<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	
	xmlns:georss="http://www.georss.org/georss"
	xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
	>

<channel>
	<title>Steam Guard &#8211; Jake Forrester</title>
	<atom:link href="https://www.jakeforrester.com/tag/steam-guard/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.jakeforrester.com</link>
	<description>Personal Blog</description>
	<lastBuildDate>Fri, 28 Aug 2020 18:42:04 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.6.2</generator>

<image>
	<url>https://www.jakeforrester.com/wp-content/uploads/2020/08/cropped-seems_potato_jake-32x32.png</url>
	<title>Steam Guard &#8211; Jake Forrester</title>
	<link>https://www.jakeforrester.com</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">181047172</site>	<item>
		<title>Never Enter A Steam Two-Factor Code Again</title>
		<link>https://www.jakeforrester.com/2020/08/28/never-enter-a-steam-two-factor-code-again/</link>
					<comments>https://www.jakeforrester.com/2020/08/28/never-enter-a-steam-two-factor-code-again/#respond</comments>
		
		<dc:creator><![CDATA[Jake]]></dc:creator>
		<pubDate>Fri, 28 Aug 2020 18:37:40 +0000</pubDate>
				<category><![CDATA[Steam]]></category>
		<category><![CDATA[2FA]]></category>
		<category><![CDATA[Mobile Confirmation]]></category>
		<category><![CDATA[Steam Guard]]></category>
		<category><![CDATA[Two-Factor]]></category>
		<guid isPermaLink="false">https://www.jakeforrester.com/?p=82</guid>

					<description><![CDATA[Trading on Steam has gone from a wonderful community-oriented experience, to a major hassle. Not only are there at least sixteen different reasons you might not be able to trade, but you also need to install Steam&#8217;s proprietary two-factor auth app to your phone before you can confirm any trades. The process is very cumbersome&#8230;]]></description>
										<content:encoded><![CDATA[
<p>Trading on Steam has gone from a wonderful community-oriented experience to a major hassle.  Not only are there at least <a href="https://support.steampowered.com/kb_article.php?ref=1047-EDFM-2932">sixteen different reasons you might not be able to trade</a>, but you also need to install Steam&#8217;s <a href="https://support.steampowered.com/kb_article.php?ref=4020-ALZM-5519">proprietary two-factor auth app</a> on your phone before you can confirm any trades.</p>



<p>The process is very cumbersome for anyone who trades frequently, and it&#8217;s even worse for anyone doing development on the platform who needs to test things where multiple accounts are exchanging items.</p>



<p>Luckily, there&#8217;s a way around all of this.  It will require a bit of work up-front though, and isn&#8217;t exactly the most secure solution if your local computer is shared.</p>



<p>First, we need a way to generate the one-time-use two-factor codes the same way the Steam app does. </p>



<h2 class="wp-block-heading">Set Up The 2FA Server</h2>



<p>Dr. McKay has created a mimicked version of the Steam Guard 2FA app.  You can run the server as either a node.js application, or my own personal preference, a PHP application (since my workstation is already running nginx/php).  Clone the repo from here: <a href="https://github.com/DoctorMcKay/steam-twofactor-server">https://github.com/DoctorMcKay/steam-twofactor-server</a>.  </p>



<p class="has-white-color has-vivid-cyan-blue-background-color has-text-color has-background"><em>Note: My workstation is running Linux (Fedora).  The concepts apply everywhere, but your setup steps may differ.</em></p>



<p>I edited my <code>/etc/hosts</code> file to point <code>steam-secrets.local</code> to <code>127.0.0.1</code>, and the nginx config to match.</p>



<pre title="/etc/hosts" class="wp-block-code"><code class="">127.0.0.1 steam-secrets.local</code></pre>



<pre title="/etc/nginx/conf.d/steam-secrets.local.conf" class="wp-block-code"><code lang="bash" class="language-bash">server {
    listen 80;
    index index.php index.html;
    server_name steam-secrets.local;
    root /var/www/html/steam-twofactor-server;

    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST' always;
    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;

    location ~ \.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        # Make sure that the base script exists
        if (!-f $document_root$fastcgi_script_name) {
                return 404;
        }

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
}</code></pre>



<p>When you&#8217;re done following the readme, test it by hitting: <a href="http://steam-secrets.local/steam_twofactor.php/code/test">http://steam-secrets.local/steam_twofactor.php/code/test</a>.  The response should error with:<br><code>No secret is available for that account</code>.</p>



<h2 class="wp-block-heading">Prepare For Steam Guard</h2>



<p>Before you can enable Steam Guard, you need a phone number attached to your account.  You can attach the same phone number to multiple accounts (there&#8217;s a limit per-month for the same number, but it&#8217;s relatively high&#8211;somewhere around 30). </p>



<ol class="wp-block-list"><li>Log in to the account on Steam</li><li>Go to <a href="https://store.steampowered.com/account/">Account Settings</a></li><li>Ensure your email address is validated.  If not, validate it from this same page before continuing.</li><li>Under <strong>Contact Info</strong>, click <strong>Add a phone number</strong></li><li>Check your email and click <strong>Add phone number</strong> within the email</li><li>Close the new window, open the original tab with the account settings and enter the 5-digit code texted to you</li><li>Press <strong>Done</strong></li></ol>



<p>Now your account meets the requirements to run the mobile authenticator.</p>



<h2 class="wp-block-heading">Enable Steam Guard</h2>



<p>In order to use the 2FA server, we need to get the client secret.  This is only given during the setup process and you can never fetch the info from Steam again.</p>



<p>In my case, I&#8217;m using some alts just for trading so I&#8217;ll be setting them up from scratch.  If you&#8217;re using your main account and want the Steam Guard code from your phone, good luck.  You&#8217;ll need to have the phone rooted and search through the Steam authenticator files.</p>



<p>Regardless of whether or not you used PHP for the server, we will be using node to make the requests for setting up 2FA.  Specifically, we&#8217;ll be using this repo: <a href="https://github.com/DoctorMcKay/node-steamcommunity">https://github.com/DoctorMcKay/node-steamcommunity</a>.</p>



<pre class="wp-block-preformatted"><strong>$ git clone git@github.com:DoctorMcKay/node-steamcommunity.git
</strong>Cloning into 'node-steamcommunity'...
remote: Enumerating objects: 129, done.
remote: Counting objects: 100% (129/129), done.
remote: Compressing objects: 100% (84/84), done.
remote: Total 2124 (delta 72), reused 80 (delta 44), pack-reused 1995
Receiving objects: 100% (2124/2124), 421.43 KiB | 300.00 KiB/s, done.
Resolving deltas: 100% (1284/1284), done.
<strong>$ cd node-steamcommunity/examples
$ npm i</strong>
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
added 86 packages from 122 contributors and audited 86 packages in 2.386s

2 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

<strong>$ node enable_twofactor.js 
</strong>Username: my_test_account
Password: my_test_password
An email has been sent to your address at gmail.com
Steam Guard Code: A12TV
Logged on!
Writing secrets to twofactor_76561197960287930.json
Revocation code: R10111
SMS Code: 61361
Two-factor authentication enabled!</pre>



<p>Congratulations!  The hard part is done.</p>



<p>Grab the file that was generated and copy its contents into a file called <code>&lt;your_account_name&gt;.json</code> inside the secrets directory of the two-factor server.</p>



<pre class="wp-block-code"><code class="">$ mv twofactor_76561197960287930.json /var/www/html/steam-twofactor-server/secrets/gaben.json</code></pre>



<p>Test that it worked by loading the project in your browser for that account: <a href="http://steam-secrets.local/steam_twofactor.php/code/gaben">http://steam-secrets.local/steam_twofactor.php/code/gaben</a>.  If you see five random characters, then you&#8217;re done setting up the server.</p>
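
<p>As configured above, nginx listens on port 80 on every interface and serves anything under the document root as a static file, which includes the <code>secrets/</code> directory that now holds the account&#8217;s two-factor secret. The following hardened version of the same server block is an added example, not part of the original setup or of the steam-twofactor-server project; it binds to loopback only and refuses HTTP requests for <code>secrets/</code>, on the assumption that the PHP script reads the secret files from disk and is therefore unaffected.</p>

```nginx
server {
    # Loopback only: the original "listen 80;" accepts connections on every
    # interface, so other hosts on the network could reach this server.
    listen 127.0.0.1:80;
    index index.php index.html;
    server_name steam-secrets.local;
    root /var/www/html/steam-twofactor-server;

    # CORS headers, unchanged from the original configuration.
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST' always;
    add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;

    # The secret files live under the document root. Without this block a
    # request for /secrets/<account>.json is answered with the raw file.
    # "^~" stops nginx from evaluating the regex location below for this prefix.
    # Assumption: the PHP script opens these files from disk, not over HTTP.
    location ^~ /secrets/ {
        return 404;
    }

    # PHP handling, unchanged from the original configuration.
    location ~ \.php(/|$) {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        # Make sure that the base script exists
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
}
```

<p>After reloading nginx, <code>http://steam-secrets.local/secrets/gaben.json</code> should return a 404 while <code>http://steam-secrets.local/steam_twofactor.php/code/gaben</code> still returns a code.</p>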



<h2 class="wp-block-heading">Automate Code Entry</h2>



<p>In order to enter the 2FA codes automatically, and to click the mobile trade confirmations, we&#8217;ll need a userscript.  These are snippets of JavaScript that run locally in your browser when certain pages are accessed.  You need a browser extension in order to run them, so ensure you have <a rel="noreferrer noopener" href="https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/" target="_blank">Greasemonkey</a> (Firefox) or <a rel="noreferrer noopener" href="https://chrome.google.com/webstore/detail/tampermonkey/dhdgffkkebhmkfjojejmpbldmpobfkfo?hl=en" target="_blank">Tampermonkey</a> (Chrome).</p>



<p>To install the userscript, load the following page in your browser after the extension is installed. <a rel="noreferrer noopener" href="https://github.com/DoctorMcKay/steam-twofactor-server/raw/master/userscript/Steam_Community_Mobile_Trade_Confirmations.user.js" target="_blank">https://github.com/DoctorMcKay/steam-twofactor-server/raw/master/userscript/Steam_Community_Mobile_Trade_Confirmations.user.js</a></p>



<p>Now go to <a href="https://steamcommunity.com/mobileconf/conf">https://steamcommunity.com/mobileconf/conf</a> and paste the base URL of your 2FA server.</p>



<pre class="wp-block-code"><code class="">http://steam-secrets.local/steam_twofactor.php/</code></pre>



<div class="wp-block-image"><figure class="aligncenter size-large"><img fetchpriority="high" decoding="async" width="446" height="215" src="https://www.jakeforrester.com/wp-content/uploads/2020/08/image-2.png" alt="" class="wp-image-95" srcset="https://www.jakeforrester.com/wp-content/uploads/2020/08/image-2.png 446w, https://www.jakeforrester.com/wp-content/uploads/2020/08/image-2-300x145.png 300w" sizes="(max-width: 446px) 100vw, 446px" /></figure></div>



<p>Now, whenever a two-factor prompt appears on Steam, the code will be entered and submitted automatically, as long as the account is found on that server.</p>



<h2 class="wp-block-heading">Accepting Trades From Mobile</h2>



<p>Bookmark the following page for whenever you need to approve a trade: <a href="https://steamcommunity.com/mobileconf/conf">https://steamcommunity.com/mobileconf/conf</a></p>



<figure class="wp-block-image size-large"><img decoding="async" width="596" height="196" src="https://www.jakeforrester.com/wp-content/uploads/2020/08/image.png" alt="" class="wp-image-92" srcset="https://www.jakeforrester.com/wp-content/uploads/2020/08/image.png 596w, https://www.jakeforrester.com/wp-content/uploads/2020/08/image-300x99.png 300w" sizes="(max-width: 596px) 100vw, 596px" /></figure>
]]></content:encoded>
					
					<wfw:commentRss>https://www.jakeforrester.com/2020/08/28/never-enter-a-steam-two-factor-code-again/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">82</post-id>	</item>
	</channel>
</rss>