Steam Guard/Why you should be using two-factor authentication (and why it's still annoying)

Published October 11, 2012

If, like me, you've been on Steam for a good number of years, you might have found that somehow you've got a fairly large amount of money tied up in it. Which is bad, because in essence, it's just another online service, and those things get hacked all the time...

The good news is they usually get hacked because users are careless, not because they're intrinsically insecure.

Steam Guard (SG) is additional protection in the form of two-factor authentication. It helps with the 'users are careless' problem by making it harder to be careless enough to lose your account.

Two-factor authentication is commonly referred to as "something you have, and something you know". The latter is easy, a password. The 'have' in the case of SG is an email address. The basic premise is this: you log in with your password, and if your device/browser is unrecognised, it will also ask you to authenticate yourself by email (i.e. it will send you a code and ask you to input it as part of the login).

This is a pain, because it increases the difficulty of logging in, and there are times that Steam will take a long time to send you the email (particularly during sales). So it's wise to make sure your computer is authenticated long before there's a flash sale you're interested in.

But overall it's definitely a good idea to use Steam Guard, because a Steam account can potentially become quite valuable, and you'll want to keep it protected the best you can.

Finally, a standard piece of advice about passwords: Don't use the same password on your email account and Steam, for obvious reasons - if a hacker gets your Steam password, Steam Guard isn't going to stop them if they find they also have your email password.
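The login flow described above can be sketched in a few lines. This is an added example, not Steam's code: the class name, the six-digit code format, the ten-minute lifetime and the `outbox` list standing in for your mailbox are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 600  # assumed: seconds an emailed code stays valid

class GuardedLogin:
    """Illustrative model of password + emailed-code login (not Steam's code)."""

    def __init__(self):
        self.users = {}    # name -> (salt, password hash)
        self.trusted = {}  # name -> set of hashed device tokens
        self.pending = {}  # name -> (code, expiry time)
        self.outbox = []   # (name, code) pairs; stands in for the user's mailbox

    @staticmethod
    def _pw_hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _fingerprint(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, name, password):
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, self._pw_hash(password, salt))
        self.trusted[name] = set()

    def login(self, name, password, device_token=None, code=None, now=None):
        """Return (status, device_token); status is 'denied', 'code_sent' or 'ok'."""
        now = time.time() if now is None else now
        if name not in self.users:
            return "denied", None
        salt, stored = self.users[name]
        if not hmac.compare_digest(stored, self._pw_hash(password, salt)):
            return "denied", None          # first factor failed
        if device_token and self._fingerprint(device_token) in self.trusted[name]:
            return "ok", device_token      # recognised device: no email round trip
        if code is None:                   # unrecognised device: mail a fresh code
            fresh = f"{secrets.randbelow(10**6):06d}"
            self.pending[name] = (fresh, now + CODE_TTL)
            self.outbox.append((name, fresh))
            return "code_sent", None
        expected, expiry = self.pending.pop(name, (None, 0))  # one attempt per code
        if (expected is None or now > expiry
                or not hmac.compare_digest(expected.encode(), code.encode())):
            return "denied", None
        token = secrets.token_urlsafe(32)  # remember this device from now on
        self.trusted[name].add(self._fingerprint(token))
        return "ok", token
```

Whoever knows the password and can also read the mailbox (`outbox` here) passes both checks, which is why reusing one password for both accounts defeats the second factor.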

Talk is cheap

I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you, use it; it is worth the time and effort to have the confidence that your account won't get hacked and your sites are not up for grabs. If you opt into 2FA, you will have to "Confirm your phone". You would receive a text message with a specific code to be entered into the system. If you don't want to do this every single time, you can designate your smartphone, PC, or tablet as a trusted device and they will allow you to telesign in without the text code. Should an attempt to log in from an unrecognized device happen, it would not be allowed.

– 16:58:17 12th October 2012