB LPDDR4 | 64GB internal + 128GB microSD | 6.3" 1440p "Infinity Display" AMOLED | Android Pie 9.0 w/ OneUI

Link to post
Share on other sites
Just now, D13H4RD2L1V3 said:

I actually disabled almost all notifications from Steam for this reason.

 

I get it's a convenience thing, but authenticators don't show codes in the lockscreen for a reason.

But have you had any real issues becase of it? Have people got into your account becase of it? 

 

I feel like disabling all notifications for it is just counterproductive. Just because you don’t like the lock screen one doesn’t mean you should make it harder by having to boot up an already slow app,

 

The only issue I see isn’t if a person steals your phone. But by the time you know it’s gone I hope you call and deactivate it before the person can realize they can ask for your steam code to log in. But then they would need to know your steam password for the code to even be sent.

 

 


If you want to argue with me, and you probably will please PM me, no need to ruin threads becase you dont like how I am.

 

Ask me how I made 100k selling illegal narcotics!

Spoiler

and you think im joking, Did a lot of wrong to get my money right.

I look up to Larry Hoover.

Your homies loyal 'til the one time you tell 'em no

 

Link to post
Share on other sites
Posted · Original PosterOP
2 hours ago, Clockwork_princess said:

But have you had any real issues becase of it? Have people got into your account becase of it? 

I know I sound silly at this point.

 

But I really feel that at least not treating authentication codes as sensitive content isn't all that secure. I know the reason Valve pushed for it was due to convenience alongside security, but showing your codes in plain view on the lockscreen is, well, not exactly confidence-inspiring.

 

I'm not too worried these days because I recently changed my Steam password into a confusing mumbo-jumbo of numbers, letters and symbols that have zero meaning whatsoever, but I feel that I should at least mention it.


The Workhorse

R7 3700X | RTX 2070 Super | 32GB DDR4-3200 | 512GB SX8200P + 2TB 7200RPM Barracuda Compute | Windows 10 Pro

 

The Portable Station

Core i7 7700H | GTX 1060 | 8GB DDR4-2400 | 128GB SSD + 1TB HGST | Windows 10

 

Samsung Galaxy Note8 SM-N950F

Exynos 8895 ARM Mali G71 MP20 | 6GB LPDDR4 | 64GB internal + 128GB microSD | 6.3" 1440p "Infinity Display" AMOLED | Android Pie 9.0 w/ OneUI

Link to post
Share on other sites
1 hour ago, D13H4RD2L1V3 said:

I know I sound silly at this point.

 

But I really feel that at least not treating authentication codes as sensitive content isn't all that secure.

I do understand what you're saying and I get it, but I think they did it becase they know it will take a situational circumstance to be able to get into the account that way.

but it could just be they dont know how to make a mobile app. when it first came out it was shit and now its just less shit.

 

but i've found vavle to have some of the best security but thats just from my experience not everyone thinks it.  


If you want to argue with me, and you probably will please PM me, no need to ruin threads becase you dont like how I am.

 

Ask me how I made 100k selling illegal narcotics!

Spoiler

and you think im joking, Did a lot of wrong to get my money right.

I look up to Larry Hoover.

Your homies loyal 'til the one time you tell 'em no

 

Link to post
Share on other sites
Posted · Original PosterOP
3 minutes ago, Clockwork_princess said:

but i've found vavle to have some of the best security but thats just from my experience not everyone thinks it.  

Personally, I don't hold Valve in high regards when it comes to security. There was that one incident where part of credit card details was exposed and it took a while for reps to officially communicate. 

 

It's serviceable but in my eye, I think Google and Apple do 2FA in a better fashion than Valve, but that's just my 2 cents.

 

Valve can improve. Whether they're willing to is up to them.


The Workhorse

R7 3700X | RTX 2070 Super | 32GB DDR4-3200 | 512GB SX8200P + 2TB 7200RPM Barracuda Compute | Windows 10 Pro

 

The Portable Station

Core i7 7700H | GTX 1060 | 8GB DDR4-2400 | 128GB SSD + 1TB HGST | Windows 10

 

Samsung Galaxy Note8 SM-N950F

Exynos 8895 ARM Mali G71 MP20 | 6GB LPDDR4 | 64GB internal + 128GB microSD | 6.3" 1440p "Infinity Display" AMOLED | Android Pie 9.0 w/ OneUI

Link to post
Share on other sites

Steams login security is better then my Banks web security. My bank is wells fargo btw. 


Victor F. 

My hobbies include: machining, electronics, radiation, and guns

DESKTOP: CPU: Ryzen 5 3600  Motherboard: Asus ROG B550-I RAM: Corsair Vegenence DDR4-3000 SSD: Samsung 970 Pro GPU: MSI GTX1070 Ti Titanium CASE: NZXT H1

LAPTOP: Apple MacBook Pro i7, 16gb ram, 256gb ssd. (2018 model) 

CAMERA: Panasonic Lumix G85

PHONE: iPhone 7 

DRONE: Dji Mavic Pro

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now


×