Steam Guard Mobile

Steam have released a Beta version of a Steam Guard two-factor authenticator on their mobile app. Currently all users on the website and Steam client are verified using a email sent to their registered email address. The email contains a code, which when entered into the Steam website, authorizes the computer for access to that steam account.

With the release of the new Steam Guard mobile authenticator, users can instead open the app on their mobile device to see a decaying code, which can be used as the 2FA code for Steam or the Steam website.

Steam Guard

Steam Guard is currently in Beta, but access can be granted by joining the Steam Guard Mobile group and waiting for the next round of invites.

The Mobile Steam Guard uses a standard time-based one-time password (RFC 6238) to generate the hash from the user’s secret key. However, Steam’s implementation differs from the standard in generating the actual displayed code. Rather than creating a 6 or 8 digit base10 code, Steam keeps compatibility with their existing email codes to create a 5 character string. This string is created from a specific set of 26 letters or digits.

Adding Steam GuardSteam Guard is added by using the Steam app downloaded from the Android or iOS app stores, where it can be configured to use “codes by phone” rather than the previous “codes by email”.

The app uses Steam’s WebAPI to register the mobile device with the Steam servers and generates a key that is used as the input into the HMAC-SHA1 algorithm in order to generate the 5 digital alphanumeric string. As standard, the string appears for 30 seconds, although the implementations can give some flexibility in the acceptance of adjacent codes.

Since Steam are using a standard TOTP implementation, it can be added into WinAuth as a new authenticator type. Starting with the 3.2 Beta, Steam authenticators are now usable in WinAuth.

The Steam Guard authenticator is set up in WinAuth as if it were a new mobile device. The process, as in Steam’s own mobile app, requires a verification of a new device by sending a one-time code to the registered email address. The authenticator must also be activated by a further code again sent to the user’s email address.


The 3.2 Beta version of WinAuth can be downloaded from the Downloads pages.