Valve is introducing a fresh authentication system for game developers in response to a significant security breach on Steam. While Valve acknowledges that this change might pose challenges for developers, the company views it as a necessary step to safeguard Steam and its users from potential future attacks.
Steam stands as the largest online distributor of PC games, catering to a wide spectrum of creators, from AAA studios to independent developers. However, Steam's prominence also makes it an attractive target for cybercriminals. Recently, malicious actors infiltrated the accounts of several Steam developers, enabling them to distribute malware through game updates. Although the impact of this attack was limited, affecting fewer than 100 players, Valve contacted them via email to alert them to the potential risk. Nevertheless, the incident underscored a substantial security breach within Steam's defenses.
In an effort to forestall future attacks, Valve will soon mandate that developers pass a two-factor authentication check before updating a released game. Steam partners will be required to link a phone number with their account, to which Steam will send an authentication code via text message. Developers will also need to employ two-factor authentication when updating a game or granting new users access to their Steamworks group.
Valve acknowledges in the Steam post's FAQ that some independent game developers might not have access to a mobile device. Nevertheless, Valve's stance is that they must have a means of receiving text messages if they wish to update their games on Steam or provide new users access. It's important to note that this policy applies solely to main branch updates, which Steam automatically installs on a user's computer, and not to unreleased games or beta updates.
In addition, only administrators of a Steamworks group will have the authority to invite new users. Steamworks developers will no longer be able to update their games using the SteamCMD tool, with the exception of beta testing. Instead, they will need to log in to the Steamworks website to update a game's default branch. Furthermore, developers employing SetAppBuildLive will require a valid Steam ID and must download the Steam App to continue updating their games through that method.
These new regulations come into effect on Tuesday, October 24, and Valve encourages Steamworks developers to set up their two-factor authentication in advance to avoid disruptions in access. Valve also indicates that it will expand the requirement for two-factor authentication to other Steamworks functions in the future, although the post doesn't delve into specifics.
It's important to note that these changes primarily concern Steamworks developers, and the average Steam user is unlikely to notice any significant alterations. The hope is that these new policies will help avert potential security breaches down the line.
