How to Use Your Yubikey as a Steam Guard TOTP Generator, 2023 Edition
Update Nov 5, 2023: This no longer works—see here for updated instructions.
Note: Unlike most other articles on this blog, this article contains instructions on how to solve a common-ish problem and therefore is written in English.
You will need:
- a Yubikey (not a Yubico "Security Key", but other brands may work as well; rule of thumb: if you can use your device as a 2FA for, say, Amazon, it should work)
- a rooted Android phone; there seem to be recipes for Androids without root, but I haven't tested them and they seem complicated
- an older version of the Steam app for Android (version 2.x, I got mine from here; don't worry, you can return to the current version when you're done)
1. Remove your current Steam Guard from your Steam account; if you're not currently using the 3.x Steam app, you can probably skip this step.
   Caution: This is not the same as Step 2!
2. Uninstall the current Steam app and install a 2.x version from your most trusted source.
3. Set up your 2.x app as a Steam Guard authenticator.
4. Use either adb or your favorite file manager app (with root privileges) to copy /data/data/com.valvesoftware.android.steam.community/files/Steamguard-[YOUR_STEAM_ID] ([YOUR_STEAM_ID] will be replaced by a long number) to your computer.
5. This is a JSON file that will look something like this:

   {
     "steamid":"[YOUR_STEAM_ID]",
     "shared_secret":"[BASE32_ENCODED_SECRET]",
     "serial_number":"[SOME_NUMBER]",
     "revocation_code":"R[YOUR_REVOCATION_CODE]",
     "uri":"otpauth:\/\/totp\/Steam:[YOUR_ACCOUNT_NAME]?secret=[YOUR_SHARED_SECRET]&issuer=Steam",
     "server_time":"[TIMESTAMP]",
     "account_name":"[YOUR_ACCOUNT_NAME]",
     "token_gid":"[8_BYTE_GID]",
     "identity_secret":"[BASE32_ENCODED_SECRET]",
     "secret_1":"[BASE32_ENCODED_SECRET]",
     "status":1,
     "phone_number_hint":"[LAST_4_DIGITS_OF_YOUR_PHONE_NUMBER]",
     "steamguard_scheme":"2"
   }

   The relevant line is the "uri" line; in your favorite Yubikey TOTP app, add a new account and enter the parameters it contains:

   Issuer: Steam
   Account name: [YOUR_ACCOUNT_NAME]
   Secret key: [YOUR_SHARED_SECRET]
6. Make sure your Steam app generates the same TOTPs as your Yubikey. If it doesn't, something has gone wrong and you'll likely need to start over from step 4 or 5.
7. You're done! You can now update your old Steam app (2.x was last released in 2020!!) to the newest version. However, you may want to keep the Steamguard-[YOUR_STEAM_ID] file around to add accounts to more Yubikeys.
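The step that reads the account parameters out of the copied Steamguard file can be scripted. This is an added example, not part of the original post: the function name `yubikey_params` and all sample values are made up for illustration.

```python
import base64
import json
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in the layout shown above; every value is a placeholder.
SAMPLE = r'''{
  "steamid": "00000000000000000",
  "uri": "otpauth:\/\/totp\/Steam:example_user?secret=JBSWY3DPEHPK3PXP&issuer=Steam",
  "account_name": "example_user",
  "steamguard_scheme": "2"
}'''


def yubikey_params(steamguard_json: str) -> dict:
    """Return issuer, account name and secret key from the file's "uri" field."""
    data = json.loads(steamguard_json)  # decoding turns the escaped \/ into /
    uri = urlsplit(data["uri"])
    if uri.scheme != "otpauth" or uri.netloc != "totp":
        raise ValueError("uri is not an otpauth://totp/ URI")

    # The path is the label, "Issuer:account"; the query carries the rest.
    label_issuer, _, account = unquote(uri.path.lstrip("/")).rpartition(":")
    query = parse_qs(uri.query)
    issuer = query.get("issuer", [label_issuer])[0]
    secret = query.get("secret", [""])[0].replace(" ", "").upper()

    # A file belonging to a different account should be caught here.
    if data.get("account_name", account) != account:
        raise ValueError("uri label and account_name disagree")

    # The secret key must be Base32; restore stripped padding before decoding.
    try:
        key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("secret is not valid Base32") from exc
    if not key:
        raise ValueError("uri carries no secret")

    return {"issuer": issuer, "account": account,
            "secret": secret, "key_bytes": len(key)}


if __name__ == "__main__":
    # On a real file: yubikey_params(open(path_to_copied_file).read())
    for name, value in yubikey_params(SAMPLE).items():
        print(f"{name}: {value}")
```

The Steamguard file also holds the revocation code and the other secrets shown in the listing, so if you keep it around, store it somewhere as well protected as the Yubikey itself.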
What can you do with it?
- You can use it to log in, even if your phone is lost, damaged, stolen, etc.
- You cannot use it to authorize trades.
I didn't say you should, I said you could. Personally, I trust my Yubikey more than my phone and I also expect it to live longer.
Doesn't this impact the security of my Steam account?
See above; I don't believe my Yubikey is more easily compromised and/or lost than my phone. If you disagree, don't do it.
Closing thought:
Thank you Valve for using standard TOTPs for Steam login. Now could you please make it easier to export/access the shared secret?
Acknowledgements:
Thanks to geripgeri for the original instructions on how to add a Steam account to your Yubikey.