Steam

Be careful updating your password via Steam, and keep your information up to date!

Hey all, I wanted to make this post as this literally just happened to me. It was a huge ordeal if you use the authenticator, and if I didn't have every single necessary security requirement set by Steam, I could have bricked my own account.

I updated my password (already logged in) via my settings on Steam on my PC. I did this as I got an authenticator code when I wasn't logging in, and did the correct thing: updated my password.

What I wasn't ready for was it logging me out of my Steam mobile app, and when signing back in it asked for the Steam Guard code only to finish sign-in, and would not let me verify via my SMS phone number.

On the website I was able to recover this by removing Steam Guard via their recovery methods, with confirmation via text message/SMS. If I didn't have this set up and my written-down code the authenticator gives you, I'm not sure what I could have done quickly to get back into Steam.

It was a huge headache I caused myself for something as simple as a password update, and this is a reminder to make sure you have all your security, SMS, and authenticator things up to date!

https://www.reddit.com/r/Steam/comments/1lv63w9/be_careful_updating_your_password_via_steam_and/

Discussion

Purple_Wing_3178

I'm pretty sure the Steam Guard tab (with the shield icon) works and gives you TOTPs even if you're signed out of your mobile Steam app. It works independently from the rest of the app.

8 hours ago
leachim47 OP

I had no such tabs at the bottom. I believe you’re right as I’ve updated before and not had such issues.

But this time it was just on a login screen with nothing else. I truly was in bug land. Either way, I wanted to make a post as a reminder: always have all security settings ready for such an absurd event! Or even worse, if your account's stolen.

6 hours ago
daniu

Steam Guard is a "yeah, that's me" acknowledgment. How is it going to do that if it doesn't know what "me" is, since you're not logged in? 

3 hours ago
Purple_Wing_3178

Because when you set up a Steam Guard, it creates and stores a shared secret - which is everything it needs to generate TOTP codes.

That's what allows it to generate codes offline.

In fact, you don't actually need the app at all if you have the secret; you can use any other RFC 6238 authenticator to generate the codes. The only quirk is that Steam presents the output in a non-standard way (5 alphanumeric characters instead of the usual 6 digits).

3 hours ago
daniu

But when you log in to another Steam account on your mobile app, that shouldn't use the existing token to verify your identity. Keeping a token on logout is a security issue, no?

2 hours ago
Purple_Wing_3178

Each account stores its own shared secret. "Shared" here means that it's the same on your device and on the Steam servers, not that it's shared between multiple accounts. The secret that your Steam Guard uses to generate a TOTP is the same secret that Steam uses to verify that the code is correct. This is a different concept than, let's say, a private key, that only you ever have access to.

You can switch between multiple accounts on the mobile app and simultaneously have multiple Steam Guards set up on the same device. Since each account has its own secret, TOTPs for one account won't unlock a different account.

> Keeping a token on logout is a security issue, no?

You're not really supposed to log out of the account on the device that has a Steam Guard set up for that particular account. If you don't trust a device for any reason, you should remove the Steam Guard from it.

1 hour ago
TehDragonGuy

Because it's tied to the phone, not the account you're signed into on the app.

2 hours ago
shadowds

So, to give you a heads up: as long as you don't wipe/uninstall your Steam mobile guard app, when you click the button to deauthorize all devices, or change credentials, your TOTP code should still remain in your app; it doesn't get removed. All you have to do is click the shield icon, and at the bottom left you'll see a small button that says "show Steam Guard code"; that is your TOTP page showing your code. Just copy it, log in as normal, and that's it.

Lastly, never skip writing down your recovery code. They show it to you because it's in case there's a problem and you need to remove it from the account, such as a lost/stolen device, or you mistakenly wiped/deleted the app. That way you wouldn't have to wait on support; you can handle it yourself in seconds.

Here are some safety tips: never log in via 3rd-party sites. Someone may DM you scam links; there can be close friends that fell for scam links, and the scammer DMs you using your friend's account, a common scam via Steam, Discord, etc. The scam is like "vote for my team", "I gifted you something", "you got an invite to a beta", or whatever the story may be; all of them have a link that opens your browser and asks you to log in.

There are also lots of scam sites that impersonate, or claim to be, sites such as those trading/gambling sites. There are also fake promotions like free skins, money, or whatever it may be, to scam you.

3 hours ago
leachim47 OP

Yeah, I only had a login screen on my app and it wouldn't let me do anything else. I recovered via SMS and removing Steam Guard temporarily. I saw other comments stating this but I didn't see any recourse.

Thankfully, having the code and SMS set up, I had options. I wanted to make the post as a reminder to have these things set up in case someone updates passwords and maybe doesn't have all their things set up or updated.

Do appreciate the info though!

3 hours ago
NoTime_SwordIsEnough

I actually extracted the Steam Guard TOTP secret (AKA, the magic, secret code TOTP authenticators use to generate random codes) from the Steam Guard app on my phone, and imported it into KeePass XC, which I unlock with my physical YubiKey authenticator.

This way I'm not forced to use Steam's app and can grab TOTP codes from any TOTP app I want (whether on my phone or my PC), nor do I have to worry about losing access if something happens to my phone with Steam Guard. Plus I have the TOTP secret encrypted and backed up in a few places (which also requires my security key, and extra security on top of it) in case my PC's hard drive crashes or something.

Right now I generate my 2nd-factor TOTP code on the same PC I log in from (it would be smarter if I air-gapped it to another PC or used KeePass XC on my phone, though), but it works well for me since I'm lazy and rarely ever need to generate my codes.

8 hours ago
Zururu

Guide plz. 🙏

5 hours ago
leachim47 OP

Oh, that's smart. I set up Yubi for work-related stuff but didn't think about implementing it this way.

5 hours ago
Purple_Wing_3178

Steam TOTP differs from the reference implementation because they render the TOTP in alphanumeric characters while the reference implementation (and any typical TOTP app) uses digit-only codes. Do you convert it somehow?

4 hours ago
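The mechanism Purple_Wing_3178 describes above (standard RFC 6238 HMAC-SHA1 underneath, with the truncated value rendered as five characters from a 26-symbol alphabet instead of six digits), the point that the per-account shared secret is the same thing the verifying side uses, and the "do you convert it somehow?" question, as an added Python example. This is not code from the thread, from Valve, or from the Steam app; the Steam alphabet and the base64 encoding of the `shared_secret` follow the widely reimplemented Steam Guard scheme, and the secret used is the RFC 4226/6238 test-vector key "12345678901234567890", constructed here so the 6-digit rendering can be checked against the RFC's published values. The server-time offset the Steam app applies is assumed to be zero (local clock in sync); `verify_steam_code` and `codes_for_accounts` are illustrative names, not Steam APIs.

```python
import base64
import hashlib
import hmac
import struct
import time

# Steam shows the dynamically truncated HMAC value as five symbols from this
# 26-character alphabet (0, 1 and easily confused letters are left out).
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"
TIME_STEP = 30  # seconds; the same step as the RFC 6238 default

# Constructed sample: the RFC 4226 / RFC 6238 SHA-1 test-vector key,
# base64-encoded because that is how Steam's shared_secret is stored.
SAMPLE_SHARED_SECRET_B64 = "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA="  # "12345678901234567890"


def decode_steam_secret(shared_secret_b64: str) -> bytes:
    """Steam's shared_secret is base64, not the base32 used in otpauth:// URIs."""
    return base64.b64decode(shared_secret_b64)


def dynamic_truncation(secret: bytes, counter: int) -> int:
    """RFC 4226 section 5.3: HMAC-SHA1 over the 8-byte big-endian counter, read
    4 bytes at the offset given by the low nibble of the last MAC byte, and clear
    the top bit. Both the Steam and the standard rendering start from this value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF


def totp_digits(secret: bytes, now: int, digits: int = 6) -> str:
    """Reference rendering: truncated value modulo 10^digits, zero-padded."""
    value = dynamic_truncation(secret, now // TIME_STEP)
    return str(value % (10 ** digits)).zfill(digits)


def totp_steam(secret: bytes, now: int) -> str:
    """Steam rendering of the same truncated value: five base-26 symbols,
    least significant symbol first. A stock 6-digit app cannot produce this
    unless it applies this conversion instead of the decimal one."""
    value = dynamic_truncation(secret, now // TIME_STEP)
    code = []
    for _ in range(5):
        code.append(STEAM_ALPHABET[value % len(STEAM_ALPHABET)])
        value //= len(STEAM_ALPHABET)
    return "".join(code)


def verify_steam_code(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """What the verifying side does with the *same* shared secret: recompute the
    code for the current step and `window` steps either side (clock skew) and
    compare in constant time. Illustrative; not Steam's server code."""
    step = now // TIME_STEP
    for delta in range(-window, window + 1):
        expected = totp_steam(secret, (step + delta) * TIME_STEP)
        if hmac.compare_digest(expected, code.upper()):
            return True
    return False


def codes_for_accounts(accounts: dict, now: int) -> dict:
    """Several Steam Guard secrets on one device: each account's code is derived
    only from that account's own secret, so codes never cross over."""
    return {name: totp_steam(decode_steam_secret(b64), now)
            for name, b64 in accounts.items()}


if __name__ == "__main__":
    secret = decode_steam_secret(SAMPLE_SHARED_SECRET_B64)
    # At T=59 the RFC 6238 SHA-1 vector gives 94287082 (8 digits) / 287082 (6 digits).
    print(totp_digits(secret, 59, 8), totp_digits(secret, 59), totp_steam(secret, 59))
    now = int(time.time())
    # Constructed second account secret, to show per-account independence.
    accounts = {"account_a": SAMPLE_SHARED_SECRET_B64,
                "account_b": base64.b64encode(b"a different shared secret").decode()}
    print(codes_for_accounts(accounts, now))
    print(verify_steam_code(secret, totp_steam(secret, now), now))
```

The only step that differs from a standard authenticator is the final rendering in `totp_steam`; everything up to `dynamic_truncation` is byte-for-byte the RFC algorithm, which is why the extracted secret can live in any TOTP store that knows how to apply the Steam alphabet.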
Jameeble980

Not really an issue. You can have Steam send a code to your phone number to log in, or use your recovery code that you (hopefully) backed up and/or written somewhere.

5 hours ago
leachim47 OP

As stated above, the SMS portion wouldn't work. And having the code is what saved me! The fact it can bug out when doing a basic password reset is annoying, so I made the post: you may bug out, so always make sure your security options are updated.

5 hours ago
Jameeble980

Oh, my bad, I must've missed that part! I'm glad you got back into your account, though.

Surprises me how many people don't back up their recovery codes, though. Like you're spending hundreds of dollars (or pounds for me) on an account, and not many people do the bare minimum to keep their account safe.

5 hours ago
leachim47 OP

100%. I'm a bit peeved that resetting put me in this position, but at least I had recourse. Someone above stated that it should have still given me Steam Guard codes even if I'm logged out, but it wasn't, or it wasn't accessible for me. Frustrating, but like you said, keep your account safe! Enroll your number!

5 hours ago