Valve’s 2FA Mandate for Game Developers Shows SMS Stickiness

Valve's 2FA Mandate for Game Developers Shows SMS Stickiness

October 23, 2023 at 04:25PM

Game maker Valve announced that it will require developers on its Steam platform to provide their phone numbers for SMS-based two-factor authentication (2FA) starting October 24. However, SMS-based 2FA is not entirely secure, as attackers can bypass it through various methods. Despite its flaws, SMS-based 2FA is still used by consumer-facing online services because it is relatively simple for end users. However, app-based factors such as Google’s or Microsoft’s authenticators offer better security options. Steam plans to implement additional security measures in the future.

Valve, the game maker behind the Steam platform, recently announced that developers will be required to provide their phone numbers for two-factor authentication (2FA) using SMS. However, SMS-based 2FA has been known to be vulnerable to various methods of attack. Attackers can bypass this security measure through methods such as machine-in-the-middle attacks, social engineering, or SIM swapping. Cellphone numbers are also commonly leaked on the internet, making them easily accessible to attackers.

Despite these vulnerabilities, SMS-based 2FA is still favored by consumer-facing online services because it is a relatively easy and seamless security mechanism for end users. While it may not be foolproof, any form of multi-factor authentication (MFA) is better than no MFA at all. Companies want to reduce friction for their customers while still providing some level of protection against hacking attempts.

To enhance security, companies can consider using app-based factors that are already widely adopted, such as Google’s or Microsoft’s authenticators. These apps offer an additional layer of security and are not susceptible to SIM cloning or malware that can intercept SMS messages. App-based 2FA can be protected by passkeys or biometrics, providing a more secure authentication method.

For game companies like Valve, improving security is crucial as cybercriminals target in-game assets and attempt to gain unauthorized access to players’ accounts. Valve plans to implement further security measures in the future to safeguard developers, customers, and its reputation.

Full Article