If you're looking into automating transactions in your Steam Account using Steam Bots, you most likely will need:
- To have TOTP ("MFA" or "2FA") enabled via Steam Authenticator (Steam Guard)
- To have on hand both the shared secret and the identity secret
Having Steam Guard enabled for your Steam Account (1.) ensures that there will be no holds on transactions such as trades. Having the shared and identity secrets (2.) is necessary for complete autonomy of your Steam Bot, meaning it won't require any human interaction from you.
There is a tremendous lack of information about all of this, as Steam does not provide official support for implementing Steam Bots. The information in this guide was gathered through lots of blood, sweat and hard research, reverse engineering, asking around, trial and error, and hitting countless dead ends and outdated info.
That being said, please drop a comment if you find inaccurate information or if something works out differently for you as YMMV during this journey :)
Before you go on, know that this method is based on removing the current Steam Guard Mobile Authenticator from your account and adding it again. You will still be able to use Steam Guard Mobile Authenticator on your phone, but you will need to remove and re-add it first.
In most cases it is not possible to retrieve shared secret and identity secret for already existing TOTP setups. Those secrets are revealed once and only once right upon activation of Steam Guard for the Steam Account.
On a side note, apparently it's possible (via rather shady, unclear and hacky methods) to retrieve those secrets if you currently have your TOTP set up via SteamDesktopAuthenticator or in Steam Guard on an Android phone. Please note that this guide won't cover these options.
Before proceeding, make sure you understand everything you are doing - don't just run steps blindly or skip warnings! If you end up with your Steam Guard in a bad state without your TOTP backup code, you can lose access to your Steam Account.
Know what you're doing, or ask if in doubt. Perhaps create a new Steam Account to try these out beforehand if you're feeling unsure. You are the sole responsible person for your own accounts!
Needless to say: never share any of your account secrets with anyone! If you ask for help, make sure to redact and remove any sensitive information from your code or examples before posting anything on the internet.
Check out the Steam Guard FAQ if you have any questions about how it works.
- Minimal programming understanding (Python)
- Python 3.4+ installed along with pip
- Minimal understanding of how to use a terminal in Linux/Mac or Command-Prompt in Windows
Keeping all of the above in mind, let's get on with it!
If you already know this, feel free to jump down to the next section.
These secrets are key components for the computation of the TOTP algorithm. They ensure the uniqueness of your account's 2FA and make it virtually impossible for a 3rd party to gain access to your account.
The shared and identity secrets are generated once and only once: when two-factor authentication (Steam Guard Mobile Authenticator) is being set up for your account. They are generated by Steam's API and sent to your device when you first set up 2FA for your account. It's your device's responsibility to store these values locally (Steam's mobile app does that automagically for you) - and it's your responsibility to store the recovery code somewhere safe, as that's your only way to regain access to your account should you lose access to your 2FA device.
Having these secrets when setting up your own Steam Bot ensures full autonomy of the bot. That is: there will be no need for human interaction (from you) for the bot to function!
With the shared secret, bots are able to generate the 2FA codes themselves. This means they can log into their Steam Accounts on their own, and you won't ever need to pick up your phone for your bot to log in. Even if their login session expires, they will be able to log in again.
Beyond that, the identity secret is necessary to allow the bot to perform Trade and Market Confirmations on your behalf. If your bot will be making trades - or buying and selling in the Community Market - it will be able to do so autonomously without you manually approving each transaction.
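How a bot derives a login code from the shared secret and a confirmation key from the identity secret, as an added example that is not part of the original guide. It follows the scheme used by open-source community implementations (Steam does not document it), so the algorithm details and the `conf`/`allow` tag values are assumptions, and the two sample secrets are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time

# 26-symbol alphabet used for Steam Guard codes (assumption: community implementations).
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"

# Constructed sample secrets, base64-encoded like the real ones. Never hard-code real secrets.
SAMPLE_SHARED_SECRET = base64.b64encode(b"constructed-shared-k").decode()
SAMPLE_IDENTITY_SECRET = base64.b64encode(b"constructed-identity").decode()


def steam_guard_code(shared_secret_b64, timestamp=None):
    """Return the 5-character login code for the 30-second window of `timestamp`."""
    if timestamp is None:
        timestamp = time.time()
    key = base64.b64decode(shared_secret_b64)
    # TOTP counter: number of 30-second steps since the epoch, 8 bytes big-endian.
    counter = struct.pack(">Q", int(timestamp) // 30)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation as in RFC 4226: the low nibble of the last byte picks the offset.
    offset = digest[19] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    # Instead of decimal digits, map the value onto the 26-symbol alphabet.
    chars = []
    for _ in range(5):
        value, index = divmod(value, len(STEAM_ALPHABET))
        chars.append(STEAM_ALPHABET[index])
    return "".join(chars)


def confirmation_key(identity_secret_b64, tag, timestamp=None):
    """Return the base64 key that authorizes one confirmation action (`tag`) at `timestamp`."""
    if timestamp is None:
        timestamp = time.time()
    key = base64.b64decode(identity_secret_b64)
    # The MAC covers the exact second plus the action tag, so a key is bound to one action.
    message = struct.pack(">Q", int(timestamp)) + tag.encode("ascii")
    mac = hmac.new(key, message, hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


if __name__ == "__main__":
    now = int(time.time())
    print("login code:", steam_guard_code(SAMPLE_SHARED_SECRET, now))
    print("confirmation key:", confirmation_key(SAMPLE_IDENTITY_SECRET, "conf", now))
```

Both functions depend on the bot host's clock being close to Steam's, and anyone who can read either secret can produce the same outputs, so load them from a protected store at runtime.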
As explained extensively above, these are generated only when setting up Steam Guard; so start by removing your current 2FA method.
Follow Steam's official instructions to learn how to remove your current Steam Guard. It's possible to do this either via your mobile phone or in the browser using your recovery code.
Worth mentioning one more time:
Removing the authenticator means any trades or Community Market listings will be held by Steam for up to 15 days.
// TODO