Steam and two-factor authentication

I think this works a bit like a home alarm system sign. Just the sign itself in your front lawn will deter burglars from even trying to get into your home because of how much more difficult it looks like it will be.

In a similar sense, having this achievement acts like the sign: if an attacker saw this they might not even try to get into this account because it's increased perceived difficulty.

Does this increase the likelihood of another account being targeted?

  • I'd say yes: since the pool of potential targets just became smaller, any individual in that pool has an increased chance of being a target.

What can those without the achievement do to reduce their chance of being attacked?

  • Put up a home security sign (enable two-factor authentication!).

Summary: It doesn't undermine two-factor authentication but, hopefully, encourages others to follow best practices in securing their accounts.


It does not undermine the purpose of 2FA, but it might affect the security of users not using 2FA.

The goal of 2FA is to change login to require, well, two factors. Specifically, something you know and something you have. Publishing a list of users that use 2FA does not reduce the security of 2FA. An attacker still must obtain the password and the device.

On the other hand, there may be attack strategies that only work for accounts that do not use 2FA. For example, if a password dictionary attack is possible, attackers may use the published list to identify accounts that don't use 2FA and hence are vulnerable to the password attack.


I think it is important to distinguish between three different questions one might ask:

  1. Does this undermine the security of a particular user who uses 2FA? Answer: No. If you're using two-factor authentication, making that public doesn't help the attacker break into your account. If anything, it helps you, by deterring some attackers from attacking you.

  2. Does this undermine the security of a particular user who doesn't use 2FA? Answer: Yes, somewhat, because it could make it easier for attackers to mount targeted attacks on users who don't use 2FA.

    That said, it's important to keep this in perspective. It's not harmless, but it's not devastating either. I don't think it's going to be a game-changer. Suppose 50% of users use 2FA. Then an attacker who tries attacking a bunch of accounts in succession will only be able to reduce the number of accounts they need to try by at most a factor of two, using the information leak pointed out in your question. That said, I suspect many attackers probably won't even bother to check the public profile and for those attackers this information leak will have no effect.

  3. Does this undermine the security of the ecosystem as a whole? Answer: Yes, somewhat. Of course, this is primarily relevant to Valve, rather than to its users. They have an incentive to protect their own bottom line.

As a user, if you are concerned, one possible response is to enable 2FA on your Steam account.

Should you contact Valve to disclose this information leak? Sure -- why not?