Remove support for Steam OTP
Summary
Steam no longer supports TOTP exclusively without using the mobile app for some operations. Removing this feature from KeePassXC will greatly simplify our TOTP implementation.
Huh? Steam still supports TOTP.
Reference issue: https://github.com/keepassxreboot/keepassxc/issues/8080
You can't just use the TOTP code to be successful. The mobile app is required. There is no reason for KeePassXC to support this feature anymore. Further, it is nearly impossible to extract the secret without rooting your phone. Overall, this never should have been supported.
TOTP from KeePassXC still does work fine for logging in to Steam and the mobile app has an alternative: https://github.com/Jessecar96/SteamDesktopAuthenticator
I don't know what the future will be for this task, but I want to thank the maintainers for supporting the Steam OTP feature 👍🏻 It was very helpful for me, even though it seemed to be not very maintainable because of differences from usual TOTPs.
I might not touch it for now, just tracking what might eventually become an app-only 2FA for Steam.
The Steam TOTP feature is why I chose KeePassXC, and still works great. The only thing people have to do is use a program like the one mentioned above (Steam Desktop Authenticator) to grab your Steam account's shared secret, then convert from Base64 -> Hex, and then from Hex to Base32.
You then take that result and plug it into KPXC and it generates codes perfectly fine.
Yeah, please don't remove that. It's working great and is a huge reason why I use KeePassXC. Because of this, I haven't used the Steam mobile authenticator in ages, and don't want to. I use that feature alone a crap-ton a week.
In regards to a notification being sent if you change your email, that may be the case for some, but I haven't changed my email in years, so I've never crossed paths with it. And if I needed to, I have SDA to do that real quick. I use it for signing in, and that works perfectly.
Just my 2 cents: I recently migrated my Steam Guard from the WinAuth application (which isn't updated anymore) to KeePassXC. During the reregistration I had to use the following tool: https://github.com/dyc3/steamguard-cli. Afterwards I manually copied the secret from the maFile that was created by the tool. This secret worked perfectly fine in KeePassXC and it's no problem using KeePassXC now for generating the OTPs. Please keep this feature.
Yup that's my opinion as well. Steam is a hot mess.
Steam is a hot mess, but the KPXC Steam support still works and I utilize it almost every other day. It was the primary reason for migrating to KeePassXC.
Then if I need to remove 2FA for some reason, I use SDA or https://github.com/dyc3/steamguard-cli.
Unfortunately, should Steam be removed from KP, then I'll either have to stick to an older version of KP, or switch completely over to Yubikey.
I'm not touching it for now, don't worry 😉
The only thing people have to do is use a program like the one mentioned above (Steam Desktop Authenticator) to grab your Steam account's shared secret, then convert from Base64 -> Hex, and then from Hex to Base32.
This method does not work. It does not work. It turns out to be the same base32 as in the maFile. Exactly the same as https://github.com/dyc3/steamguard-cli
I assume that in KeePassXC this works with the old mafiles.
@1KELER1
I just set up TOTP for Steam in KeePassXC using the steamguard-cli. It works perfectly fine with KeePassXC and on Android with KeePassDX as well.
All I had to do is copy & paste the secret from within the <steamAccountName>.maFile that is in the query parameter to the otpauth URL. No conversion / de-/encoding needed.
So it's definitely not a problem with KeePassXC.
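Added example, not part of the thread and not KeePassXC's own code: the two routes to the secret discussed above (Base64 shared secret converted to Base32, and the secret read straight from the otpauth URL) and how a Steam-style code differs from a usual TOTP code. The sample secret and URI are constructed from the RFC 6238 test key, and the 26-symbol alphabet is the one commonly documented for Steam Guard, taken here as an assumption.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Assumption: the 26-symbol alphabet commonly documented for Steam Guard codes.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"
# Constructed sample: the RFC 6238 test key, not a real Steam secret.
SAMPLE_B64 = "MTIzNDU2Nzg5MDEyMzQ1Njc4OTA="
SAMPLE_URI = "otpauth://totp/Steam:example?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Steam"

def b64_to_b32(secret_b64):
    """Base64 -> raw bytes -> Base32; the hex step is only a view of the raw bytes."""
    raw = base64.b64decode(secret_b64, validate=True)
    return base64.b32encode(raw).decode("ascii")

def secret_from_otpauth(uri):
    """Return the Base32 secret already carried in an otpauth:// URI."""
    parsed = urlparse(uri)
    values = parse_qs(parsed.query).get("secret")
    if parsed.scheme != "otpauth" or not values:
        raise ValueError("not an otpauth URI with a secret parameter")
    return values[0].upper()

def truncated_hmac(secret_b32, unix_time, period=30):
    """RFC 4226 dynamic truncation of HMAC-SHA1 over the time-step counter."""
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8), casefold=True)
    digest = hmac.new(key, struct.pack(">Q", unix_time // period), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF

def rfc6238_code(secret_b32, unix_time, digits=6):
    """Usual TOTP: the truncated value as zero-padded decimal digits."""
    return str(truncated_hmac(secret_b32, unix_time) % 10 ** digits).zfill(digits)

def steam_code(secret_b32, unix_time):
    """Steam variant: same truncated value, written as 5 symbols of STEAM_ALPHABET."""
    value, out = truncated_hmac(secret_b32, unix_time), []
    for _ in range(5):
        value, index = divmod(value, len(STEAM_ALPHABET))
        out.append(STEAM_ALPHABET[index])
    return "".join(out)

if __name__ == "__main__":
    secret = b64_to_b32(SAMPLE_B64)
    assert secret == secret_from_otpauth(SAMPLE_URI)  # both routes give one secret
    print(secret, rfc6238_code(secret, 59), steam_code(secret, 59))
```

If the value copied from the maFile already decodes as Base32 (as the secret in an otpauth URL does), no conversion is needed; only a Base64 value has to go through `b64_to_b32`.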