$this->getThoughts()

PSA: Do not use Steam Guard Authenticator

Steam Guard Authenticator is designed to be a 2FA solution for your Steam account, to help keep it safe. I'm here to tell you that you should deactivate it post haste.

Recently I switched mail provider to Proton Mail and with it also gained access to Proton Pass. After transferring all my passwords across from BitWarden, I've been going through all my online accounts and updating or deleting them. Apparently Proton Pass considers a lot of the passwords I generated with BitWarden to be weak, so for a lot of my accounts I've also been generating new ones.

Steam was one of those accounts where I hadn't updated my password since I first created it over a decade ago. In order to improve my account security, I thought I might quickly change it. This led to a bizarre series of errors and bugs which left me wondering what the development workflow looks like at Valve.

Steam: the Catch-22 account lockout

Years ago, as per Steam's recommendation, I had enabled Steam Guard Authenticator for my account. This requires 2FA via the Steam app on your phone in order to log in to the Steam desktop application and the website. Seems like a sensible security measure, especially considering the amount of money I've spent on games linked to my Steam account.

After updating my password in the desktop app I was immediately logged out and asked for my username and password. Also a sensible security measure on Steam's part.

However, upon trying to log in again I was asked to verify myself using Steam Guard Authenticator. So I picked up my phone, opened the Steam app and found that I was logged out there as well. Except, in order to get to the 2FA screen of the app you need to be logged in. Attempting to log in on my phone also asked me to verify myself using the exact device and app I was attempting to log in on. Bug number 1.

This was already a bizarre situation to end up in and one that should certainly have been caught by Steam's QA team, but my woes didn't end there.

Underneath the login form there was a helpful link "I don't have access to my mobile app". Clicking this link led me to a second form where I could fill in my account email and do a reCAPTCHA. However, no matter what I did, the reCAPTCHA would always fail. I attempted this multiple times, clicking correct and incorrect options, and always got the exact same error message. Bug number 2.

Going back to the initial login form, there was also an option to recover my account using a Backup Recovery Code. 10-year-ago me had had the forethought to save this code in my password manager, so I had one readily available. Copying it and pasting it into the recovery code field showed, however, that Steam had apparently changed the code format within the last decade: the codes now consist of 7 characters instead of the 6 that mine had. Bug number 3.

Recalling that the Steam desktop app is actually just a webview inside a wrapper and suspecting that my earlier issue with the reCAPTCHA had something to do with this, I opened my browser and navigated to the Steam website as a last ditch effort. Clicking the "I don't have access to my mobile app" link once again gave me a reCAPTCHA, but this time it worked correctly. Hurrah!

I immediately disabled Steam Guard Authenticator for my account and logged in again on my phone. The app then crashed to a black screen and refused to open until I deleted it and reinstalled, but that's a separate issue.

I'm now on Community Marketplace cooldown due to deactivating Steam Guard Authenticator, but I'll just have to deal with the backlog of Counter-Strike crates at a later date.

A plea to Valve

Despite my advice to remove Steam Guard Authenticator, I do lament the loss of 2FA for what is probably my most valuable online account. So, here is a plea to Valve: allow the use of third-party 2FA apps to secure Steam accounts, ones which by default work without being logged in to your Steam account.

#2fa #advice #gaming #steam #valve