Frequently Asked Questions - HilliamT/Vapor-Authenticator GitHub Wiki

You can find any questions previously asked by other users here. This is not a conclusive list and will be constantly updated with each question that is asked.

How did you come about Vapor?

As a long-term investor, it can be tricky sometimes for me to manage all of my alternative Steam storage accounts, especially during each seasonal TF2 event and CS:GO operation. This involves both having to login to that account by logging out of your main account and then logging into each one individually or programmatically should you need to process (list on Steam Community Market, send them elsewhere to someone else etc.) or store any items.

Solutions for this either include having all of your accounts use your mobile authenticator app, which may be a nuisance if you treat it like so, or having to use Steam Desktop Authenticator (SDA) or WinAuth. SDA requires installation of several software packages and can be difficult for some users to set up. Similar to SDA, an out-of-the-box solution like WinAuth unfortunately doesn’t support MacOSX (which I use).

I’ve created this desktop authenticator application to help me standardise management of my alts as well as experiment more with Steam’s APIs for my other projects, and I thought that it would be helpful for others to make use of should they be in a similar position.

What are the security risks with using Vapor?

One of the key things I should note is that this application does defeat the purpose of 2FA, in which a virus infecting your computer may hijack the authenticator app if it is actively aware of it, meaning that you unknowingly installing a virus on your desktop becomes the single point of failure to your stored accounts being compromised.

As such, it is advised that you should not use this as a primary means of Steam authentication, unless you accept full responsibility of preventing unauthorised access to your computer and are definite that the tradeoff of convenience outweighs the security risk.

I should also note that I do not encrypt secrets at the moment as I've personally haven't come across a need for it. For those who are cautious, I would highly and greatly recommend sticking to Steam Mobile Authenticator / encrypted Steam Desktop Authenticator / WinAuth or assisting in adding a secure file encryption method that does not cheap out on security. Bad security (e.g obfuscation) is as good as no security.

(MacOSX) I recently installed Vapor but have received a message in which it could not be loaded because it did not come from an identified developer. What should I do?

The cost of receiving certification as an identified developer for Apple devices to sign software and certify it is $99 or £79.99. As a project I've just built in my free time that I use purely for myself, I don't look as to make anything from this and thus, the certification costing isn't sustainable for me to take on.

If you do get an error, you can load the application by going to System Preferences > Security & Privacy and click Open Anyway.

How can I update to the latest version of Vapor?

Download the installer, delete your shortcut of the application and load the installer.

Do you ever store my password?

Unless your account is not using any authentication method (just username and password), no.

Where can I found my shared_secret / identity_secret / any info stored for my accounts?

You can find any information used by the authenticator saved in your operating system's respective Application Support / Data folder, saved in config.json. For example, on MacOSX, this is ~/Library/Application Support/vapor-authenticator/config.json.

The format of the data can be seen here.

Do make duplicates of this file from time to time. If you lose the details in this file, you may be screwed. You will need to let Steam know that you have lost your authenticator for the accounts that are using Vapor as their authenticator.

How does the application login to my account password-less after the first login?

This is enabled for all accounts that do have some sort of 2FA process attached to the account, not necessarily Vapor. After a login is performed, an OAuth token is returned to allow you to log you back into a previous session. This token can last for quite some while (upwards of a month) before the user has to login again using their username and password, and will be saved on your disk to utilise.

What happens if I am using Vapor as my authenticator and I get logged out?

As long as your secrets are saved on your disk, Vapor will just need your username and password and it will smartly generate a 2FA code on your behalf.

I encountered a bug. How and where can I report this?

You can report any bugs here.

The application will have the top-bar option for you to toggle on Developer Tools of which you will be able to see any output or errors in the Console section. Please take a screenshot of this when making your bug report.

How can I contribute?

You can read details on how to contribute here.

What features can I help to add?

You can find a roadmap of features I would like to add. Fork this repository, make a work-in-progress pull request, and make your commits of the feature. This will help with letting everyone know that you are working on implementing that feature.