Steam OTP

The following instructions allow you to add Steam to your Yubikey's TOTP list via Yubikey Authenticator.

❊ What is Steam?

Steam is a video game digital distribution service and storefront by Valve. It was launched as a software client in September 2003 as a way for Valve to provide automatic updates for their games, and expanded to distributing and offering third-party game publishers' titles in late 2005.

One of the main security features of Steam is known as Steam Guard. This service allows you to add extra protection to your account and relies on installing a mobile program called Steam Guard Mobile Authenticator.

❊ Steam Guard Mobile Authenticator

Steam Guard is the Two-Factor authentication system you can enable to protect your Steam account. It works exactly as any 2FA protection, except that the One-Time Passwords are generated by the Steam Guard Mobile Authenticator only (or received by e-mail).

As Steam does not provide a standard way to use an alternative OTP app like 2FAuth, Authy, or Google Authenticator, the workaround is to extract the OTP secret with a third-party app. Once recovered, you will be able to use 2FAuth in place of the Steam Mobile Authenticator.

❊ Steam Secret Key

The Steam secret key is the key the mobile authenticator uses to generate an OTP every 30 seconds. Steam does not provide an easy way to view your Steam secret, and frankly they don't want you to have it. However, once you obtain your Steam secret, you can use it to add your Steam account to any authenticator, including the Yubikey.

❊ Obtaining Steam Secret Key

Your steam secret key should be kept secret. Under no circumstances should you EVER give out your Steam Secret Key to anyone, for any reason.

If someone obtains your Steam secret, they can generate OTP codes and give themselves access to your Steam account.

Since Steam does not want you having your secret key, we need to utilize a program called Steam Desktop Authenticator (SDA). This is a free open-source application that has been around for years and is trusted. Using this application will allow you to obtain the secret key needed.

DANGER: Recently there have been fake versions of SDA floating around that will steal your Steam account. Never download SDA from any place other than the official GitHub repo!

The direct download above has been taken right from the repo.

Download From Github

Download the latest version of SDA from the official Github page.

Direct Download

You may also get the direct download below.

Once you have downloaded SDA from the links above, extract the zip somewhere on your computer.

Before continuing, you must disable the Steam Guard feature of your Steam account. If you already have Steam Guard enabled and attempt to use SDA, you will be presented with the following error:

Once everything is done, launch Steam Desktop Authenticator.exe

The application may install a few libraries that are required for the program to run:

After the application launches, you'll be presented with the following options:

Read the options, and select which scenario fits you best. Some of you may have already used this program before.

For most people, you'll want to select "This is my first time and I just want to sign into my Steam Account(s)".

You will be presented with the main interface:

Which will ask you for your Steam login credentials:

Ensure you downloaded SDA from the links above. Do not enter your login information until you are sure you have the correct application. As stated before, there are fake versions going around. The official link and the direct download above are the only official sources.

Continue with the setup by signing in. It may ask you to verify adding the Steam Guard service to your account by sending you an email that you must click on.

My Steam account currently has Steam Guard enabled and I have it configured with my authenticators, so I can't show each step; otherwise I'd have to unlink Steam Guard and then update all my OTP programs again.

It is easy to follow, so you should have no issues.

After adding your steam account to SDA, you should start generating OTP codes:

Go back to the folder where you placed SDA. Then click on the maFiles folder. You should see a .maFile file which is named with your Steam64 ID.

Open the .maFile in a text editor.

For this example, I have "beautified" mine so that it's easier to read.

If the code is too difficult to read with everything being on one line or word-wrapped, you can use an online JSON Beautifier available here.

Paste your code inside the beautifier and then press "Beautify".

This tool will format your JSON file in a more human readable format.

{
    "shared_secret": "H26A/2BAH2L5kL2G56EpDkAk/ag=",
    "serial_number": "11145234561356781234",
    "revocation_code": "RAAA0A",
    "uri": "otpauth://totp/Steam:YourSteamUsername?secret=BAFR25G2EHFEGHFA346F572AVGQ256F6&issuer=Steam",
    "server_time": 1000000000,
    "account_name": "YourSteamUsername",
    "token_gid": "1a123456789ae123",
    "identity_secret": "AEF3DQxz14zfG26A4gh4H25e6fs=",
    "secret_1": "2d42d4g52G35A2FA2F123AguUj5=",
    "status": 1,
    "device_id": "android:47769b96-1111-aaaa-9999-234e23a5eb24",
    "fully_enrolled": true,
    "Session": {
        // hidden
    }
}

In your maFile, locate the shared_secret:

"shared_secret": "H26A/2BAH2L5kL2G56EpDkAk/ag="

Write the shared_secret down or store it in a password manager like Bitwarden or KeePassXC. We need the shared secret to give us the ability to use our Yubikey to sign into Steam.

Next, we need to convert the shared secret to get your actual secret key. To do this, take the text in the shared_secret above and run it through a few tools.

The instructions below require you to go to a few websites and convert the shared_secret from base64 to hex to base32.

If you do not want to do these steps, there's a pre-made tool that is already configured to do the conversion for you.

Use the tool below and paste your shared_secret in the top right box. Your actual steam secret will be provided in the bottom right box.

View Online Tool Here

For more information on this method, see the section Converting Base64 Shared Secret.

If you do not want to use the online tool provided above, follow these instructions:

Copy the shared secret in the maFile, then go to Base64 to Hex converter website here.

Paste your steam shared_secret in the top box labeled Base64. Press the Convert Base64 to Hex button and your Hex should be provided in the Hex box at the bottom.

For my example, it converted H26A/2BAH2L5kL2G56EpDkAk/ag= to the hex 1f6e80ff60401f62f990bd86e7a1290e4024fda8

Next, convert the Hex string to Base32. You can do this by visiting the Hex to Base32 converter website here.

Paste your Hex value into the far left box, and then the far right box should automatically give you a Base32 value.

To summarize:

  • Copy the Base64 shared_secret given in the maFile.

  • Convert the Base64 shared_secret to Hex.

  • Convert the Hex to Base32.

The Base32 string is your actual secret that you will use with your authenticators. In our example, we're given the value D5XIB73AIAPWF6MQXWDOPIJJBZACJ7NI

This value should also be saved in a private place. The original shared_secret that you saved is no longer needed unless you lose your actual secret one day and need to convert it again.

We've done quite a bit, but we're almost done.

❊ Adding Steam to Yubikey

If you do not have the Yubikey Authenticator and Yubico Manager installed, you will need to install them now. If you don't have a Yubikey at all, you can add your Steam account to programs such as KeePassXC and Bitwarden by following steps similar to those below.

Now that we have our Steam secret key, add it to a Yubikey.

You cannot add Steam to your Yubikey from the Yubikey Authenticator app, because Steam OTP codes are 5 digits.

Yubico Authenticator only gives the option to add 6 and 8 digit codes.

We need to utilize the command-line and manually add Steam to our Yubikey.

Launch Powershell, Command Prompt, or Terminal.

Change directories to your Yubikey Manager program path with the following command:

cd "C:\Program Files\Yubico\YubiKey Manager"

Add your Steam account by typing:

ykman oath accounts add STEAMNAME -i Steam

Change STEAMNAME to your steam account name. Don't edit anything else.

You will be prompted to enter your Steam Secret Key, which is what we converted earlier from our shared_secret.

My Steam secret is D5XIB73AIAPWF6MQXWDOPIJJBZACJ7NI. Yours will be different.

It might prompt for a password. If so, enter the OATH password you configured in the Yubikey Authenticator program.

Steam will be added to your Yubico Authenticator app.

Now launch Yubico Authenticator.

If you have a password enabled for Yubico Authenticator, enter it:

You should now see Steam in your authenticator list:

Every time you sign into Steam, you can launch the Yubico Authenticator and retrieve your 5 digit OTP code.

❊ Converting Base64 Shared Secret

In the instructions above, we ask you to go to several websites. There's an easier alternative which makes it a whole lot simpler, thanks to the program CyberChef.

CyberChef is an online utility which allows you to convert many different strings. I have prepared a URL which automatically sets up the application so that you only need to paste in your shared secret.

Click here to access the converter

In the tool, ignore everything on the left; it has been set up for you.

You only need to paste your shared_secret in the top right box, and your actual steam secret will be output in the bottom right box:

The program does all of the conversions.

Then copy the secret key in the bottom right box, and use that with the instructions in the Adding Steam to Yubikey section.

The website is trustworthy and does not record information you provide. However, there is also the option to download the actual program, extract it to your computer, and open the provided HTML file to do everything locally.

CyberChef (Github)
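The Base64 to Hex to Base32 conversion described in the manual steps and in the CyberChef section above can also be run offline, so the secret never has to be pasted into a web page. This is an added example, not code from the original page or from SDA: the function names and the 20-byte length check are assumptions, the sample is the example shared_secret printed on this page, and steam_guard_code follows the commonly documented Steam Guard scheme (HMAC-SHA1 TOTP mapped onto a 26-character alphabet) so its output can be compared with the code SDA shows.

```python
import base64
import hashlib
import hmac
import json
import struct

# Alphabet Steam Guard draws its 5-character codes from.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"

# Constructed sample: the example shared_secret printed on this page.
SAMPLE_MAFILE = '{"shared_secret": "H26A/2BAH2L5kL2G56EpDkAk/ag=", "account_name": "YourSteamUsername"}'


def shared_secret_to_base32(shared_secret_b64):
    """Base64 -> raw bytes -> Base32; same result as Base64 -> Hex -> Base32."""
    raw = base64.b64decode(shared_secret_b64, validate=True)
    # Assumption: a 20-byte secret, as in the page's example. Any other
    # length usually means the value was cut short while copying.
    if len(raw) != 20:
        raise ValueError(f"expected 20 bytes, got {len(raw)}")
    return base64.b32encode(raw).decode("ascii")


def base32_from_mafile(mafile_text):
    """Read shared_secret out of the maFile JSON and convert it."""
    return shared_secret_to_base32(json.loads(mafile_text)["shared_secret"])


def steam_guard_code(secret_b32, unix_time):
    """Code for the 30-second window that contains unix_time."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // 30)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, as in RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    chars = []
    for _ in range(5):
        value, index = divmod(value, len(STEAM_ALPHABET))
        chars.append(STEAM_ALPHABET[index])
    return "".join(chars)


if __name__ == "__main__":
    import time
    secret = base32_from_mafile(SAMPLE_MAFILE)
    print("Base32 secret:", secret)
    print("Current code: ", steam_guard_code(secret, int(time.time())))
```

To use it on a real account, pass the contents of your own .maFile to base32_from_mafile instead of the sample.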
