WTF Steam



  • I foolishly decided to install the Steam Mobile Authenticator some time ago.

    It has since decided to sign me out and I've forgot my password.

    I can't change my password without using the Mobile Authenticator, and I can't remove the Mobile Authenticator from my account without my password.

    So how the hell am I supposed to sign in?! "No problem" they say, "We'll send a code to the phone we have on file, just type it into our website", and yes, the code came and the website accepted it, but it still won't allow me to change my password without a Mobile Authenticator code, and the code I got in the text message doesn't work. So they send another code to "Remove the mobile authenticator", and again, it works fine, then asks me for my password before it'll continue, which I don't have.

    Seems I'm going around in circles.



  • @Mole I know this isn't in a help forum, but have you tried contacting Steam support? It's a separate account, so you should be able to get in or create a new support account.


  • area_can

    I think WTF sums up Steam nicely.


  • Dupa

    @bb36e said in WTF Steam:

    I think WTF sums up Steam nicely.

    Yeah, or even the daily WTF.


  • :belt_onion:

    @Mole said in WTF Steam:

    I foolishly decided to install the Steam Mobile Authenticator some time ago.

    It has since decided to sign me out and I've forgot my password.

    I can't change my password without using the Mobile Authenticator, and I can't remove the Mobile Authenticator from my account without my password.

    So how the hell am I supposed to sign in?! "No problem" they say, "We'll send a code to the phone we have on file, just type it into our website", and yes, the code came and the website accepted it, but it still won't allow me to change my password without a Mobile Authenticator code, and the code I got in the text message doesn't work. So they send another code to "Remove the mobile authenticator", and again, it works fine, then asks me for my password before it'll continue, which I don't have.

    Seems I'm going around in circles.

    FWIW, there should be a way to get the codes off of the app without signing in, as I've been in precisely that predicament before. See if there's something you can do to get to the hamburger menu (I don't remember exactly how I did that before...) and get to the authenticator part of the app.


  • I survived the hour long Uno hand

    Lesson of the day: don't sign up for 2FA unless it uses Google's authenticator. That one you don't have to log into once it's set up.


  • FoxDev

    @Yamikuronue The same applies to Microsoft's Azure Authenticator (and the standard Microsoft Authenticator, but that's essentially the Google Authenticator with a different badge)



  • @Yamikuronue said in WTF Steam:

    Lesson of the day: don't sign up for 2FA unless it uses Google's authenticator. That one you don't have to log into once it's set up.

    But if you get a new phone, Google Authenticator gives different codes. Inconvenient.



  • @another_sam said in WTF Steam:

    But if you get a new phone, Google Authenticator gives different codes. Inconvenient.

    On Android, maybe. On iPhone it just refuses to restore the codes from backup in the first place.


  • Trolleybus Mechanic

    @Yamikuronue said in WTF Steam:

    Lesson of the day: don't sign up for 2FA

    period.

    Because literally no one will ever get it right, and all they want is your cell # for Moar Marketing Moniez.


  • Garbage Person

    @Lorne-Kates Yep. I only use it when it's mandatory (banks and shiz)



  • @Lorne-Kates said in WTF Steam:

    all they want is your cell # for Moar Marketing Moniez

    I have never received a spam text or phone call on my Google Voice number.


  • :belt_onion:

    @Lorne-Kates said in WTF Steam:

    Lesson of the day: don't sign up for 2FA

    period.
    Because literally no one will ever get it right, and all they want is your cell # for Moar Marketing Moniez.

    Totally and completely false.

    If it's offline authentication, like Google Authenticator or Microsoft Authenticator, both of which use the same protocol IIRC, your phone number quite literally never comes into play.

    Even if it uses something like a cell phone, it's pretty ridiculous to think that someone's gonna sell that number, received in that way, for marketing reasons, unless you're dealing with a really, really bad company... My cell number has been used on both Microsoft and Google accounts and I've quite literally never gotten a single telemarketing call on it.

    But please, do keep encouraging people to not use possibly one of the best account security methods out there because :fa_tinfoil_hat:. It's much better when people get their account hacked after using the same password everywhere...


  • :belt_onion:

    @sloosecannon Nota bene: I'm not saying Steam gets it right, either. They're absolutely terrible and should use something standardized like Authenticator rather than their stupid-as-hell roll-your-own-2fa crap.


  • I survived the hour long Uno hand

    @another_sam said in WTF Steam:

    if you get a new phone

    So you're saying when using two-factor authentication, if you lose the second factor, you can't log in? I wonder how I could possibly have predicted that.


  • BINNED

    I had a pretty similar problem with Battle.net Authenticator that I foolishly installed years ago. The phone I installed on broke and I didn't have the code/seed thingy I need to configure it on another phone. To remove the "protection" from my account they wanted me to send them a scan of some form of government-issued ID...

    I wonder if they even know what my country's ID is supposed to look like. I could have probably photoshopped it - which I would have to do anyway since the "real name" on that was something like Dick Blowjob.

    In the end I decided I don't care enough to go through the trouble, and I haven't played an Activision game ever since.



  • @Mole said in WTF Steam:

    and I've forgot my password.

    And here, ladies and gentlemen, we have TR:wtf:. Write the damned password down if you have to, on a post-it by your computer (really, if someone burgles your place, you have other things to worry about than whether someone finds the password to your Steam account with no identifying mark to tell the burglar what it is for), but do not forget it.

    Do not forget it, because that password is worth money. If you forget it and lose access to Steam, you lose all the money you sank into games on there.


  • Trolleybus Mechanic

    @sloosecannon said in WTF Steam:

    like Google
    ... unless you're dealing with a really, really bad company...

    Uh-huh. Google is not using your cell phone number for marketing and analytics. Not. At. All.


  • Winner of the 2016 Presidential Election

    @Lorne-Kates Just make sure to go through the settings after every single Android/GMail/… update and make sure you disable all new "allow us to analyze your data" options. Easy, right? 🚎


  • ♿ (Parody)

    @Lorne-Kates said in WTF Steam:

    Uh-huh. Google is not using your cell phone number for marketing and analytics. Not. At. All.

    Why should I care about this (I mean, my number, obviously I don't care about your number)?



  • @Steve_The_Cynic

    And here, ladies and gentlemen, we have TR:wtf:. Write the damned password down if you have to, on a post-it by your computer (really, if someone burgles your

    Do not forget it, because that password is worth money. If you forget it and lose access to Steam, you lose all the money you sank into games on there.

    When I created the Steam account it was because I was forced to. I didn't give a crap about the account and used a throwaway password, mutated to fit in line with the password requirements. I've since bought a game on there, but the app remembered my password from donkeys ago so I didn't care about changing it. It's only since it has decided to forget it that I've got this problem.

    I've contacted support but they are worse than useless, wanting me to prove my id by posting or faxing (really) some official document to them. It's ok though, I can block out any personal information as long as they can use it as a valid form of id (wtf)

    My conclusion is to play the game offline (I only have the one game) and not give a crap about Steam any more.



  • @Lorne-Kates said in WTF Steam:

    Uh-huh. Google is not using your cell phone number for marketing and analytics. Not. At. All.

    Oh noes, Google is going to know I never click on ad banners and almost never buy stuff online! They'll serve me only the cheapest ads!

    I'd be more concerned if you were going for the political surveillance aspect, but my country's intelligence agencies already do that, so meh.



  • @Yamikuronue said in WTF Steam:

    So you're saying when using two-factor authentication, if you lose the second factor, you can't log in? I wonder how I could possibly have predicted that.

    What you might not have predicted is that while nearly every app on your new phone works exactly as it did on the old phone because the cloud is made of magic (and maybe you did backups), the authenticator does not. Your accounts and settings and data and all sorts of things just migrate their way onto your new device, but the authenticator does not.

    The second factor isn't your Google account or your phone number or something else that's hard to lose, it's the easily damaged or lost physical device that you carry everywhere and put at great risk of destruction all day every day.


  • Notification Spam Recipient

    @another_sam
    It's almost like we should store the private keys somewhere in the cloud to automagically restore them... oh wait....


  • :belt_onion:

    @another_sam Yeah, it's a tough line to walk to determine how stuff like that would work.

    Ideally, you'd be able to say "It's your fault for not using the backup codes"... That's pretty much the only way you can make absolutely sure you can't get past the 2fa. On the other hand, that's a fantastic way to piss people off, because you're saying it's their fault for locking themselves out of their account (which... even if it is... there are a lot of people who probably don't realize that they need to save the backup codes). And phones fail too - Whether you break it, or it just dies, or it gets stolen, or any of any number of possible reasons.

    Ideally, you'd be somewhere in the middle - you don't want to make it easy to get past the 2fa via social engineering, but you should have some way to recover the account if you lose the second factor.


  • Notification Spam Recipient

    @sloosecannon said in WTF Steam:

    you should have some way to recover the account if you lose the second factor.

    I have a watchdog gmail account that (in theory) should be able to reset each other if needed. I really need to test it one of these days, but it seems I forgot the password to that account...


    Filed under: Perfect opportunity!


  • :belt_onion:

    @Tsaukpaetra said in WTF Steam:

    @sloosecannon said in WTF Steam:

    you should have some way to recover the account if you lose the second factor.

    I have a watchdog gmail account that (in theory) should be able to reset each other if needed. I really need to test it one of these days, but it seems I forgot the password to that account...


    Filed under: Perfect opportunity!

    :slowclap:



  • The wtf here is that the code they sent to your phone via SMS or whatever didn't work.

    What exactly do you want Steam to do here? Why did you install the mobile authenticator for an account you don't know the password to? The difference between you and some dude who stole your phone is literally zero. The fault tolerance mode here is 'reset my password using a link sent to an email address over TLS'.

    (what's the point of a mobile authenticator app anyway? Texting a code to your phone that you can then read shows you currently physically have the phone in your possession. Is it just a CSPRNG so you can use it in the boonies? Where do you have internet but no phone reception??)


  • :belt_onion:

    @AyGeePlus said in WTF Steam:

    The wtf here is that the code they sent to your phone via SMS or whatever didn't work.

    What exactly do you want Steam to do here? Why did you install the mobile authenticator for an account you don't know the password to? The difference between you and some dude who stole your phone is literally zero. The fault tolerance mode here is 'reset my password using a link sent to an email address over TLS'.

    (what's the point of a mobile authenticator app anyway? Texting a code to your phone that you can then read shows you currently physically have the phone in your possession. Is it just a CSPRNG so you can use it in the boonies? Where do you have internet but no phone reception??)

    Well, the problem is that the Steam "mobile authenticator" is part of the Steam app - which requires you to be logged in to do anything. If you happen to get logged out....... you're screwed.

    Filed under: Catch 22, Please insert your 2fa code to get your 2fa code, recursive requirements


  • :belt_onion:

    @AyGeePlus said in WTF Steam:

    what's the point of a mobile authenticator app anyway?

    Also, it's required for some Steam features or something - I remember a thread (I think it was a @blakeyrant because there's no WinPhone authenticator). Stupid, but that's Steam for you...



  • @AyGeePlus said in WTF Steam:

    what's the point of a mobile authenticator app anyway? Texting a code to your phone that you can then read shows you currently physically have the phone in your possession.

    I can think of a few wrinkles, not insurmountable, but still something that needs to be considered in the decision making process:

    1. Privacy implications of asking for and storing phone numbers
    2. Validating phone numbers from foreign lands
    3. Sending texts to foreign lands
    4. Text providers charge money


  • @AyGeePlus said in WTF Steam:

    Where do you have internet but no phone reception??)

    My mother's house. Before my current phone, which supports Wi-Fi calling, there was no way to get a text message.

    But seriously, people, http://keepass.info


  • Notification Spam Recipient

    @SirTwist said in WTF Steam:

    people, http://kepass.info

    You mised a letter. ;)

    Seriously, a password manager doesn't help with 2fa. You forget the password (or lose the key) to that, and you're still f'ed.



  • @Tsaukpaetra said in WTF Steam:

    You forget the password (or lose the key) to that, and you're still f'ed.

    Make a secure, memorable passphrase for your password manager.


  • Notification Spam Recipient

    @another_sam said in WTF Steam:

    memorable passphrase

    Eh. Those never worked for me (probable memory map issue). I can't remember those funky quirky phrases, but I can instantly recall AFEBB01AA3 (wifi password from 2005) without issue.



  • @Tsaukpaetra said in WTF Steam:

    Eh. Those never worked for me (probable memory map issue). I can't remember those funky quirky phrases, but I can instantly recall AFEBB01AA3 (wifi password from 2005) without issue.

    Freak.


  • Notification Spam Recipient

    @another_sam said in WTF Steam:

    Freak

    You noticed? I suppose I hide it quite well, all things considered.



  • @Tsaukpaetra is Tay v2.0, confirmed


  • Notification Spam Recipient

    @AyGeePlus said in WTF Steam:

    @Tsaukpaetra is Tay v2.0, confirmed

    In many aspects, Tay cannot compare at all to me. In many aspects, I cannot be compared to Tay.

    However, the bottom line is that we both know our conversants only through the Internet. :D



  • @Tsaukpaetra But can you sing?



  • @Tsaukpaetra Sorry, fixed. Keepass has a plugin for doing TOTP like Google Authenticator, if you can get the secret number. I also keep a copy of the QR code as an attachment to each account that has GAuth. This meant I had to tell Google I was using an iPhone so it would actually give me the number.

    A single password is much easier to remember. If you're really worried about forgetting, you'll still have to write it down, or keep an unencrypted copy of the db in a safe deposit box or something.


  • Notification Spam Recipient

    @aliceif said in WTF Steam:

    But can you sing?

    Actually, yes. Under normal circumstances, I can sing quite well.
    Recent damage to my vocal cords has reduced this ability, but I expect to make 95% recovery.



  • @Mole said in WTF Steam:

    When I created the Steam account it was because I was forced to. I didn't give a crap about the account and used a throwaway password, mutated to fit in line with the password requirements.

    See, I told you. You are TR:wtf:. You just confirmed it. Never, ever assume that (a) software will continue to remember that you are logged in to it(1), and (b) that account you created 'because you had to' will remain like that.

    (1) Not least because one of the great virtues of Steam is that when you log in to it on a new machine, you can immediately pull down any of the software you bought previously.


  • Notification Spam Recipient

    0_1459945752452_CfV_jH8W8AAduNL.jpg



  • @DogsB said in WTF Steam:

    0_1459945752452_CfV_jH8W8AAduNL.jpg

    Well, overall, I'd say the guy who wrote the story is ignorant of the origin of being "under fire" for something. Dude! It ain't that kind of fire! It means people are (metaphorically) shooting at him.

    Sigh. Kids these days.


  • kills Dumbledore

    @Steve_The_Cynic said in WTF Steam:

    Dude! It ain't that kind of fire! It means people are (metaphorically) shooting at him.

    And what forces the bullet out of the gun? Setting fire to the gunpowder



  • @Steve_The_Cynic said in WTF Steam:

    See, I told you. You are TR:wtf:. You just confirmed it. Never, ever assume that (a) software will continue to remember that you are logged in to it(1), and (b) that account you created 'because you had to' will remain like that.

    (1) Not least because one of the great virtues of Steam is that when you log in to it on a new machine, you can immediately pull down any of the software you bought previously.

    Ok, my bad, but Steam is still shit :)



  • @another_sam said in WTF Steam:

    Privacy implications of asking for and storing phone numbers
    Validating phone numbers from foreign lands
    Sending texts to foreign lands
    Text providers charge money

    Which can all be summarized as 0. Phone calls and SMSs are terrible standards that need to die in a fire.



  • @Steve_The_Cynic Honestly... I think you can just use "123456" as your Steam password. Since you're forced to use SteamGuard anyway, and your email account should be secure, the password is not that important.



  • @sloosecannon Yes, it's a difficult problem. If your phone has the private key you need to log in, then by definition if you lose your phone, you should lose the ability to log in. Obviously people don't want that.

    Most online accounts have several authentication methods (hardware token, phone number, email, password, security questions...) and require a combination of those to login or recover a missing one.

    And of course, you can chain some of those: hacking into my email would let you get into my Steam account, hacking someone's Google account would probably let you see their synced Chrome passwords, etc. And let's not forget that you can "partition" accounts, requiring extra passwords to access more sensitive parts.

    The end result is you have a big directed graph of authentication methods, and there are thousands of ways you can arrange it. I wonder if anyone has made any standard language to represent that? It might be useful.

    Ultimately I guess we're going to need secure cabins that perform a full biometric scan of you to see if you match.
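
Added example, not part of the post above: one way to model the "directed graph of authentication methods" in Python and find recovery deadlocks by forward chaining. The rule set is a constructed reading of the Steam flow as described in this thread, not Steam's actual policy, and every name in it is this example's own.

```python
from typing import Dict, Iterable, List, Set

# target -> list of alternative requirement sets (any one set suffices)
Rules = Dict[str, List[Set[str]]]

# Constructed model of the flow as posters describe it in this thread.
STEAM_AS_DESCRIBED: Rules = {
    "sms_code": [{"phone"}],
    # The authenticator lives inside the app, and the app needs a login.
    "app_session": [{"password", "authenticator_code"}],
    "authenticator_code": [{"app_session"}],
    "new_password": [{"sms_code", "authenticator_code"}],
    "authenticator_removed": [{"sms_code", "password"}],
    "password": [{"new_password"}],
}

# Same account, but codes come from a standalone TOTP app that only needs
# the seed stored on the phone (assumption for comparison).
STANDALONE_TOTP: Rules = dict(STEAM_AS_DESCRIBED, authenticator_code=[{"phone"}])


def reachable(held: Iterable[str], rules: Rules) -> Set[str]:
    """Forward-chain to a fixed point: everything obtainable from `held`."""
    have = set(held)
    changed = True
    while changed:
        changed = False
        for target, alternatives in rules.items():
            if target not in have and any(req <= have for req in alternatives):
                have.add(target)
                changed = True
    return have


def deadlocked(held: Iterable[str], rules: Rules) -> List[str]:
    """Targets that no sequence of recovery steps can ever produce."""
    return sorted(set(rules) - reachable(held, rules))


if __name__ == "__main__":
    print("phone only, in-app authenticator:",
          deadlocked({"phone"}, STEAM_AS_DESCRIBED))
    print("phone only, standalone TOTP:",
          deadlocked({"phone"}, STANDALONE_TOTP))
    print("phone + password, in-app authenticator:",
          deadlocked({"phone", "password"}, STEAM_AS_DESCRIBED))
```

A non-empty result for a user who still holds a legitimate factor marks a cycle in the recovery design that should be caught in review, before users hit it.
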

