Steam

How to Use WinAuth Properly For Trading
By Satoru
WinAuth has now integrated trade confirmations into its client. So you're probably chomping at the bit to use it.

The problem is that you're probably doing everything wrong. Why do I say that?

Having the authenticator on the same computer as where you're trading is of course convenient. But it also means if you get hijacked your attacker owns you, your email, your steam account and your authenticator!

Since you're violating a basic security protocol for 2FA you need to protect yourself from potential hijackers basically bypassing all the security you've put in. This guide will help you through how to set this up.
   
Download WinAuth - Must be at least version 3.4.23 (beta)
First you'll need to get WinAuth

http://winauth.com/download/

For now, as of December 22 2015, you have to use the beta version of WinAuth version 3.4.23

If you're using an older version none of these options will appear. If you don't see them use the absolute latest version of WinAuth. For now that means you need to use the beta 3.4.23

IF YOU DO NOT SEE TRADE CONFIRMATIONS YOU ARE ON THE WRONG VERSION OF WINAUTH

IF YOU DO NOT SEE TRADE CONFIRMATIONS YOU ARE ON THE WRONG VERSION OF WINAUTH

IF YOU DO NOT SEE TRADE CONFIRMATIONS YOU ARE ON THE WRONG VERSION OF WINAUTH

IF YOU DO NOT SEE TRADE CONFIRMATIONS YOU ARE ON THE WRONG VERSION OF WINAUTH
Add The Steam Authenticator to WinAuth
Run the winauth.exe



Click "Add" then "Steam"



Type in your Steam Account name and password. Then click Login



You will now receive a SteamGuard code in your email. Type the SteamGuard code you get into the box and click "Continue"

Possible Error If You Don't Have a Phone # Registered On Steam
Skip this section if you already have a phone number registered with Steam


To use the Steam Mobile Authenticator, even on WinAuth, you need an SMS phone number registered on Steam. If you don't you will get the following message after the step above



You'll need to register a phone # on Steam before you can proceed. My guide below has a section on how to add a phone # to your account

Refer to the section "Adding a Phone Number to your Account"

http://gtm.you1.cn/sharedfiles/filedetails/?id=495405494

Then proceed on with this guide
Getting Your R-Code - WRITE YOUR RCODE DOWN
You'll now be prompted for a code that you will receive via SMS

Put that SMS code into the "Confirmation Code" box which is circled in yellow



Now refer to the red circles

This is your R-code

If ANYTHING happens to your authenticator you MUST have the R-code.

Place this code somewhere safe and separate from your computer

Check the "I have written down my revocation code" box. You cannot proceed until this checkbox is selected.

Click "Confirm"



Click "Close"
!!!WRITE DOWN YOUR RCODE!!!!
WRITE DOWN YOUR R-CODE

I am not kidding about this. If anything happens to your authenticator you NEED this code.

If you don't have it, you'll be reenacting "50 Shades of Steam Support" for 8 weeks

You really don't want that

WRITE DOWN YOUR R-CODE
Critical Security Section - DO NOT SKIP THIS STEP
These steps are NOT optional. You MUST do these otherwise you are defeating the entire purpose of why you're using the authenticator.

THIS IS THE MOST IMPORTANT STEP IN THIS PROCESS



Password Protection

You MUST check the box for "Protect with my own password"

If an attacker hijacks your computer and this is NOT checked off, they can
1) extract your R-code
2) create an exact duplicate of your authenticator

Now your attacker can log in, as you, anywhere they want. Does that sound awesome? Yeah didn't think so.

DO NOT USE THE SAME PASSWORD AS STEAM OR EMAIL

By now your attacker probably has hijacked your steam account and your email.

Don't be a fool. Make sure the password you use for WinAuth is DIFFERENT than your Steam or email accounts
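
Why the unprotected authenticator can be duplicated, as an added example (not part of the original guide and not WinAuth's code): a Steam Guard code depends only on a stored secret and the current time, so anyone who reads that secret computes the same codes. The algorithm constants follow the publicly documented Steam Guard scheme; the secret, the strict single-window verifier and all function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

# Alphabet and 30-second step of the publicly documented Steam Guard code scheme
# (assumed here; not taken from this guide or from WinAuth's source).
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"
STEP_SECONDS = 30

# Constructed secret standing in for an authenticator saved WITHOUT a password.
# The value is illustrative; this is not WinAuth's real storage format.
SAMPLE_SECRET = base64.b64encode(b"constructed-demo-key").decode()


def steam_guard_code(shared_secret_b64: str, unix_time: int) -> str:
    """Return the 5-character code for the 30-second window containing unix_time."""
    key = base64.b64decode(shared_secret_b64)
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[19] & 0x0F  # dynamic truncation, as in RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    chars = []
    for _ in range(5):
        value, index = divmod(value, len(STEAM_ALPHABET))
        chars.append(STEAM_ALPHABET[index])
    return "".join(chars)


def server_accepts(shared_secret_b64: str, code: str, server_time: int) -> bool:
    """Hypothetical strict verifier: accepts only the code for its own current window."""
    return hmac.compare_digest(code, steam_guard_code(shared_secret_b64, server_time))


def demo(now: int = 1_700_000_010) -> dict:
    copied_secret = SAMPLE_SECRET  # the same bytes, read from the file on another machine
    owner_code = steam_guard_code(SAMPLE_SECRET, now)
    return {
        # Nothing ties the code to a device: same secret + same time = same code.
        "copy_matches": steam_guard_code(copied_secret, now) == owner_code,
        "accepted_same_window": server_accepts(SAMPLE_SECRET, owner_code, now + 29),
        # A PC clock 5 minutes behind yields a code from a stale window.
        "accepted_with_skew": server_accepts(
            SAMPLE_SECRET, steam_guard_code(SAMPLE_SECRET, now - 300), now),
    }


if __name__ == "__main__":
    print(demo())
```

The last entry also shows why a wrong PC clock makes valid credentials fail, which is what "Sync Time" in the troubleshooting section corrects.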

Encrypt WinAuth Files

For double protection you can encrypt the files using the local account and computer.

Note that if you do this, you MUST disable this feature before reformatting your system, or you won't be able to recover any WinAuth settings.


How Do Trade Confirmations Work?
Right click on your authenticator and select "Confirmations"



Log in using your Steam username and password

DO NOT CHECK THE BOX TO SAVE YOUR PASSWORDS

I repeat DO NOT CHECK THAT BOX

Why? Because once I own your PC, and if you already have Winauth open, you are screwed. I can 'confirm' any trade I want because you let me do it.



From here you can now confirm any trades you have



IF YOU DO NOT SEE CONFIRMATIONS IT MEANS YOU'RE ON AN OLDER VERSION OF WINAUTH
I Need To See My R-Code Again
If you forgot your R-code and want to see it to write it down again you can do so.

Right click on the authenticator, select "Show SteamGuard and Recovery Code"



Here you must enter the password you protected your authenticator with

YOU DID PUT IN THAT PASSWORD, RIGHT?



Here you can see your R-code that Steam uses, as well as a bunch of other stuff. We'll ignore that for now since really you should only need the R-code.



Generate Set of SteamGuard Backup Codes
http://gtm.you1.cn/sharedfiles/filedetails/?id=495405494

You need to have a set of SteamGuard backup codes in case you lose access to your SMS number. Refer to my previous guide on how to generate this.

DO NOT SKIP THIS

If you ever lose your phone number the only way to remove it is either having your authenticator running or having SteamGuard backup codes
Stuff Is Not Working!
Trade Cannot Be Confirmed

Right Click in the Authenticator window
Click "Sync Time"

WinAuth Error - Boolean.System Runtime

Uninstall DotNET 3.5
Reboot
Install DotNET 3.5 SP1

No Oauth token in response

Install the latest DotNET 4.5.1

Ensure you're running at least WinAuth 3.4.23
No Amount of Security Can Protect You from Yourself
Remember most hijacks happen because USERS download some random trojan or click some link. Hijacks don't happen out of thin air.

You are the weakest link in the security chain.

Don't download shady garbage from the internet

Don't click on random links from 'friends'

tl;dr version
1) You MUST use the password protection security on Winauth
2) WRITE DOWN YOUR R-CODE
3) DID YOU WRITE DOWN YOUR R-CODE?
4) SERIOUSLY WRITE THAT R-CODE DOWN!!!
5) Generate a set of Backup SteamGuard codes in case you lose access to your SMS number
6) WinAuth can't protect you from yourself. Don't download crap from the Internet
205 comments
4Orzeszek 11 Jul 2023 at 17:49
The winauth program will not work properly until it is updated by the creator, the problem is that the confirmation system changed from html to JSON.
The winauth application has not been updated by the creator since 2017, so there will probably not be a new working version.

So, I switch to another app: Steam Desktop Authenticator v 1.0.14 Pre-release
The latest version of the program works fine on windows 10.

Link: https://github.com/Jessecar96/SteamDesktopAuthenticator/releases
MrL0G1C 29 Jun 2023 at 12:48
Nope, Steam Desktop Authenticator is also broken, the problem is that the confirmation system changed from html to JSON.

Archi's Steam Farm (ASF) does work and can do confirmations. ASF can import from WinAuth or SDA: https://github.com/JustArchiNET/ArchiSteamFarm/wiki/Two-factor-authentication . Not going to pretend it's easy though because it isn't!!
brake 28 Jun 2023 at 23:39
PowerFulBR, someone answered me that couple of days ago some Steam updates broke it and since WinAuth is not being worked on for a long time it might be done for good.

Hopefully, someone answers with a solution but I already moved my authenticator to my phone. Maybe you can try the desktop authenticator by Jessecar, but I've never used it and can't say anything about it.
PowerFulBR 28 Jun 2023 at 4:00
I have the same problem as brake, I can't confirm any trades as I can't login anymore.
brake 24 Jun 2023 at 23:31
Hello! Since about a day ago WinAuth is unable to confirm trades. That is because it has logged itself out of my Steam credential but every time I try to enter those credentials again, it says ''Invalid authenticator code. Are you sure this is the current authenticator for your account?''

Here's an image of the error: https://ibb.co/Zcfpzmk

I'd appreciate any help about this.
offline / off-line 25 Nov 2022 at 6:43
:darkheart:
MrL0G1C 7 Aug 2021 at 11:35
YEEEEAAAAAAHHHHHHHHHH!!!!!!

I did it. https://youtu.be/WPl7cns5b3g

Lol, I managed to craft a maFile from WinAuth info and import it into SDA and it's fully wwooooorrrrking. YES!!

This means more to me than most people because I have a friendly and free bot that does literally hundreds of 1:1 card trades every day and shutting it down for 2 weeks would suck bad, it took a lot of effort to make the bot great.
MrL0G1C 7 Aug 2021 at 10:12
Ah, only just saw your post Satoru, Steam-Desktop-Authenticator is working well enough but it's not ideal as it does not appear to be under development.
Satoru [author] 4 Aug 2021 at 13:10
I haven't really used Winauth in a while

If you have an alternative that works better I'd be happy to make an updated guide for that
Ratha Wynter 4 Aug 2021 at 13:08
I forgot to check the log to see what the error was when confirmations were failing, but pressing the button 2-4 times per confirmation over the course of 2-3 minutes managed to get it through. My error message was not as detailed however, so probably something a little different. Disallowing Win10 to updates? Wasn't aware one could do that according to all of the people I know who used to disable updates in XP and 7 until they wanted to do the updates.