Steam guard, how does it know ?

[Thony]

I decided to activate steam guard on my mobile app for better security in case someone wants to get on my acc (spned some money on CSGO so i dont wanna lose that).

What i wonder is: When i launch steam on my PC and enter the password, it asks me for verification code (thats fine) which is generated by steam guard in my smartphone steam app.  

The thing is, im not connected to mobile or wifi network on my phone when i launch the app to get my verification code so how the hell does steam on my PC know im entering the correct code ?

Image from google

[ShadowCaptain]

Its probably some sort of algorithm, like how my bank security code generator is not connected to the internet, yet my online banking knows if I have the correct code or not

[The Cool n00B]

I don't know how Steam Guard generates codes, but maybe it has a few saved to your account and it'll make new ones later? Idk.

[Nexxus]

[Thony]

Its probably some sort of algorithm, like how my bank security code generator is not connected to the internet, yet my online banking knows if I have the correct code or not

Sounds legit but also like something hackers could crack with a little effort. I noticed the codes im getting have a certain pattern to them.

[ShadowCaptain]

Sounds legit but also like something hackers could crack with a little effort. I noticed the codes im getting have a certain pattern to them.

 

its probably super complicated and could be an algorithm created at random specific to your account and then encrypted or something

 

I dunno

[lx_srs]

I decided to activate steam guard on my mobile app for better security in case someone wants to get on my acc (spned some money on CSGO so i dont wanna lose that).

What i wonder is: When i launch steam on my PC and enter the password, it asks me for verification code (thats fine) which is generated by steam guard in my smartphone steam app.  

The thing is, im not connected to mobile or wifi network on my phone when i launch the app to get my verification code so how the hell does steam on my PC know im entering the correct code ?

 

 

Its probably some sort of algorithm, like how my bank security code generator is not connected to the internet, yet my online banking knows if I have the correct code or not

This.  My mom's EMR program used to have a tiny security key on a lanyard that generated codes based on an algorithm that the server also ran.

[Nexxus]

Sounds legit but also like something hackers could crack with a little effort. I noticed the codes im getting have a certain pattern to them.

I wouldn't be concerned. When steam guard was announced Gaben gave out his login details to his account and said go ahead get in, and ya...never happened.

 

I wouldnt be shocked if people are trying to this day

 

edit: try it yourself! gaben@valvesoftware.com, and the password: moolyftw

[ShadowCaptain]

I wouldn't be concerned. When steam guard was announced Gaben gave out his login details to his account and said go ahead get in, and ya...never happened.

 

I wouldnt be shocked if people are trying to this day

 

I think its physically impossible, you can't "hack" it since there is no communication to intercept, 

 

its a very clever system, thats why banks use it

[Samfisher]

Sounds legit but also like something hackers could crack with a little effort. I noticed the codes im getting have a certain pattern to them.

OTP (One Time Passwords) AFAIK have never been successfully cracked before.  Even with the physical device, it has been almost impossible to reverse engineer to get your next codes.  Never heard of anyone successfully doing it either.

[Thony]

I wouldn't be concerned. When steam guard was announced Gaben gave out his login details to his account and said go ahead get in, and ya...never happened.

 

I wouldnt be shocked if people are trying to this day

 

edit: try it yourself! gaben@valvesoftware.com, and the password: moolyftw

Either he trusts the system so much or he just trolled the world

But the idea of having such balls amazes me

[Master Disaster]

Simple, both the app and Steams servers run an identical algorithm which is generating codes, each user has a specific algorithm tied to their account.

When your phone generates a code Valves server will generate the exact same code as both are generating it from the same algorithm.

If the code you enter matches the code generated on the server side then your in.

[Nexxus]

Either he trusts the system so much or he just trolled the world

But the idea of having such balls amazes me

disclaimer it might be MOOLYFTW ive heard its all in caps too I just copy and pasted it, I watched the video where he did it and he didnt clarify. This was also 4 years ago so it might be different login details now too. 

[beingGamer]

The generated key should be valid for some specific amount of time right?

 

Suppose you generated the accesskey on your phone at 3:05PM on 3 Nov 2015.

and when you enter it into the steam app on your PC it just passes it to the server & your timezone, the server checks for the current time as per your timezone & might be generating unique accesskeys that can be generated from 3PM till 4PM for that day

Then it just checks whether the provided accesskey exists in the possibilities.

 

And allows you to enter if any one of them matches.

 

Of curse this is possible by having same key generation logic on the app & on the server

 

PS: just a guess of how it might be possible

[Master Disaster]

The generated key should be valid for some specific amount of time right?

 

Suppose you generated the accesskey on your phone at 3:05PM on 3 Nov 2015.

and when you enter it into the steam app on your PC it just passes it to the server & your timezone, the server checks for the current time as per your timezone & might be generating unique accesskeys that can be generated from 3PM till 4PM for that day

Then it just checks whether the provided accesskey exists in the possibilities.

 

And allows you to enter it any one of them matches.

 

Of curse this is possible by having same key generation logic on the app & on the server

 

PS: just a guess of how it might be possible

I've already explained exactly how it works, scroll up.