Yesterday, Valve posted on their Steamworks Development site about some updates coming soon to Steamworks users.
They state that users that “setting builds live on the default/public branch of a released app” will be required to have a phone number associated with that account. This is so Steam will be able to text you an MFA code in order to login. The change will be taking place on October 24, 2023.
While no specific event has been cited to trigger this change, many are speculating that this may be due to the recent uptick of projects being hijacked by bad actors who have then upload malicious code. Valve is working to purge the projects that have been affected by these hacks along with the aforementioned security additions.
While the move overall is a good one for Valve to protect its users, it does raise some questions as to why they are using SMS verification instead of something more secure like using an MFA tool like Google Authenticator, Authy, or even iOS’ built-in code generator. Also, Steam has SteamGuard which can be used to both login users and be used as a MFA. SMS has been known to be very insecure as someone would only need to socially engineer a carrier to get access to the phone number, send it to a new SIM, and take codes.
