Valve Unveils Hardware-Based Steam Security

[Andy of Comix Inc]

So if my computer explodes, or I go traveling, can I unwire my Steam account?

Yeah, what if we change computers or something? Or, like he said, travel?

Thats one of Steam's selling points, which is "take Steam with you wherever you go, and download your games anywhere!".

Well, it IS optional.

I don't know if someone has already mentioned, but it ties account management to a single PC. So you can log in from elsewhere, but you can't change your name/password/email and other account-related settings. So if someone got ahold of your details, they could still log in, but they couldn't change your password or email unless they were on your computer.

It's an added layer of account protection, not a "locked to one computer" gimmick.

 

[Dana22]

As long as it's voluntarily, I won't mind. If it's not, it's going to be just like Treacherous Computing [http://www.gnu.org/philosophy/can-you-trust.html]

No this is mandatory, unless you buy hardware with "Intel's forthcoming Identity Protection Technology", you wont be able to log into the Steam.

 

[carpathic]

So if my computer explodes, or I go traveling, can I unwire my Steam account?

Yeah, what if we change computers or something? Or, like he said, travel?

Thats one of Steam's selling points, which is "take Steam with you wherever you go, and download your games anywhere!".

My thoughts exactly. What if I change up my computer?

 

[master m99]

for stuff like this i really love my battle,net authenticator keychain, random code every min ithink so none but me can get into my wow account and i can easily carry it with me so i can log on from any pc with wow on it =)

 

[master m99]

I would prefer just using an authenticator. Blizzard really did have the right idea.

Unless I misread something, this feature pretty much IS the exact same thing as the Blizzard Authenticator, just built-in to the processor rather than being a separate device.

difference is that the blizzard thing is a keychain/app and so is portable meaning you can log on anywhere so long as you have your keys/phone which most if not all people will, with a piece of hardware this is a bit more difficult as its well heavy and difficult to trancport.

 

[DonTsetsi]

I would prefer just using an authenticator. Blizzard really did have the right idea.

Unless I misread something, this feature pretty much IS the exact same thing as the Blizzard Authenticator, just built-in to the processor rather than being a separate device.

difference is that the blizzard thing is a keychain/app and so is portable meaning you can log on anywhere so long as you have your keys/phone which most if not all people will, with a piece of hardware this is a bit more difficult as its well heavy and difficult to trancport.

You can log in from anywhere, you can't change account details from another pc.

 

[DefiantWolf]

Honestly, the amount of half-assed knee-jerk reactions I'm seeing from a bunch of you is downright silly.

Simple logic to consider

- Phishing issues is Steam's number 1 Customer Service issue (it's right there in the article) I myself can think of at least a half dozen attempts on my own account that I spotted and dodged in the past couple years.

- Yes, people's computers die, but it's rare. I've been gaming on the PC for over a decade and have only had 2 CPU's ever die on me, and one motherboard crack due to my hamhandedness when replacing a defective cooling unit.

Therefore, if this system can greatly reduce their customer service load by significantly reducing phished account tickets in exchange for a far fewer number of "my computer fried" tickets, then I would say they made the right choice. The leaner they can run their Customer Service department while maintaining their level of quality (not saying it's good, just saying don't let it get worse) gives them more resources to make the kickass games they make.

So I support it. I'll even go on record to bet that it will be optional.

 

[Arachon]

As long as it's voluntarily, I won't mind. If it's not, it's going to be just like Treacherous Computing [http://www.gnu.org/philosophy/can-you-trust.html]

No this is mandatory, unless you buy hardware with "Intel's forthcoming Identity Protection Technology", you wont be able to log into the Steam.

Really? I see no mention of this in the article. What's your source?

But if this is true, they've essentially locked out anyone with an AMD CPU...

 

[lacktheknack]

So if my computer explodes, or I go traveling, can I unwire my Steam account?

Yeah, what if we change computers or something? Or, like he said, travel?

Thats one of Steam's selling points, which is "take Steam with you wherever you go, and download your games anywhere!".

Well, it IS optional.

I don't know if someone has already mentioned, but it ties account management to a single PC. So you can log in from elsewhere, but you can't change your name/password/email and other account-related settings. So if someone got ahold of your details, they could still log in, but they couldn't change your password or email unless they were on your computer.

It's an added layer of account protection, not a "locked to one computer" gimmick.

If that's the case, that's fantastic. I'm in.

 

[Woodsey]

It's a nice idea (assuming it's voluntary), but I probably won't use it. I like being able to access my Steam account and games on both my desktop and my laptop.

You're obviously going to be able to undo it. The reports a little vague on the details of how it works anyway.

This is strictly voluntary, right? Because if this is required, I'm gonna be furious.

Seems most likely.

"Steam Guard will let users limit control of their Steam account to a single PC, "

They are saying what the program will do, not necessarily if its a voluntary thing, however it seems like it only affects Intel Processor based computers and right there is were it seems likely it will be volentary

"Will let" implies choice.

 

[Dana22]

As long as it's voluntarily, I won't mind. If it's not, it's going to be just like Treacherous Computing [http://www.gnu.org/philosophy/can-you-trust.html]

No this is mandatory, unless you buy hardware with "Intel's forthcoming Identity Protection Technology", you wont be able to log into the Steam.

Really? I see no mention of this in the article. What's your source?

But if this is true, they've essentially locked out anyone with an AMD CPU...

I joked ! Of course they wouldn't do something like that !

 

[NLS]

So if my computer explodes, or I go traveling, can I unwire my Steam account?

Yeah, what if we change computers or something? Or, like he said, travel?

Thats one of Steam's selling points, which is "take Steam with you wherever you go, and download your games anywhere!".

According to the Steam beta announcement, you will have to enter a one-time code sent to you by email the first time you login from a new location.
So changing computer is no problem, but you will need access to your email(which you obviously should have).

 

[Larspcus2]

Either way, it will be cracked within a few days.

I don't think you understand what this is. The way identity thieves work is either via trojan, email scam(phishing) or brute force. This is impossible to crack by trojans or phishing, and offers enough protection against brute force to not worry about it.

An effective system against 99% of the thieves out there.

You forgot Man-In-The-Middle attacks, which this system will not protect you against.

1) Steam logins are SSL secured, which mean that you either have to a) be a moron and ignore the certificate warning or b) have a compromised machine.

2) The key is a "One-Time Password," which to me implies that each key will only be valid once, so the attacker will have to crack Intel's key cycling algorithm as well.

It might be possible to develop a trojan that steals the hardware password before it is used (I don't know much about hardware-level security), but it would certainly be more difficult to create than a simple keylogger.

EDIT:

According to the Steam beta announcement, you will have to enter a one-time code sent to you by email the first time you login from a new location.
So changing computer is no problem, but you will need access to your email(which you obviously should have).

This means that Valve's machine-specific security will join the long list of things that are only as secure as your email account.

 

[constantcompile]

Hey, maybe this will get Capcom to finally release MvC3 on Steam...

 

[MrTub]

Either way, it will be cracked within a few days.

I don't think you understand what this is. The way identity thieves work is either via trojan, email scam(phishing) or brute force. This is impossible to crack by trojans or phishing, and offers enough protection against brute force to not worry about it.

An effective system against 99% of the thieves out there.

You forgot Man-In-The-Middle attacks, which this system will not protect you against.

1) Steam logins are SSL secured, which mean that you either have to a) be a moron and ignore the certificate warning or b) have a compromised machine.

2) The key is a "One-Time Password," which to me implies that each key will only be valid once, so the attacker will have to crack Intel's key cycling algorithm as well.

It might be possible to develop a trojan that steals the hardware password before it is used (I don't know much about hardware-level security), but it would certainly be more difficult to create than a simple keylogger.

EDIT:

According to the Steam beta announcement, you will have to enter a one-time code sent to you by email the first time you login from a new location.
So changing computer is no problem, but you will need access to your email(which you obviously should have).

This means that Valve's machine-specific security will join the long list of things that are only as secure as your email account.

Yeah.. Kinda defeats the point imo..

 

[theultimateend]

I would prefer just using an authenticator. Blizzard really did have the right idea.

Unless I misread something, this feature pretty much IS the exact same thing as the Blizzard Authenticator, just built-in to the processor rather than being a separate device.

Well the thing about it being on my iphone instead is that I can play wow on my laptop, work computer, and home computer without needing 3 new processors .

But thanks for the heads up.

 

[TechNoFear]

1) Steam logins are SSL secured, which mean that you either have to a) be a moron and ignore the certificate warning or b) have a compromised machine.

SSL is still vunerable to MITM using a compelled certificate creation attack.

2) The key is a "One-Time Password," which to me implies that each key will only be valid once, so the attacker will have to crack Intel's key cycling algorithm as well.

Meaning the key is time based, leaving the MITM 30 sec to complete authentication.

 

[WhiteTigerShiro]

I would prefer just using an authenticator. Blizzard really did have the right idea.

Unless I misread something, this feature pretty much IS the exact same thing as the Blizzard Authenticator, just built-in to the processor rather than being a separate device.

Well the thing about it being on my iphone instead is that I can play wow on my laptop, work computer, and home computer without needing 3 new processors .

But thanks for the heads up.

Unless you're frequently changing your Steam account info from your laptop, work computer, and home computer, I don't see how this is an issue.

 

[theultimateend]

I would prefer just using an authenticator. Blizzard really did have the right idea.

Unless I misread something, this feature pretty much IS the exact same thing as the Blizzard Authenticator, just built-in to the processor rather than being a separate device.

Well the thing about it being on my iphone instead is that I can play wow on my laptop, work computer, and home computer without needing 3 new processors .

But thanks for the heads up.

Unless you're frequently changing your Steam account info from your laptop, work computer, and home computer, I don't see how this is an issue.

I was under the impression that once you authenticate your steam to the system with that processor it'll only work on systems with that processor.

 

[WhiteTigerShiro]

I was under the impression that once you authenticate your steam to the system with that processor it'll only work on systems with that processor.

The article itself is admittedly vague, but the bold-faced header is quite clearly stated:

Valve has announced a new hardware-based security system for Steam called Steam Guard, which will allow users to link their account management options to a single PC.

Note the underlined part.

So in other words, I wouldn't be able to hack your password, then go into your account management to change it and lock you out.