At a glance (haven't enabled yet, will later today), GoG uses the RFC standard TOTP model. This means you can use whatever app you want whether that is the google authenticator that ties it to your cloud account, something related to your password manager (e.g. keepass or bitwarden), or even just a python script you have in a random directory. It gives you control of your 2FA and protects you in the event you lose a device without properly de-authenticating it.

Valve use their own model that, to my knowledge, is only accessible through the Steam mobile app. Which is a huge nightmare if you ever have a device stolen/damaged (and is why you back up the recovery code)

Just enabled. Yup, bog standard TOTP and they even provide the plaintext key so that I don't have to extract it from a QR code.

[–] Ulrich@feddit.org 7 points 5 days ago* (last edited 5 days ago) (1 children)

It ~~presumably~~ works with a normal TOTP app.

E: confirmed it works

[–] Sonotsugipaa@lemmy.dbzer0.com 4 points 5 days ago (1 children)

Steam works with a normal TOTP app for me, hell, it works with two normal TOTP apps for me

[–] Ulrich@feddit.org 5 points 5 days ago (1 children)

I'm pretty sure it doesn't but I'll bite: How did you set that up?

[–] Sonotsugipaa@lemmy.dbzer0.com 3 points 5 days ago (1 children)

I don't recall, I've set it up a few years ago - I've been trying to look for instructions for another comment, but it seems that they made it VERY difficult for people without rooted Android to obtain the TOTP secret.

Though it is RFC 6238 compliant, using 5 digits instead of 6.

[–] Ulrich@feddit.org 5 points 4 days ago* (last edited 4 days ago) (1 children)

Okay, let's say there's currently no native support for normal TOTP, mostly because Steam doesn't give you access to your TOTP key.

[–] Sonotsugipaa@lemmy.dbzer0.com 2 points 4 days ago (1 children)

That much I can agree with at this point.

Actually, it's arguably even worse - it's not that Steam doesn't support normal TOTP, it's that Steam goes out of their way to prevent TOTP from being used without switching to an entirely new algorithm.

[–] Ulrich@feddit.org 2 points 4 days ago* (last edited 4 days ago) (1 children)

Could be worse. GOG's approach is super annoying, and a lot of platforms (like fucking Apple) actually require the use of insecure and invasive SMS verification. And as far as I know Steam hasn't been hit with any data breaches since 2011.

[–] Sonotsugipaa@lemmy.dbzer0.com 4 points 4 days ago

require the use of insecure and invasive SMS verification

My honest reaction:

[–] ramble81@lemm.ee 2 points 5 days ago (2 children)

Unless I’m missing something, Steam only does code to email 2FA, not an actual TOTP app

[–] Ulrich@feddit.org 10 points 5 days ago (1 children)

They have TOTP but only in their app.

[–] ramble81@lemm.ee 3 points 5 days ago (1 children)

So effectively, they don’t do what GOG is doing.

[–] Ulrich@feddit.org 3 points 5 days ago

Not exactly, no

[–] Sonotsugipaa@lemmy.dbzer0.com -1 points 5 days ago (1 children)

Steam works with a normal TOTP app for me, hell, it works with two normal TOTP apps for me

[–] ramble81@lemm.ee 2 points 5 days ago (1 children)

Teach a brother how? I swear I couldn’t find it anywhere in the account settings.

[–] Sonotsugipaa@lemmy.dbzer0.com 3 points 5 days ago* (last edited 5 days ago)

I don't quite remember how to get the TOTP secret from the Steam app (they could in fact take notes from GOG here), iirc you have to extract it from the Android app via adb;
but once you have it, if this GitHub comment is correct you simply have to set the code size to 5 digits.

If your phone has a rooted Android install, I found this guide.

... I swear when I did it, it wasn't this hard ._.