Steam Guard Support for TOTP

[ibrokemypie]

Expected Behavior

Option to use steam's generation when setting up totp

Current Behavior

No option

Possible Solution

This has already been done as a plugin for the original keepass, so I would expect that since it is only an algorithm difference it shouldnt actually be too difficult.
link to mentioned project: https://github.com/victor-rds/KeeTrayTOTP

"The Mobile Steam Guard uses a standard time-based one-time password (RFC 6238) to generate the hash from the user’s secret key. However, Steam’s implementation differs from the standard in generating the actual displayed code. Rather than creating a 6 or 8 digit base10 code, Steam keeps compatibility with their existing email codes to create a 5 character string. This string is created from a specific set of 26 letters or digits."
https://winauth.com/2015/06/11/steam-guard-mobile/

Context

Currently stuck using my phone for totp on steam, which is certainly less than ideal, especially when I am often unable to access steam on it due to rom problems, so being able to access straight from my keepass vault would be awesome.

Your Environment

KeePassXC - Version 2.1.4
Revision: c3bd5d2

• Qt 5.8.0
• libgcrypt 1.7.6
  Operating system: Arch Linux
  CPU architecture: x86_64
  Kernel: linux 4.11.2-1-ck-haswell

[TheZ3ro]

The implementation in KeeTrayTOTP seems pretty trivial,
this is the Steam encoder and this is the Alphabet, the length is 5 and the step is 30 seconds

KeeTrayTOTP for Steam uses the TOTP Settings additional attributes but sets the digits value to S (so it knows it will use the Steam encoder and alphabet. Sadly we store the digits value in a QInt8 so we can really store it as S but I think -5 can be an alternative (5 is the real length, minus is for the Steam encoder).

Also should be nice to have a Steam option in the GUI for adding a new TOTP Token.

Can I assign this to you @weslly ?
Setting the Milestone to 2.3

[guihkx]

On a totally unrelated note: Does auto-type work for you guys in the steam client? It doesn't for me. It seems that {TAB} doesn't function properly so the password gets appended in the "Account name" field.

[weslly]

@guihkx Works fine for me, have you tried setting a delay?

[guihkx]

Adding a 100ms delay worked! Thanks

[droidmonkey]

If you are on linux this was a known issue that i corrected for 2.2.0. Linux now has a default 25ms delay between key presses, same as win and mac.

[guihkx]

Oh... so that's it then. I'm on Linux indeed

[C0rn3j]

Any chance that Steam trade confirmations tool could make it into KPXC?

https://github.com/winauth/winauth#new-features - like this one

Currently I'm forced to use WinAuth which is Windows only, which is not ideal to me as all my devices run Linux.

EDIT: Separate issue here #948

[droidmonkey]

Please create a new issue for this.

[Xinayder]

What's the status on this?

[droidmonkey]

Unfortunately this is not at the top of the priority list right now.

[C0rn3j]

Missing this feature is tearing me apart (WinAuth through WINE/VM is very annoying to use).

Is there a way to put something like $5 bounty on this feature so maybe some dev would be more willing to implement it sometimes this year?