|
|
@@ -1,30 +1,30 @@ |
|
|
# Steam Guard: How to get TOTP shared and identity secrets |
|
|
# Steam Bots: How to get TOTP shared and identity secrets |
|
|
|
|
|
If you're looking into automating transactions in your Steam Account using Steam Bots, you most likely will need: |
|
|
1. To have [TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password) (["MFA" or "2FA"](https://en.wikipedia.org/wiki/Multi-factor_authentication)) enabled via Steam Authenticator ([Steam Guard](https://help.steampowered.com/en/faqs/view/06B0-26E6-2CF8-254C)) |
|
|
If you're looking into automating transactions in your Steam Account using Steam Bots, you most likely will need to: |
|
|
1. Have [TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password) (["MFA" or "2FA"](https://en.wikipedia.org/wiki/Multi-factor_authentication)) enabled via Steam Authenticator ([Steam Guard](https://help.steampowered.com/en/faqs/view/06B0-26E6-2CF8-254C)) |
|
|
1. Have in hands both `shared secret` and `identity secret` |
|
|
|
|
|
Having Steam Guard enabled for your Steam Account (`1.`) ensures that there will be no holds on transactions such as trades. Having the `shared` and `identity` secrets (`2.`) are necessary for complete autonomy of your Steam Bot, meaning it won't require any human interaction from you. |
|
|
Having Steam Guard enabled for your Steam Account ensures that there will be no holds on transactions such as trades. Having the `shared` and `identity` secrets are necessary for **complete autonomy** of your Steam Bot, meaning it won't require any human interaction from you. |
|
|
|
|
|
There is a _tremendous_ lack of information about all of this as Steam does not provide official support for implementing Steam Bots. The information available in this here guide was gathered through lots of ~~blood and sweat~~ hard research, reverse engineering, asking around, trials & errors, hitting countless dead-ends / outdated info and _whatnots_. |
|
|
There is a _tremendous_ lack of information about all of this as Steam does not provide official support for implementing Steam Bots. The information available in this guide was gathered through lots of ~~blood and sweat~~ hard research, reverse engineering, asking around, trials & errors, hitting countless dead-ends / outdated info and _whatnots_. |
|
|
|
|
|
That being said, please drop a comment if you find inaccurate information or if something works out differently for you as [YMMV](https://www.urbandictionary.com/define.php?term=ymmv) during this journey :) |
|
|
|
|
|
## Disclaimer 1: With this method you will need to RESET your Authenticator |
|
|
|
|
|
Before you go on, know that this method is based on removing the current Steam Guard Mobile Authenticator from your account and adding it again. **You will still be able to use Steam Guard Mobile Authenticator on your phone**, but you will need to remove and re-add it first. |
|
|
|
|
|
### >> This means that your account will end up with a **15-day trade hold** after the re-activation! << |
|
|
### >> This means that your account will end up with a [**15-day trade hold**](https://help.steampowered.com/en/faqs/view/34A1-EA3F-83ED-54AB) after the re-activation! << |
|
|
|
|
|
In _most_ cases it is not possible to retrieve `shared secret` and `identity secret` for already existing TOTP setups. Those secrets are revealed once and only once right upon activation of Steam Guard for the Steam Account. |
|
|
|
|
|
On a side note, _apparently_ it's possible (via rather shady, unclear and hacky methods) to retrieve those secrets if you currently have your TOTP set up via [SteamDesktopAuthenticator](https://github.com/Jessecar96/SteamDesktopAuthenticator) or in [Steam Guard in an Android phone](https://github.com/steamguard-totp/steamguard-shared-secret). Please take note this guide won't cover these options. |
|
|
> Side note: _Apparently_ it's possible (via rather shady, unclear and hacky methods) to retrieve those secrets if you currently have your TOTP set up via [SteamDesktopAuthenticator](https://github.com/Jessecar96/SteamDesktopAuthenticator) or in [Steam Guard in an Android phone](https://github.com/steamguard-totp/steamguard-shared-secret). Please take note this guide won't cover these options. |
|
|
|
|
|
## Disclaimer 2: You're dealing with your Steam Account security |
|
|
|
|
|
Before proceeding, make sure you understand everything you are doing - don't just run steps blindly or skip warnings! If you end up with your Steam Guard in a bad state without your TOTP backup code, **you can lose access to your Steam Account**. |
|
|
|
|
|
Know what you're doing, or ask if in doubt. Perhaps create a new Steam Account to try these out beforehand if you're feeling unsure. You are the sole responsible person for your own accounts! |
|
|
Know what you're doing, or ask before running any steps if in doubt. Perhaps create a new Steam Account to try these out beforehand if you're feeling unsure. **You are the sole responsible person for your own accounts!** |
|
|
|
|
|
Needless to say: **never share any of your account secrets** with anyone! If you will ask for help, make sure to dictate and remove any sensitive information from your codes or examples before posting anything on the internet. |
|
|
|
|
|
@@ -34,44 +34,126 @@ Check out the [Steam Guard FAQ](https://help.steampowered.com/en/faqs/view/06B0- |
|
|
|
|
|
- Minimal programming understanding (Python) |
|
|
- [Python 3.4+](https://www.python.org/downloads/) installed along with [pip](https://pip.pypa.io/en/stable/installation/) |
|
|
- Minimal understanding of how to use a terminal in Linux/Mac or Command-Prompt in Windows |
|
|
- Minimal understanding of how to use a terminal in Linux/Mac or Powershell in Windows |
|
|
|
|
|
--- |
|
|
|
|
|
Keeping all of the above in mind, let's get on with it! |
|
|
|
|
|
# What are the `shared` and `identity` secrets? |
|
|
|
|
|
_If you already know this, feel free to jump down to the next section: []()._ |
|
|
_If you already know this, feel free to jump down to the next section: [Generating `shared` and `identity` secrets](#generating-shared-and-identity-secrets)._ |
|
|
|
|
|
These secrets are key components for the computation of the TOTP algorithm. They ensure the uniqueness of your account's 2FA and make it virtually impossible for a 3rd party to gain access to your account. |
|
|
|
|
|
The `shared` and `identity` secrets are generated once and only once: when two-factor authentication (Steam Guard Mobile Authenticator) is being set up for your account. They are generated by Steam's API and sent to your device when you first set up 2FA for your account. It's your device's responsibility to store these values locally (Steam's Mobile apps does that _automagically_ for you) - and it's **your** responsibility to store the `recovery code` somewhere safe as that's your **only** way to regain access to your account should you lose access to your 2FA device. |
|
|
|
|
|
## What are they used for in a Steam Bot? |
|
|
|
|
|
Having these secrets when setting up your own Steam Bot ensures full autonomy of the bot. That is: there will be no need of human interaction (from you) for the bot to function! |
|
|
Having these secrets when setting up your own Steam Bot ensures full autonomy of the bot i.e. there will be no need of human interaction (from you) for the bot to function! |
|
|
|
|
|
### `shared secret` |
|
|
|
|
|
With this secret, bots are able to generate the 2FA codes themselves. This means they can log into their Steam Accounts on their own, and you won't ever need to pick up your phone for your bot to log in. Even if their login session expires, they will be able to log in again. |
|
|
With this secret, bots are able to generate the 2FA codes themselves. This means they can log into their Steam Accounts on their own, and you won't ever need to pick up your phone for your bot to log in. Even if their login session expires, they will be able to log in again on their own. |
|
|
|
|
|
### `identity secret` |
|
|
|
|
|
Further ahead, the `identity secret` is necessary to allow the bot to perform [Trade and Market Confirmations](https://help.steampowered.com/en/faqs/view/2E6E-A02C-5581-8904) on your behalf. If your bot will be making trades - or buying and selling in the Community Market - it will be able do so autonomously without you manually approving each transaction. |
|
|
Further ahead, the `identity secret` is necessary to allow the bot to perform [Trade and Market Confirmations](https://help.steampowered.com/en/faqs/view/2E6E-A02C-5581-8904) on your behalf. If your bot will be either making trades or buying & selling in the Community Market, it will be able do so autonomously without you approving each transaction manually. |
|
|
|
|
|
# Generating `shared` and `identity` secrets |
|
|
|
|
|
As explained extensively above, these are generated only when setting up Steam Guard; so start by removing your current 2FA method. |
|
|
|
|
|
## Remove your current Steam Guard |
|
|
|
|
|
Follow [Steam's official instructions](https://store.steampowered.com/twofactor/remove?step=ondevice) to learn how to remove your current Steam Guard. It's possible to do both via your mobile phone or in the browser using your `recovery code`. |
|
|
Follow [Steam's official instructions](https://store.steampowered.com/twofactor/remove?step=ondevice) to learn how to remove your current Steam Guard. It's possible to do it either via your mobile phone or via web browser using your `recovery code`. |
|
|
|
|
|
> **Worth mentioning one more time:** |
|
|
> |
|
|
> _Removing the authenticator means any [trades or Community Market listings will be held by Steam for up to 15 days](https://help.steampowered.com/en/faqs/view/34A1-EA3F-83ED-54AB)._ |
|
|
|
|
|
## Set up Steam Guard with ValvePython/steam |
|
|
|
|
|
// TODO |
|
|
Now we will make use of [ValvePython/steam](https://github.com/ValvePython/steam) to add Steam Guard to your account again. This project has [really good documentation](http://steam.readthedocs.io/en/latest/) and provides a lot of [useful functionalities](https://github.com/ValvePython/steam#features), so check it out if you're comfortable with Python! |
|
|
|
|
|
### Setting up your local Python environment |
|
|
|
|
|
As mentioned in the requirements, it's assumed you already have Python 3.4+ installed along with `pip`. |
|
|
|
|
|
Open up your terminal (Linux/Mac) or Powershell (Windows) and navigate to whichever folder you want run this script on: |
|
|
|
|
|
```bash |
|
|
# Linux/Mac |
|
|
cd /home/USERNAME |
|
|
|
|
|
# or, if on Windows: |
|
|
# cd \Users\USERNAME |
|
|
|
|
|
mkdir gen-steam-2fa |
|
|
cd gen-steam-2fa |
|
|
``` |
|
|
|
|
|
In the example above, `USERNAME` should be replaced by your Operating System's username. The name `gen-steam-2fa` was chosen for the folder in which we will run the scripts from. |
|
|
|
|
|
Python 3.4+ comes with `venv` by default, so we will use it to create a virtual environment and install our dependencies within it: |
|
|
|
|
|
```bash |
|
|
python -m venv venv |
|
|
|
|
|
# Linux/Mac |
|
|
source venv/bin/activate |
|
|
# on Windows: |
|
|
# venv\Scripts\activate.ps1 |
|
|
``` |
|
|
|
|
|
> Note: depending on your Python installation, you may need to invoke `python3` instead of `python` as the command-line executable for Python |
|
|
|
|
|
You should notice in your terminal/Powershell that the `venv` virtual environment is now active. Go ahead and install the required dependencies: |
|
|
|
|
|
```bash |
|
|
pip install wheel protobuf steam |
|
|
``` |
|
|
|
|
|
That's it for the dependencies! The next step is creating the Python script and running it. |
|
|
|
|
|
### Create the Python script |
|
|
|
|
|
See the [code for `generate.py` in the file below](#file-generate-py). Copy its contents and save it to a file with the same name in your working folder. Make sure to edit line `11` and insert your actual Steam Account username there. |
|
|
|
|
|
### Running the script |
|
|
|
|
|
> Before running the script, remember: **you should finish the setup in your mobile phone!** |
|
|
> |
|
|
> This script is only meant to start the process of setting up Steam Guard for your account (and generate the needed `shared` and `identity` secrets). The script does NOT finalize the Steam Guard setup; so if you don't conclude it in your phone, your account will not have 2FA active. |
|
|
|
|
|
Watch closely the output of the script in your terminal/Powershell. The script will first ask for your Steam Account's password, but it may ask for additional things such as: |
|
|
- A confirmation code that will be sent to your email address; |
|
|
- For you to solve a captcha. For that an URL will be displayed in the terminal, follow it and solve the captcha to validate the login; |
|
|
|
|
|
> _If it asks for your 2FA code, that means your old 2FA is still active in your account. You should go back and remove it first!_ |
|
|
|
|
|
Time to run the script: |
|
|
|
|
|
```bash |
|
|
python generate.py |
|
|
``` |
|
|
|
|
|
When all goes well, the script will show you a dictionary containing both the `shared_secret` and `identity_secret`. Save those safely along with `revocation_code` (that's your "recovery code" in case you lose access to your mobile phone). For convenience, the script will also save those secrets into a `2FA-secrets.json` file locally. Make sure to delete it once you have the data safely stored somewhere! |
|
|
|
|
|
**You will also receive an SMS with a confirmation code in your mobile phone!** That's expected as you are activating Steam Guard _Mobile_ Authenticator, so let's finish off the setup on your mobile phone! |
|
|
|
|
|
### Finishing the setup on your phone via Steam Mobile app |
|
|
|
|
|
Now open the [Steam Mobile](https://store.steampowered.com/mobile) in your phone. Log into your account if it's not logged in already. |
|
|
|
|
|
Go to the "Steam Guard" tab, select "Add Authenticator" and follow the steps as you normally would to add the authenticator to your account. |
|
|
|
|
|
You should receive a second SMS. Take note that it should contain the exact same confirmation code as the one in the previous SMS. If they don't match, chances are you took too long between these steps and a new authenticator request was done. In that case I would suggest restarting the process by running the `generate.py` script again. |
|
|
|
|
|
If both SMSs have the same code, go ahead and input the code in Steam Guard to conclude the setup. Once done, you will have Steam Guard enabled for your account in this phone! Notice that Steam will alert you to safely store the recovery code somewhere. This recovery code should also match **exactly** the code you got as `revocation_code` from the Python script. |
|
|
|
|
|
# Conclusion |
|
|
|
|
|
All done! You should now have Steam Guard properly working on your phone again as usual. Along with that now you know exactly what are the `shared` and `identity` secrets for your account, so you're ready to _bot away_! |
|
|
|
|
|
Feel free to comment with suggestions, corrections, improvements or if you're stuck at any given steps. Hope this guide was helpful to you in one way or another :) |
mathielo renamed this gist