Why phone 2fa is useless and just wastes your time
- K4sum1
- Lazy Owner
- Posts: 1128
- Joined: 11 Jan 2021, 07:40
- Location: ur dads house
- OS: Windows 8.1 x64
- Has thanked: 795 times
- Been thanked: 411 times
- Contact:
Why phone 2fa is useless and just wastes your time
Many services and people will suggest using phone 2fa to "improve security", however most of the time it does nothing except waste your time. Even if a hacker gets your password, most services worth hacking already have a form of email 2fa where they email you a code if a new computer or IP logs into your account. Discord, Steam, Google, etc. all have this yet want you to use 2fa with your phone. Your phone is no more secure than email, and can be less secure in some cases. 2fa also does nothing if your authentication cookie or token gets stolen, which is what most account stealers target. There is no practical way to defend against such an attack; no amount of x-factor authentication will help. I'm tired of this "2fa is more secure" bullshit that is being pushed upon us.
I don't know what I'm doing hit album by Brad Sucks
Why phone 2fa is useless and just wastes your time
TOTP is good, just no good PC clients (Bitwarden and Proton Pass support it if you pay) and I hate having to check the phone I soon won't even have.
Proprietary bullshit like Steam/Battle.net's can fuck off and SMSing a code even more so since it's completely insecure, harvests the phone number and yeah. Some even lock TOTP behind a phone like the complete retards they are, like Battle.net and Twitch.
- K4sum1
- Lazy Owner
- Posts: 1128
- Joined: 11 Jan 2021, 07:40
- Location: ur dads house
- OS: Windows 8.1 x64
- Has thanked: 795 times
- Been thanked: 411 times
- Contact:
Why phone 2fa is useless and just wastes your time
I found this, which seems like it would make Steam a lot easier to deal with.
https://github.com/Jessecar96/SteamDesktopAuthenticator
I would need to see how it stores its data, how portable it is. I'll give it a try when I next need to use the Steam forums as they block that without 2FA.
- Posts: 36
- Joined: 19 Nov 2024, 19:14
- OS: Windows 10 x64
- Has thanked: 15 times
- Been thanked: 11 times
Why phone 2fa is useless and just wastes your time
Steam Desktop Authenticator's GitHub says it's unsupported. It's been years since I used Steam regularly. I wonder if they're changing the algorithm for 2FA code generation with updates, in which case the lack of updates to the authenticator is a problem.
For plain TOTP, there are still KeePass (2) and KeePassXC.
- Posts: 36
- Joined: 19 Nov 2024, 19:14
- OS: Windows 10 x64
- Has thanked: 15 times
- Been thanked: 11 times
Why phone 2fa is useless and just wastes your time
Seems both programs above can be used to store the secret for Steam's 2FA. Steam Desktop Authenticator seems to be able to present itself to Steam servers like the Steam mobile app; it actually allows registering itself as the mobile authenticator for the account whose credentials you give it. It stores data in the folder you run it from. You mustn't specify the password to encrypt the data if you want to be able to get the secret to put into KeePass.
Interestingly, regarding the two KeePass programs, the secrets for standard TOTP (Steam uses a non-standard algorithm) can be stored in 2 different ways in the database. If using KeePass 2's native TOTP functionality as documented, it won't be picked up by KeePassXC, which stores the secret in a string named "otp" under the database password entry.
Probably doesn't hurt having them stored both ways; it seems to increase compatibility with different KeePass-compatible programs. For Steam, the secret is always stored under the "otp" string; the difference is KeePassXC offers the ability to store it natively while a plugin is needed for KeePass 2.
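To make the "non-standard algorithm" mentioned above concrete, here is an added example (my own code, not taken from KeePass, KeePassXC, Steam or Steam Desktop Authenticator) that derives a standard RFC 6238 code and a Steam-style code from the same raw secret, which is what any client holding the "otp" secret has to do. The base32 helper and the RFC 6238 reference secret are assumptions for the demo; the 26-symbol alphabet and base-26 loop follow the publicly documented Steam Guard scheme.

```python
"""Standard TOTP (RFC 6238) next to Steam's 5-character variant, from one raw secret."""
import base64
import hashlib
import hmac
import struct
import time

STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"  # Steam's 26-symbol code alphabet


def _truncated_hotp(secret: bytes, counter: int) -> int:
    """RFC 4226 dynamic truncation: HMAC-SHA1 over the counter, 31-bit integer out."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """Standard TOTP: decimal digits of the truncated value for time step T = time // step."""
    value = _truncated_hotp(secret, unix_time // step)
    return str(value % 10 ** digits).zfill(digits)


def steam_code(secret: bytes, unix_time: int, step: int = 30) -> str:
    """Steam Guard variant: same HMAC and truncation, but five base-26 symbols instead of digits."""
    value = _truncated_hotp(secret, unix_time // step)
    chars = []
    for _ in range(5):
        chars.append(STEAM_ALPHABET[value % len(STEAM_ALPHABET)])
        value //= len(STEAM_ALPHABET)
    return "".join(chars)


def secret_from_otpauth_param(encoded: str) -> bytes:
    """Decode a base32 'secret=' value as found in an otpauth URI; padding is often omitted."""
    stripped = encoded.strip().upper()
    return base64.b32decode(stripped + "=" * (-len(stripped) % 8))


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"), a constructed demo value.
    demo_secret = b"12345678901234567890"
    now = int(time.time())
    print("TOTP :", totp(demo_secret, now))
    print("Steam:", steam_code(demo_secret, now))
```

The two functions differ only in the final encoding step, which is why one stored secret can serve either kind of client as long as the client knows which encoding the site expects.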