
Never Enter A Steam Two-Factor Code Again

Trading on Steam has gone from a wonderful community-oriented experience to a major hassle. Not only are there at least sixteen different reasons you might not be able to trade, but you also need to install Steam’s proprietary two-factor auth app on your phone before you can confirm any trades.

The process is very cumbersome for anyone who trades frequently, and it’s even worse for anyone doing development on the platform who needs to test things where multiple accounts are exchanging items.

Luckily, there’s a way around all of this. It will require a bit of work up-front though, and isn’t exactly the most secure solution if your local computer is shared.

First, we need a way to generate the one-time-use two-factor codes the same way the Steam app does.

Setup The 2FA Server

Dr. McKay has created a mimicked version of the Steam Guard 2FA app. You can run the server as either a Node.js application or, my own personal preference, a PHP application (since my workstation is already running nginx/php). Clone the repo from here: https://github.com/DoctorMcKay/steam-twofactor-server.

Note: My workstation is running Linux (Fedora). The concepts apply everywhere, but your setup steps may differ.

I edited my /etc/hosts file to point steam-secrets.local to 127.0.0.1, and the nginx config to match.

127.0.0.1 steam-secrets.local

/etc/nginx/conf.d/steam-secrets.local.conf

server {
    # No address is given, so nginx listens on port 80 of every interface
    listen 80;
    index index.php index.html;
    server_name steam-secrets.local;
    # Files under this root that match no location block, secrets/ included,
    # are served as static files
    root /var/www/html/steam-twofactor-server;

    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST' always;
    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;

    location ~ \.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        # Make sure that the base script exists
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
}

When you’re done following the readme, test it by hitting: http://steam-secrets.local/steam_twofactor.php/code/test. The response should error with:
No secret is available for that account.

Prepare For Steam Guard

Before you can enable Steam Guard, you need a phone number attached to your account. You can attach the same phone number to multiple accounts (there’s a limit per-month for the same number, but it’s relatively high–somewhere around 30).

  1. Log in to the account on Steam
  2. Go to Account Settings
  3. Ensure your email address is validated. If not, validate it from this same page before continuing.
  4. Under Contact Info, click Add a phone number
  5. Check your email and click Add phone number within the email
  6. Close the new window, open the original tab with the account settings and enter the 5-digit code texted to you
  7. Press Done

Now your account meets the requirements to run the mobile authenticator.

Enable Steam Guard

In order to use the 2FA server, we need to get the client secret. This is only given during the setup process and you can never fetch the info from Steam again.

In my case, I’m using some alts just for trading so I’ll be setting them up from scratch. If you’re using your main account and want the Steam Guard code from your phone, good luck. You’ll need to have the phone rooted and search through the Steam authenticator files.

Regardless of whether or not you used PHP for the server, we will be using node to make the requests for setting up 2FA. Specifically, we’ll be using this repo: https://github.com/DoctorMcKay/node-steamcommunity.

$ git clone git@github.com:DoctorMcKay/node-steamcommunity.git
Cloning into 'node-steamcommunity'...
remote: Enumerating objects: 129, done.
remote: Counting objects: 100% (129/129), done.
remote: Compressing objects: 100% (84/84), done.
remote: Total 2124 (delta 72), reused 80 (delta 44), pack-reused 1995
Receiving objects: 100% (2124/2124), 421.43 KiB | 300.00 KiB/s, done.
Resolving deltas: 100% (1284/1284), done.
$ cd node-steamcommunity/examples
$ npm i
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
added 86 packages from 122 contributors and audited 86 packages in 2.386s

2 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ node enable_twofactor.js 
Username: my_test_account
Password: my_test_password
An email has been sent to your address at gmail.com
Steam Guard Code: A12TV
Logged on!
Writing secrets to twofactor_76561197960287930.json
Revocation code: R10111
SMS Code: 61361
Two-factor authentication enabled!

Congratulations! The hard part is done.

Grab the file that was generated and copy its contents into a file called <your_account_name>.json inside the secrets directory of the two-factor server.

$ mv twofactor_76561197960287930.json /var/www/html/steam-twofactor-server/secrets/gaben.json

Test that it worked by loading the project in your browser for that account: http://steam-secrets.local/steam_twofactor.php/code/gaben. If you see five random characters, then you’re done setting up the server.
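
How those five characters are derived, as an added example that is not code from the original post or from DoctorMcKay's repositories: a Steam Guard code is a TOTP (HMAC-SHA1 over the 30-second time counter) rendered in Steam's 26-character alphabet instead of decimal digits. The shared_secret field name is an assumption (the page does not show the file's contents), and the demo key is the RFC 4226 test key, not a real Steam secret.

```javascript
const nodeCrypto = require('node:crypto');

// Steam's 26-character code alphabet (digits 2-9 and selected consonants).
const STEAM_ALPHABET = '23456789BCDFGHJKMNPQRTVWXY';

// RFC 4226 dynamic truncation: HMAC-SHA1 over the 8-byte big-endian counter,
// then a 31-bit integer read at the offset given by the last byte's low nibble.
function truncate31(keyBytes, counter) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = nodeCrypto.createHmac('sha1', keyBytes).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  return mac.readUInt32BE(offset) & 0x7fffffff;
}

// Render the 31-bit value as five base-26 "digits", least significant first.
function encodeSteamCode(value) {
  let code = '';
  for (let i = 0; i < 5; i++) {
    code += STEAM_ALPHABET[value % STEAM_ALPHABET.length];
    value = Math.floor(value / STEAM_ALPHABET.length);
  }
  return code;
}

// sharedSecretB64: base64 "shared_secret" value from the secrets JSON
// (field name assumed, see lead-in).
// unixSeconds: the time to compute for; the code changes every 30 seconds.
function steamGuardCode(sharedSecretB64, unixSeconds = Math.floor(Date.now() / 1000)) {
  const key = Buffer.from(sharedSecretB64, 'base64');
  if (key.length === 0) throw new Error('shared secret decoded to zero bytes');
  return encodeSteamCode(truncate31(key, Math.floor(unixSeconds / 30)));
}

// Constructed demo key: the RFC 4226 test key, NOT a real Steam secret.
const DEMO_SECRET = Buffer.from('12345678901234567890').toString('base64');

console.log('code for t=59:', steamGuardCode(DEMO_SECRET, 59));
```

The code depends only on the shared secret and the clock, so read access to the secrets file is equivalent to holding the authenticator.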

Automate Code Entry

In order to enter the 2FA codes automatically, and to click the mobile trade confirmations, we’ll need a userscript. These are snippets of JavaScript that run locally in your browser when certain pages are accessed. You need a browser extension in order to run them, so ensure you have Greasemonkey (Firefox) or Tampermonkey (Chrome).

To install the userscript, load the following page in your browser after the extension is installed. https://github.com/DoctorMcKay/steam-twofactor-server/raw/master/userscript/Steam_Community_Mobile_Trade_Confirmations.user.js

Now go to https://steamcommunity.com/mobileconf/conf and paste the base URL of your 2FA server.

http://steam-secrets.local/steam_twofactor.php/

Now, whenever a two-factor prompt appears on Steam, you will automatically enter and submit the code as long as the account is found on that server.

Accepting Trades From Mobile

Bookmark the following page for whenever you need to approve a trade: https://steamcommunity.com/mobileconf/conf