Trading on Steam has gone from a wonderful community-oriented experience, to a major hassle. Not only are there at least sixteen different reasons you might not be able to trade, but you also need to install Steam’s proprietary two-factor auth app to your phone before you can confirm any trades.
The process is very cumbersome for anyone who trades frequently, and it’s even worse for anyone doing development on the platform who needs to test things where multiple accounts are exchanging items.
Luckily, there’s a way around all of this It will require a bit of work up-front though, and isn’t exactly the most secure solution if your local computer is shared.
First, we need a way to generate the one-time-use two-factor codes the same way the Steam app does.
Setup The 2FA Server
Dr. McKay has created a mimicked version of the Steam Guard 2FA app. You can run the server as either a node.js application, or my own personal preference, a PHP application (since my workstation is already running nginx/php). Clone the repo from here: https://github.com/DoctorMcKay/steam-twofactor-server.
Note: My workstation is running Linux (Fedora). The concepts apply everywhere, but your setup steps may differ.
I edited my /etc/hosts
file to point steam-secrets.local
to 127.0.0.1
, and the nginx config to match.
127.0.0.1 steam-secrets.local
server {
listen 80;
index index.php index.html;
server_name steam-secrets.local;
root /var/www/html/steam-twofactor-server;
add_header 'Access-Control-Allow-Credentials' 'true' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST' always;
add_header 'Access-Control-Allow-Headers' 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
location ~ \.php(/|$) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Make sure that the base script exists
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
}
When you’re done following the readme, test it by hitting: http://steam-secrets.local/steam_twofactor.php/code/test. The response should error with:No secret is available for that account
.
Prepare For Steam Guard
Before you can enable Steam Guard, you need a phone number attached to your account. You can attach the same phone number to multiple accounts (there’s a limit per-month for the same number, but it’s relatively high–somewhere around 30).
- Login to the account on Steam
- Go to Account Settings
- Ensure your email address is validated. If not, validate it from this same page before continuing.
- Under Contact Info, click Add a phone number
- Check your email and click Add phone number within the email
- Close the new window, open the original tab with the account settings and enter the 5-digit code texted to you
- Press Done
Now your account meets the requirements to run the mobile authenticator.
Enable Steam Guard
In order to use the 2FA server, we need to get the client secret. This is only given during the setup process and you can never fetch the info from Steam again.
In my case, I’m using some alts just for trading so I’ll be setting them up from scratch. If you’re using your main account and want the steam guard code from your phone, good luck. You’ll need to have the phone rooted and search through the steam authenticator files.
Regardless of whether or not you used PHP for the server, we will be using node to make the requests for setting up 2FA. Specifically, we’ll be using this repo: https://github.com/DoctorMcKay/node-steamcommunity.
$ git clone git@github.com:DoctorMcKay/node-steamcommunity.git Cloning into 'node-steamcommunity'... remote: Enumerating objects: 129, done. remote: Counting objects: 100% (129/129), done. remote: Compressing objects: 100% (84/84), done. remote: Total 2124 (delta 72), reused 80 (delta 44), pack-reused 1995 Receiving objects: 100% (2124/2124), 421.43 KiB | 300.00 KiB/s, done. Resolving deltas: 100% (1284/1284), done. $ cd node-steamcommunity/examples $ npm i npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142 npm WARN deprecated har-validator@5.1.5: this library is no longer supported added 86 packages from 122 contributors and audited 86 packages in 2.386s 2 packages are looking for funding run `npm fund` for details found 0 vulnerabilities $ node enable_twofactor.js Username: my_test_account Password: my_test_password An email has been sent to your address at gmail.com Steam Guard Code: A12TV Logged on! Writing secrets to twofactor_76561197960287930.json Revocation code: R10111 SMS Code: 61361 Two-factor authentication enabled!
Congratulations! The hard part is done.
Grab the file that was generated and copy the contents it into a file called <your_account_name>.json
inside the secrets directory of the two-factor server.
$ mv twofactor_76561197960287930.json /var/www/html/steam-twofactor-server/secrets/gaben.json
Test that it worked by loading the project in your browser for that account: http://steam-secrets.local/steam_twofactor.php/code/gaben. If you see five random characters, then you’re done setting up the server.
Automate Code Entry
In order to enter the 2FA codes automatically, and to click the mobile trade confirmations, we’ll need a userscript. These are snippets of javascript that run locally in your browser when certain pages are accessed. You need a browser extension in order to run them, so ensure you have Greasemonkey (Firefox) or Tampermonkey (Chrome).
To install the userscript, load the following page in your browser after the extension is installed. https://github.com/DoctorMcKay/steam-twofactor-server/raw/master/userscript/Steam_Community_Mobile_Trade_Confirmations.user.js
Now go to https://steamcommunity.com/mobileconf/conf and paste the base URL of your 2Fa server.
http://steam-secrets.local/steam_twofactor.php/
Now, whenever a two-factor prompt appears on Steam, you will automatically enter and submit the code as long as the account is found on that server.
Accepting Trades From Mobile
Bookmark the following page for whenever you need to approve a trade: https://steamcommunity.com/mobileconf/conf