Valve are now testing a new version of the Steam app for Android and iOS, which comes with a much more modern design and a QR code login system too.
In the announcement, Valve say it has been rebuilt "on a new framework and modernized the design", joking that 2015 called and wanted their app back. As before, you can browse the store, get Steam Guard codes and confirm trades, but you now also get the brand new QR code sign-in system that many other applications offer (like Discord). So you can scan a code shown on the web with your phone, and not have to enter a password.
The new app also has smarter notifications, improved library views and multi-account support, which has become increasingly important, especially with the Steam Deck. There's a new Steam Group you can join to get updates on it.
I would have taken some shots, but seeing as I'm now on iOS myself, it's limited to 10,000 people and that filled up within seconds of the original announcements. Here's some shots from a reader on Android:
With that said, I hope it doesn't interfere with the current 2FA system too much - as with the current system I have it working in KeePassXC and don't require the app every time I need to login on my desktop (which is frequent due to my VPN)
So hopefully they haven't changed / altered the 2FA code system.
Quoting: belisama
So this is using a QR code to log into the website? Ugh, what's the point of that, logging into a real website on a real computer is easy. With something like KeePass, it's just a few keystrokes. What would actually be useful is using QR codes to log into phone apps, instead of having to do a prolonged, error-prone hunt-and-peck.
What you are avoiding isn't just the username/pass. It's the 2-factor code (which is also a pain in the butt).
Quoting: Hohlraum
What you are avoiding isn't just the username/pass. It's the 2-factor code (which is also a pain in the butt).
*shrug* Okay, offer it in both directions.
Quoting: CyborgZeta
So if I'm understanding this right, the new phone app comes with QR scanning you can use to log into said phone app...by scanning it with your phone. I could understand desktop Steam providing a QR code for scanning, but how do you scan the phone one if it's on your phone? I'm sure I've missed something really obvious here, so I hope a smarter one than I comes along to explain.
No, how it works is that you're already logged into your phone and then to log into the website (from a laptop or desktop computer) you scan the QR with your (logged in) phone.
Quoting: BlackBloodRum
Valve just remembered they have a mobile app!
Does that handle entering the code for you? That's pretty slick.
With that said, I hope it doesn't interfere with the current 2FA system too much - as with the current system I have it working in KeePassXC and don't require the app every time I need to login on my desktop (which is frequent due to my VPN)
So hopefully they haven't changed / altered the 2FA code system.
Quoting: Hohlraum
TOTP 2-factor authentication is not a pain if you use a good app (I use OTPClient and it's just 2 extra clicks.)
Quoting: belisama
So this is using a QR code to log into the website? Ugh, what's the point of that, logging into a real website on a real computer is easy. With something like KeePass, it's just a few keystrokes. What would actually be useful is using QR codes to log into phone apps, instead of having to do a prolonged, error-prone hunt-and-peck.
What you are avoiding isn't just the username/pass. It's the 2-factor code (which is also a pain in the butt).
Steam doesn't support TOTP though: they use their own nonstandard system. That seems like the real problem.
Quoting: RandomizedKirbyTree47
Steam doesn't support TOTP though: they use their own nonstandard system. That seems like the real problem.
It really is. They've no good reason for requiring a proprietary app just for MFA.
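How Steam Guard codes differ from standard TOTP, as an added example that is not part of the original thread and is not Valve's code. It assumes the Steam Guard encoding as implemented by open-source password managers (the same HMAC-SHA1 time-step truncation as RFC 6238, rendered as five characters from a 26-symbol alphabet instead of decimal digits) and uses the RFC 6238 test secret, not a real account key.

```python
import hashlib
import hmac
import struct

# Assumption: alphabet used by open-source Steam Guard implementations.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def truncated_hmac(secret: bytes, unix_time: int, step: int = 30) -> int:
    """HMAC-SHA1 over the RFC 6238 time counter, with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def totp_code(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Standard TOTP: the truncated value rendered as zero-padded decimal digits."""
    return str(truncated_hmac(secret, unix_time) % 10 ** digits).zfill(digits)


def steam_code(secret: bytes, unix_time: int, length: int = 5) -> str:
    """Steam-style code: the same truncated value rendered in base 26,
    least significant symbol first, using STEAM_ALPHABET."""
    value = truncated_hmac(secret, unix_time)
    symbols = []
    for _ in range(length):
        value, index = divmod(value, len(STEAM_ALPHABET))
        symbols.append(STEAM_ALPHABET[index])
    return "".join(symbols)


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    t = 59                                # RFC 6238 test time (counter = 1)
    print("standard TOTP :", totp_code(rfc_secret, t))
    print("Steam encoding:", steam_code(rfc_secret, t))
```

Both codes come from the same shared secret and clock, which is why a password manager that knows the alternate encoding can produce them once the secret has been exported from the app.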
Quoting: Guest
Can't wait for people to have their Steam accounts hacked because they used a QR code for logging in (it's too easy to spoof them).
If it is like the Discord one; the client will pop up the login box with a QR code (so it is generated by Valve). Then you would launch the Steam App on your mobile device to take a picture of the code on your monitor, then it authenticates through the app, telling the client you have authorized it to login.
So not sure where it would be able to spoof it, unless you went around using the app to scan things that are not the Steam client.
Quoting: slaapliedje
So not sure where it would be able to spoof it, unless you went around using the app to scan things that are not the Steam client.
First of all, never underestimate the wacky stuff users will do. Second, if it works on the website (or even if people just *expect* that it will), rather than just the dedicated client, then some sort of site spoofing could be possible. In any case, QR Code normalization is bad. I about died when they became the new hotness in restaurants during Covid.
Quoting: belisama
Oh, I agree with you. I was just posting how, in theory, it would work. I have been saying for many years that QR codes are a terrible idea and totally something that would be easy to exploit.
Quoting: slaapliedje
So not sure where it would be able to spoof it, unless you went around using the app to scan things that are not the Steam client.
First of all, never underestimate the wacky stuff users will do. Second, if it works on the website (or even if people just *expect* that it will), rather than just the dedicated client, then some sort of site spoofing could be possible. In any case, QR Code normalization is bad. I about died when they became the new hotness in restaurants during Covid.
Quoting: Philadelphus
Yup. But bear in mind it can be a little tricky getting your 2FA secret key out of the current Android app, as for the new one? No idea!
Quoting: BlackBloodRum
Valve just remembered they have a mobile app!
Does that handle entering the code for you? That's pretty slick.
With that said, I hope it doesn't interfere with the current 2FA system too much - as with the current system I have it working in KeePassXC and don't require the app every time I need to login on my desktop (which is frequent due to my VPN)
So hopefully they haven't changed / altered the 2FA code system.
With KeePassXC, once your 2FA is all set up in the DB, you can just have autotype set to:
{USERNAME}{TAB}{PASSWORD}{ENTER}{DELAY 9999}{TOTP}{ENTER}
(Long delay because it likes to take its time to show the 2FA input box sometimes.)
So I just clear the username field, hit "perform auto type" and poof I'm logged back in.
Now if Valve support YubiKeys on the other hand.. that would be great, considering how much value could potentially be held in an account due to the games!
(Thankfully not my account. My account only has around 360 games or so, so it's not worth stealing to anyone.)
Last edited by BlackBloodRum on 25 August 2022 at 10:44 pm UTC
Quoting: belisama
So this is using a QR code to log into the website? Ugh, what's the point of that, logging into a real website on a real computer is easy.
You have to understand that games like Dota and Counter Strike are (were? it's been a while) VERY popular in Asia, where you play them in net cafe/PC rental shop. This would make it so much more convenient and secure in those environments.
You might have a better threat model, in which case that's cool, but this is a good feature to have in those environments and would only help.
Besides, as someone who often got logged out due to VPN stuff, this would be handy for me too even if I have Bitwarden, since I wouldn't have to open my browser.
For anyone reading comments to find out what the new app is like, it is SO much better! Much more responsive and it is very well organized. It's been long overdue and it is such a welcome change. The left to right scrolling through games (at least on the Great on Deck page) is a little buggy so hopefully they sort that out soon. Discovery Queue needs some work too. Beta, folks, beta!
The QR code login worked flawlessly for me. My extensive library loads near instantly now, whereas on the old app I'd have to shave my beard several times before seeing it pop up. You can currently sort your library by name, playtime or recent but it doesn't look like they have added any custom collections as of yet.
Wishlist lets you sort by all the same things the desktop client does, whereas in the old app, sorting was more limited (for instance sorting by discount % was missing).
Wishlist also lets you filter games by platform, Deck Compatibility (Playable, and/or Verified), and numerous other options.
There are settings for notifications so you can select what type you'd like to receive or block - receiving a gift, discussion replies, new inventory items, friend invitations, major sales, prepurchased game is available to preload, and of course, when wishlist items go on sale.
As in the desktop client you can select your Home Screen, albeit with some different choices than on desktop, e.g. Store, News, Steam Guard, Notifications.
In general the app seems as full featured as the desktop client. A very welcome change! Keep in mind it is only in beta so expect bugs and changes. I'd say it is already less buggy than the existing app though, so don't be afraid to give it a try because of UI bug worries.
Quoting: wit_as_a_riddle
So, any of you security experts actually try the app? 🤣🤣🤣
Well, I tried it after your comment and now I will take a look at how to get rid of it again.
It's got severely longer loading times than the old one on my mobile. It shows me lots of crap I don't care for, and what I actually care for, new discussion posts, is a) well hidden, b) hardly set apart from old discussions and c), when I choose a thread with new posts, it loads quite some seconds just to not bring me to the first new item. I'd rather use the web site on my mobile browser than this.
Last edited by Eike on 31 August 2022 at 9:30 am UTC