2FA third party app option
It would be nice to have another 2FA option, e.g. KeePass, etc. What do you guys think? Is there a downside to this?
nullable 12 Jan @ 9:39am 
I use KeePass, maybe I'm not paying attention, what's the 2FA option in KeePass? I just use it as a password manager...
Nx Machina 12 Jan @ 11:39am 
Valve has their own 2FA app.
Steam refuses to put the safety of their users' accounts in the hands of a third party.

Since why should Steam bother when they have their own?

If someone gets locked out of their account and doesn't have any of their emergency codes, Steam cannot help if a third party is handling the 2FA.
Originally posted by HikariLight:
Steam refuses to put the safety of their users' accounts in the hands of a third party.

Since why should Steam bother when they have their own?

If someone gets locked out of their account and doesn't have any of their emergency codes, Steam cannot help if a third party is handling the 2FA.

Precisely. Yubikeys and all other MFA solutions are hacked all the time and are completely insecure. No serious security professional uses ANY security software or solution that they have not developed themselves. The only way to ensure security is to use a security solution that you made yourself.
Last edited by William Shakesman; 12 Jan @ 1:49pm
Originally posted by William Shakesman:
Originally posted by HikariLight:
Steam refuses to put the safety of their users' accounts in the hands of a third party.

Since why should Steam bother when they have their own?

If someone gets locked out of their account and doesn't have any of their emergency codes, Steam cannot help if a third party is handling the 2FA.

Precisely. Yubikeys and all other MFA solutions are hacked all the time and are completely insecure. No serious security professional uses ANY security software or solution that they have not developed themselves. The only way to ensure security is to use a security solution that you made yourself.
And it has been PROVEN that the USER is the weak point for the security of the Steam account.
Also, WHY should Steam use a third party to do something they already provide?
Steam provides a 2FA, so there is no need for them to get a third party company involved.
LyriCa 12 Jan @ 6:57pm 
Thanks for all your replies. I was just wondering, since I do use KeePass and its option to do 2FA and not Steam on my phone.
Originally posted by William Shakesman:
Precisely. Yubikeys and all other MFA solutions are hacked all the time and are completely insecure. No serious security professional uses ANY security software or solution that they have not developed themselves. The only way to ensure security is to use a security solution that you made yourself.

Accounts on Steam are PHISHED because the end user is giving away all their account details.

The account name, the password and the KEY to the door, the Steam Guard Mobile code, or scanning the QR code or authorising via fingerprint giving them access to the account.

How? By either logging into a known scam site or sites, tailored malware on your PC, the vote for my team scam, you have a pending ban scam on Discord, free knife click the link, signing in through a fake login window etc.

How does Steam (a program) know it is not you when all the account details are correct? It doesn't, therefore any action taken on your account is seen as you doing said actions.

The alternative is not plausible:

1) Someone would have to "GUESS" your account name from "millions of possible combinations".

2) Next they would have to "GUESS" your password from "millions of possible combinations" and then match it to your account name with "millions of possible combinations".

3) And finally they would have to "GUESS" the Steam Guard Mobile code "which changes every 30 seconds" to match both your account name and password to then have access to your account.

The weakest link is the end user, not the security offered.


Of course bank, credit card, pension accounts etc. are never compromised. Oh, wait! They are, because the end user gave away all their account details, known as PHISHING.
Last edited by Nx Machina; 13 Jan @ 1:58am
Originally posted by William Shakesman:
Originally posted by HikariLight:
Steam refuses to put the safety of their users' accounts in the hands of a third party.

Since why should Steam bother when they have their own?

If someone gets locked out of their account and doesn't have any of their emergency codes, Steam cannot help if a third party is handling the 2FA.

Precisely. Yubikeys and all other MFA solutions are hacked all the time and are completely insecure. No serious security professional uses ANY security software or solution that they have not developed themselves. The only way to ensure security is to use a security solution that you made yourself.
I work in Cyber and this is the dumbest thing I've read in a long while. The old mantra reads: "One should not reinvent the wheel." TOTP is already handled by Microsoft and Google, which both follow RFC 6238 standards. Yubikeys also follow RFC 6238. It isn’t the service that is insecure, it is the user. There’s actually no reason to use SteamAuth over the aforementioned, other than personal preference. And tbh, imo, I can't see Steam Auth being more secure or even AS secure as the aforementioned. It's certainly way more inconvenient. Especially when my phone dies out of nowhere and I have to jump through hoops to remove SteamAuth.


Originally posted by nullable:
I use KeePass, maybe I'm not paying attention, what's the 2FA option in KeePass? I just use it as a password manager...
You can set up TOTP in keepass which would offer several advantages over the Steam app. The main being locally hosting your token, so you can transfer and have access to your token on multiple devices at a time, instead of being limited to only having access to it on one device at a time à la Steam's app. So in essence, instead of having to go get your phone, you can have direct access to your 2FA code on your computer, laptop1, laptop2, phone, etc. Adds a ton of convenience with no security loss. But since it is locally hosted, you would of course be responsible for having it backed up somewhere. Cloud, flashdrive, second device, etc. whichever works best for you.

Here's a great YT video showcasing how to do it. The only caveat is that he's doing a weird QR code reader workaround for PC. IMO it's easier to click the "Can't scan QR code" option that most sites will give you, as it will give you the same code more quickly. But mayhaps he's showing that just in case you come across the odd website that only has a scan option.

I am currently trying to transition from Steam App to keepass, which is apparently doable. If I remember, I'll update this post if I can get it to work.
cinedine 22 Jul @ 3:40pm 
Amazing that the same people who come into every single one of those topics, prove every time they don't even understand what they are arguing about, fail to educate themselves on the topic and fail to read any of the replies to them correcting them are still trying to engage other users in their nonsensical argumentation.

If only there was a word for such behaviour on the internet.
^ No idea what that's about but anywho I got it to work. It is definitely doable as of right now. Though I have some caveats.

You must do it through a third party app which is no longer receiving updates. So I would say for most people, unless you truly understand the risks and know what you're doing, to not attempt this.

But if you are using keepassXC, then I assume you are more likely to be at least somewhat tech savvy and can get this to work safely. It's fairly straightforward and easy, and a guide has already been made which I will link here[github.com].

Follow all of the steps, because the final steps include backing up your recovery items in a secure way.

Second caveat, since this is a dead third party app, there is the chance that this eventually stops working, in which case if you have not already imported your steam secret to keepass, then I don't know if it will be possible to do going forward unless Steam officially starts to support that. So if you are on the fence, and you've read the guide thoroughly and understand what to do, then I would say do it sooner rather than later. But YMMV, and again, unsupported app, use at your own risk.

For possible troubleshooting purposes, I used Steam Desktop Authenticator by Jessecar96 version 1.0.15 (no longer receiving updates as of Oct 15, 2024).

And I used .NET Desktop Runtime version 8.0.18.

Finally, though not necessarily needed, I changed my password afterwards since it is, in fact, a dead third party app. This way the credentials I used to retrieve the token are no longer paired with the secret key, but it is unlikely that this app is malicious, just an extra precaution I decided to take. Changing the password will require you to receive 2fa with your phone even though you have the SDA set up, which I think is a nice security feature, though inconvenient.

I also generated a new set of backup codes and saved in my keepass notes, which requires a 2fa code sent to your email. It will also require you to use the Desktop Authenticator for a confirmation (which is why it is crucial you back up the files generated by the app.)

Last, I encrypted the mafiles before I deleted them (remember we backed up *the unencrypted version* to a more secure source). Pretty much the same as using a shredder app. There is an option in the SDA app to encrypt the mafiles. Make sure to shift delete and not just send to recycle bin.

I also lost access to my account for a few minutes, which may have been an automated safety feature by Steam because it probably looked suspicious that I was changing all of my account info. (Couldn’t log in, and receiving generic error messages.) But I’m logged in now with my new credentials.

And once again C:, third warning, use at your own risk. It worked for me, but I provide no guarantees regarding functionality or safety.

Hope this helps in the future

Edit: Lol this post is already long enough, but just adding more info. Another caveat I've noticed is that the Steam app on your phone will still give you the option to add it as an authenticator. For obvious reasons I do not recommend this, but YMMV if you try. I also tried to add the TOTP secret to my keepass database on my phone, but there is no convenient "steam" option. This is fine for me because I do not really even use the app anyway on my phone. But I will say this makes it even more necessary to make sure you back up your PC keepass database on at least one other device or in the cloud. You can still save your emergency Steam Revocation Code in the phone notes so, again, in my use case, not a deal breaker.
Last edited by SasuCrowVT/TTV; 22 Jul @ 4:32pm
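The posts above mention RFC 6238 TOTP and a separate "steam" option in KeePass-style apps. The following is an added example, not code from the thread, from KeePassXC or from Steam Desktop Authenticator. It shows that both code styles come from the same HMAC-SHA1 value and differ only in the final encoding. The 5-character alphabet is the one used by open-source Steam Guard code generators and is not stated in the thread; the secret is the public RFC 6238 test secret, and the function names are illustrative.

```python
import hashlib
import hmac
import struct

# Assumption: alphabet used by open-source Steam Guard generators (not from the thread).
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def truncated_hotp(secret: bytes, counter: int) -> int:
    """RFC 4226 dynamic truncation: HMAC-SHA1 over the counter -> 31-bit integer."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def totp_digits(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Standard RFC 6238 code: decimal digits, zero-padded."""
    value = truncated_hotp(secret, unix_time // step)
    return str(value % 10 ** digits).zfill(digits)


def totp_steam(secret: bytes, unix_time: int, step: int = 30) -> str:
    """Same HMAC and 30 s step, but 5 characters drawn from STEAM_ALPHABET."""
    value = truncated_hotp(secret, unix_time // step)
    chars = []
    for _ in range(5):
        value, idx = divmod(value, len(STEAM_ALPHABET))
        chars.append(STEAM_ALPHABET[idx])
    return "".join(chars)


def matches(secret: bytes, submitted: str, unix_time: int,
            window: int = 1, step: int = 30) -> bool:
    """Verifier-side check that tolerates clock drift of +/- `window` time steps."""
    return any(
        hmac.compare_digest(totp_steam(secret, unix_time + d * step, step), submitted)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed sample: the public RFC 6238 test secret, never a real account secret.
    demo_secret = b"12345678901234567890"
    print(totp_digits(demo_secret, 59, digits=8))
    print(totp_steam(demo_secret, 59))
```

Because the code is a pure function of the secret and the clock, any device holding a copy of the secret produces the same code, which is why the backup and storage of that secret carries the whole security of the second factor.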
Originally posted by HikariLight:
Steam refuses to put the safety of their users' accounts in the hands of a third party.

Since why should Steam bother when they have their own?

If someone gets locked out of their account and doesn't have any of their emergency codes, Steam cannot help if a third party is handling the 2FA.
^ Correct, that's one of the risks you take. Thankfully, power users who understand those risks can conduct their own risk/benefit analysis and choose to use Steam Auth or a third party, but it's shameful that you have to resort to a workaround instead of simply having the option built-in.
Originally posted by SasuCrowVT/TTV:
Originally posted by William Shakesman:

Precisely. Yubikeys and all other MFA solutions are hacked all the time and are completely insecure. No serious security professional uses ANY security software or solution that they have not developed themselves. The only way to ensure security is to use a security solution that you made yourself.
I work in Cyber and this is the dumbest thing I've read in a long while. The old mantra reads: "One should not reinvent the wheel." TOTP is already handled by Microsoft and Google, which both follow RFC 6238 standards. Yubikeys also follow RFC 6238. It isn’t the service that is insecure, it is the user. There’s actually no reason to use SteamAuth over the aforementioned, other than personal preference. And tbh, imo, I can't see Steam Auth being more secure or even AS secure as the aforementioned. It's certainly way more inconvenient. Especially when my phone dies out of nowhere and I have to jump through hoops to remove SteamAuth.
Damn near everyone else on this forum works in cyber, or at least claims to, and they also love correcting me, and it took a relative outsider like you dropping by six months later to pounce on that bait because for anyone else to have to do it would require them to have to also gainsay Hikari, and Hikari being a regular, is one of the guys they don't prefer to have to correct. So if nothing else thanks for reminding me of this post.
Last edited by William Shakesman; 22 Jul @ 9:49pm
Nx Machina 23 Jul @ 12:36am 
Originally posted by cinedine:
Amazing that the same people who come into every single one of those topics, prove every time they don't even understand what they are arguing about, fail to educate themselves on the topic and fail to read any of the replies to them correcting them are still trying to engage other users in their nonsensical argumentation.

If only there was a word for such behaviour on the internet.

Failed to educate themselves?

Have you ever lost access to your Steam account?

I haven't in 20+ years and that includes before Steam Guard Email and Steam Guard Mobile existed.

The weakest link is always the end user not the security offered by Valve.
Last edited by Nx Machina; 23 Jul @ 12:37am
Originally posted by Nx Machina:

Failed to educate themselves?

Have you ever lost access to your Steam account?

I haven't in 20+ years and that includes before Steam Guard Email and Steam Guard Mobile existed.

The weakest link is always the end user not the security offered by Valve.
The funny thing is their main argument is 'bUt WhAt If I lOsE my sTeAm EmErGeNcY cOdE', in which case I got news for ya, I've lost it before and account recovery is still a nightmare even having Steam Auth.

How about I just host my own TOTP and not worry about one device failing bricking me from logging in? The whole point is user choice, but they act like we are forcing them to use a third party solution. I couldn't care less if they switch to keepass or use Steam Auth. That's their choice.

Originally posted by William Shakesman:
Damn near everyone else on this forum works in cyber, or at least claims to, and they also love correcting me, and it took a relative outsider like you dropping by six months later to pounce on that bait because for anyone else to have to do it would require them to have to also gainsay Hikari, and Hikari being a regular, is one of the guys they don't prefer to have to correct. So if nothing else thanks for reminding me of this post.
Who cares bro. I just commented to post my findings.

At the end of the day, the OP wanted to know if it was possible to use keepass over Steam Auth. And you can.