Steam Bots: How to get shared and identity secrets from Steam Guard TOTP

Steam Bots: How to get shared and identity secrets

If you're looking into automating transactions in your Steam Account using Steam Bots, you most likely will need to:

  1. Have TOTP ("MFA" or "2FA") enabled via Steam Authenticator (Steam Guard)
  2. Have both the shared secret and the identity secret in hand

Having Steam Guard enabled for your Steam Account ensures that there will be no holds on transactions such as trades. Having the shared and identity secrets is necessary for complete autonomy of your Steam Bot, meaning it won't require any human interaction from you.

There is a tremendous lack of information about all of this, as Steam does not provide official support for implementing Steam Bots. The information in this guide was gathered through lots of hard research, reverse engineering, asking around, trial and error, and hitting countless dead ends and outdated information.

That being said, please drop a comment if you find inaccurate information or if something works out differently for you as YMMV during this journey :)

Disclaimer 1: With this method you will need to RESET your Authenticator

Before you go on, know that this method is based on removing the current Steam Guard Mobile Authenticator from your account and adding it again. You will still be able to use Steam Guard Mobile Authenticator on your phone, but you will need to remove and re-add it first.

>> This means that your account will end up with a 15-day trade hold after the re-activation! <<

In most cases it is not possible to retrieve shared secret and identity secret for already existing TOTP setups. Those secrets are revealed once and only once right upon activation of Steam Guard for the Steam Account.

Side note: Apparently it's possible (via rather shady, unclear and hacky methods) to retrieve those secrets if you currently have your TOTP set up via SteamDesktopAuthenticator or in Steam Guard on an Android phone. Please take note that this guide won't cover these options.

Disclaimer 2: You're dealing with your Steam Account security

Before proceeding, make sure you understand everything you are doing - don't just run steps blindly or skip warnings! If you end up with your Steam Guard in a bad state without your TOTP backup code, you can lose access to your Steam Account.

Know what you're doing, or ask before running any steps if in doubt. Perhaps create a new Steam Account to try these out beforehand if you're feeling unsure. You are the sole responsible person for your own accounts!

Needless to say: never share any of your account secrets with anyone! If you ask for help, make sure to redact and remove any sensitive information from your code or examples before posting anything on the internet.

Check out the Steam Guard FAQ if you have any questions about how it works.

Requirements

  • Minimal programming understanding (Python)
  • Python 3.4+ installed along with pip
  • Minimal understanding of how to use a terminal in Linux/Mac or Powershell in Windows

Keeping all of the above in mind, let's get on with it!

What are the shared and identity secrets?

If you already know this, feel free to jump down to the next section: Generating shared and identity secrets.

These secrets are key components for the computation of the TOTP algorithm. They ensure the uniqueness of your account's 2FA and make it virtually impossible for a 3rd party to gain access to your account.

The shared and identity secrets are generated once and only once: when two-factor authentication (Steam Guard Mobile Authenticator) is being set up for your account. They are generated by Steam's API and sent to your device when you first set up 2FA. It's your device's responsibility to store these values locally (Steam's mobile app does that automagically for you), and it's your responsibility to store the recovery code somewhere safe, as that's your only way to regain access to your account should you lose access to your 2FA device.

What are they used for in a Steam Bot?

Having these secrets when setting up your own Steam Bot ensures full autonomy of the bot, i.e. there will be no need for human interaction (from you) for the bot to function!

shared secret

With this secret, bots are able to generate the 2FA codes themselves. This means they can log into their Steam Accounts on their own, and you won't ever need to pick up your phone for your bot to log in. Even if their login session expires, they will be able to log in again on their own.

identity secret

Further ahead, the identity secret is necessary to allow the bot to perform Trade and Market Confirmations on your behalf. If your bot will be either making trades or buying & selling in the Community Market, it will be able to do so autonomously without you approving each transaction manually.

Generating shared and identity secrets

As explained extensively above, these are generated only when setting up Steam Guard; so start by removing your current 2FA method.

Remove your current Steam Guard

Follow Steam's official instructions to learn how to remove your current Steam Guard. It's possible to do it either via your mobile phone or via web browser using your recovery code.

Worth mentioning one more time:

Removing the authenticator means any trades or Community Market listings will be held by Steam for up to 15 days.

Set up Steam Guard with ValvePython/steam

Now we will make use of ValvePython/steam to add Steam Guard to your account again. This project has really good documentation and provides a lot of useful functionalities, so check it out if you're comfortable with Python!

Setting up your local Python environment

As mentioned in the requirements, it's assumed you already have Python 3.4+ installed along with pip.

Open up your terminal (Linux/Mac) or Powershell (Windows) and navigate to whichever folder you want to run this script in:

# Linux/Mac
cd /home/USERNAME

# or, if on Windows:
# cd \Users\USERNAME

mkdir gen-steam-2fa
cd gen-steam-2fa

In the example above, USERNAME should be replaced by your Operating System's username. The name gen-steam-2fa was chosen for the folder in which we will run the scripts from.

Python 3.4+ comes with venv by default, so we will use it to create a virtual environment and install our dependencies within it:

python -m venv venv

# Linux/Mac
source venv/bin/activate
# on Windows:
# venv\Scripts\activate.ps1

Note: depending on your Python installation, you may need to invoke python3 instead of python as the command-line executable for Python.

You should notice in your terminal/Powershell that the venv virtual environment is now active. Go ahead and install the required dependencies:

pip install wheel protobuf steam

That's it for the dependencies! The next step is creating the Python script and running it.

Create the Python script

See the code for generate.py in the file below. Copy its contents and save it to a file with the same name in your working folder. Make sure to edit the line that sets steamUsername (line 12 in the gist's generate.py) and insert your actual Steam Account username there.

Running the script

Before running the script, remember: you should finish the setup in your mobile phone!

This script is only meant to start the process of setting up Steam Guard for your account (and generate the needed shared and identity secrets). The script does NOT finalize the Steam Guard setup; so if you don't conclude it in your phone, your account will not have 2FA active.

Watch the output of the script in your terminal/Powershell closely. The script will first ask for your Steam Account's password, but it may also ask for additional things such as:

  • A confirmation code that will be sent to your email address;
  • For you to solve a captcha. In that case a URL will be displayed in the terminal; follow it and solve the captcha to validate the login.

If it asks for your 2FA code, that means your old 2FA is still active in your account. You should go back and remove it first!

Time to run the script:

python generate.py

When all goes well, the script will show you a dictionary containing both the shared_secret and identity_secret. Save those safely along with revocation_code (that's your "recovery code" in case you lose access to your mobile phone). For convenience, the script will also save those secrets into a 2FA-secrets.json file locally. Make sure to delete it once you have the data safely stored somewhere!

You will also receive an SMS with a confirmation code on your mobile phone! That's expected, as you are activating Steam Guard Mobile Authenticator, so let's finish off the setup on your mobile phone!

Finishing the setup on your phone via Steam Mobile app

Now open the Steam Mobile app on your phone. Log into your account if it's not logged in already.

Go to the "Steam Guard" tab, select "Add Authenticator" and follow the steps as you normally would to add the authenticator to your account.

You should receive a second SMS. Take note that it should contain the exact same confirmation code as the one in the previous SMS. If they don't match, chances are you took too long between these steps and a new authenticator request was made. In that case I would suggest restarting the process by running the generate.py script again.

If both SMSs have the same code, go ahead and input the code in Steam Guard to conclude the setup. Once done, you will have Steam Guard enabled for your account in this phone! Notice that Steam will alert you to safely store the recovery code somewhere. This recovery code should also match exactly the code you got as revocation_code from the Python script.
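As an added example (not part of the original gist or of the ValvePython/steam library), the script below shows what the two secrets are actually used for and lets you cross-check the saved secrets once the phone setup is done: it reimplements Steam's 5-character TOTP from shared_secret and the confirmation HMAC from identity_secret, and prints the code for the current window so you can compare it with the one shown in the Steam Mobile app. The file name check_secrets.py, the function names and the constructed example secret are assumptions.

```python
import base64
import hashlib
import hmac
import json
import struct
import sys
import time

# Steam Guard codes are 5 characters from this alphabet, not 6 digits.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def steam_totp(shared_secret_b64, timestamp):
    """Compute the Steam Guard code for the 30-second window containing timestamp."""
    key = base64.b64decode(shared_secret_b64)
    window = struct.pack(">Q", timestamp // 30)            # 8-byte big-endian counter
    digest = hmac.new(key, window, hashlib.sha1).digest()
    offset = digest[19] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    chars = []
    for _ in range(5):
        chars.append(STEAM_ALPHABET[code % len(STEAM_ALPHABET)])
        code //= len(STEAM_ALPHABET)
    return "".join(chars)


def confirmation_key(identity_secret_b64, timestamp, tag="conf"):
    """HMAC the bot sends with trade/market confirmation requests (tag: conf, allow, cancel)."""
    key = base64.b64decode(identity_secret_b64)
    message = struct.pack(">Q", timestamp) + tag.encode("ascii")
    return base64.b64encode(hmac.new(key, message, hashlib.sha1).digest()).decode("ascii")


def load_secrets(path):
    """Read the dict that generate.py dumped into 2FA-secrets.json."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


# Constructed, obviously fake 20-byte secret so the functions can be exercised offline.
EXAMPLE_SHARED_SECRET = base64.b64encode(bytes(range(20))).decode("ascii")

if __name__ == "__main__":
    # Usage: python check_secrets.py [path/to/2FA-secrets.json]
    if len(sys.argv) > 1:
        shared = load_secrets(sys.argv[1])["shared_secret"]
    else:
        shared = EXAMPLE_SHARED_SECRET
    now = int(time.time())
    print("Code for this window:", steam_totp(shared, now), "(compare with the app)")
```

If the printed code matches what the Steam Mobile app shows for the same 30-second window, the saved shared_secret is the one the app is using; a mismatch means the file came from an earlier, abandoned authenticator request.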

Conclusion

All done! You should now have Steam Guard working properly on your phone again as usual. Along with that, you now know exactly what the shared and identity secrets for your account are, so you're ready to bot away!

Feel free to comment with suggestions, corrections, improvements or if you're stuck at any given steps. Hope this guide was helpful to you in one way or another :)

# generate.py
import json
import pprint
import sys
import steam.webauth as mwa
import steam.guard as g

#############################################
# Insert your Steam Account's username below
#############################################
steamUsername = "mySteamAccountUsername"
#############################################
# No need to edit anything else from here!
#############################################

# Instantiate and initialize the ValvePython/steam library's MobileWebAuth
user = mwa.MobileWebAuth(steamUsername)
user.cli_login()  # prompts for the password and, if needed, email code or captcha

# Verify that the login worked, otherwise exit
if not user.logged_on:
    sys.exit("Failed to log user in")

# Add SteamAuthenticator to your account
sa = g.SteamAuthenticator(backend=user)
sa.add()  # an SMS code will be sent to the phone number registered in the Steam Account

print("2FA Secrets:")
pprint.pprint(sa.secrets)

# Save the secrets to a file for safety (delete it once they are stored somewhere safe)
bkpFile = './2FA-secrets.json'
with open(bkpFile, 'w') as fh:
    json.dump(sa.secrets, fh)
print(f"\n\nSecrets saved to {bkpFile}")
print("\n\nYou can now finish setting up Steam Guard Mobile Authenticator in your phone!")