Keepassxc: Steam Guard Support for TOTP

Created on 26 May 2017  路  19Comments  路  Source: keepassxreboot/keepassxc

Expected Behavior

Option to use steam's generation when setting up totp

Current Behavior

No option

Possible Solution

This has already been done as a plugin for the original keepass, so I would expect that since it is only an algorithm difference it shouldnt actually be too difficult.
link to mentioned project: https://github.com/victor-rds/KeeTrayTOTP

"The Mobile Steam Guard uses a standard time-based one-time password (RFC 6238) to generate the hash from the user鈥檚 secret key. However, Steam鈥檚 implementation differs from the standard in generating the actual displayed code. Rather than creating a 6 or 8 digit base10 code, Steam keeps compatibility with their existing email codes to create a 5 character string. This string is created from a specific set of 26 letters or digits."
https://winauth.com/2015/06/11/steam-guard-mobile/

Context

Currently stuck using my phone for totp on steam, which is certainly less than ideal, especially when I am often unable to access steam on it due to rom problems, so being able to access straight from my keepass vault would be awesome.

Your Environment


KeePassXC - Version 2.1.4
Revision: c3bd5d21aa239761f6c4998cc79f8846c10d6718

  • Qt 5.8.0
  • libgcrypt 1.7.6
    Operating system: Arch Linux
    CPU architecture: x86_64
    Kernel: linux 4.11.2-1-ck-haswell
TOTP
Source
picture ibrokemypie
👍7

Most helpful comment

I have this working. I'll open a PR for review soon.

picture joelsmith on 20 Nov 2017
🎉62

All 19 comments

The implementation in KeeTrayTOTP seems pretty trivial,
this is the Steam encoder and this is the Alphabet, the length is 5 and the step is 30 seconds

KeeTrayTOTP for Steam uses the TOTP Settings additional attributes but sets the digits value to S (so it knows it will use the Steam encoder and alphabet. Sadly we store the digits value in a QInt8 so we can really store it as S but I think -5 can be an alternative (5 is the real length, minus is for the Steam encoder).

Also should be nice to have a Steam option in the GUI for adding a new TOTP Token.

Can I assign this to you @weslly ?
Setting the Milestone to 2.3

TheZ3ro picture TheZ3ro on 26 May 2017
👍7

On a totally unrelated note: Does auto-type work for you guys in the steam client? It doesn't for me. It seems that {TAB} doesn't function properly so the password gets appended in the "Account name" field.

guihkx picture guihkx on 7 Jun 2017

@GUiHKX Works fine for me, have you tried setting a delay?

weslly picture weslly on 7 Jun 2017
👍2

Adding a 100ms delay worked! Thanks

guihkx picture guihkx on 8 Jun 2017

If you are on linux this was a known issue that i corrected for 2.2.0. Linux now has a default 25ms delay between key presses, same as win and mac.

droidmonkey picture droidmonkey on 8 Jun 2017
👍1

Oh... so that's it then. I'm on Linux indeed

guihkx picture guihkx on 8 Jun 2017

Any chance that Steam trade confirmations tool could make it into KPXC?

https://github.com/winauth/winauth#new-features - like this one

Currently I'm forced to use WinAuth which is Windows only, which is not ideal to me as all my devices run Linux.

EDIT: Separate issue here https://github.com/keepassxreboot/keepassxc/issues/948

C0rn3j picture C0rn3j on 14 Sep 2017

Please create a new issue for this.

droidmonkey picture droidmonkey on 14 Sep 2017

What's the status on this?

Xinayder picture Xinayder on 20 Nov 2017

Unfortunately this is not at the top of the priority list right now.

droidmonkey picture droidmonkey on 20 Nov 2017

Missing this feature is tearing me apart (WinAuth through WINE/VM is very annoying to use).

Is there a way to put something like $5 bounty on this feature so maybe some dev would be more willing to implement it sometimes this year?

C0rn3j picture C0rn3j on 20 Nov 2017

I still want to get this done before v2.3.0 is released, so it shouldn't take too long.

weslly picture weslly on 20 Nov 2017

I have this working. I'll open a PR for review soon.

joelsmith picture joelsmith on 20 Nov 2017
🎉62

I am currently implementing steam guard one time password support for a wearable device and am currently blocked on getting my hands on the secret key. How would one acquire the base32 secret key in case of the steam guard authenticator - the mobile app does not show it on setup?

BTW I love KeepassXC!

ch1bo picture ch1bo on 10 Mar 2018

@ch1bo https://github.com/victor-rds/KeeTrayTOTP/blob/master/README.md#steam-totp-secret

weslly picture weslly on 10 Mar 2018

@weslly thanks!

ch1bo picture ch1bo on 11 Mar 2018

Any chance to get the secret key for this to work with the steam mobile app on iphone?

OlliC picture OlliC on 22 Sep 2018

@OlliC Have you tried this? https://github.com/CaitSith2/ios-steamguard-extractor

weslly picture weslly on 24 Sep 2018

There's a note at https://github.com/CaitSith2/ios-steamguard-extractor saying that the secret key can't be extracted from iOS backups anymore. I was able to get the secret using this: https://steam.readthedocs.io/en/stable/api/steam.guard.html
Had to remove Steam Guard Mobile Authenticator first.

tim-tx picture tim-tx on 18 Nov 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

guihkx picture guihkx  路  3Comments
lostfictions picture lostfictions  路  3Comments
MisterY picture MisterY  路  3Comments
mstarke picture mstarke  路  3Comments
shyim picture shyim  路  3Comments