beemdevelopment / Aegis

A free, secure and open source app for Android to manage your 2-step verification tokens.
https://getaegis.app
GNU General Public License v3.0

Accept QR codes with type 'steam' (e.g. otpauth://steam/....) #343

Closed rossengeorgiev closed 4 years ago

rossengeorgiev commented 4 years ago

Hi, I'm the author of https://github.com/ValvePython/steamctl, which can now generate a QR code for Steam. The QR code works, but the user still needs to manually select Steam as the type. Do you think that's something that can be added?

Sample QR code: (image)

michaelschattgen commented 4 years ago

Ah, nice! I think it would be nice to add support for these Steam QR codes; however, I don't support the suggested method. Normal QR codes with the issuer name 'Steam' will be imported incorrectly. I think it would be better if you add a new parameter which doesn't break other features.

What do you think @alexbakker?

alexbakker commented 4 years ago

I would suggest changing the host in the URI to steam instead of totp. This would violate Google Authenticator's URI spec, so other authenticator apps will reject the URI, which is good because they're not going to be able to display the code correctly anyway.

Aegis doesn't support steam as the host yet either, but we can add that easily.

rossengeorgiev commented 4 years ago

@michaelschattgen That's a good point. I think Steam used to support regular TOTP, and the secrets still contain a URI for that.

A custom type is the best solution as it is exactly for this, but I wasn't sure how willing people would be to break the spec.

alexbakker commented 4 years ago

One could argue that pretending a Steam OTP secret is TOTP in the Google Authenticator URI is also breaking the spec, haha. I'm still a fan of replacing totp with steam in the host of the URI. That way, apps without support will reject it and apps that do support Steam only need to make one small change to their code.

rossengeorgiev commented 4 years ago

I also raised the same issue on a different 2FA app, and the author agreed that type is the best way forward. In fact, the change is now in: https://github.com/andOTP/andOTP/issues/510#issuecomment-615835977

alexbakker commented 4 years ago

Excellent! Here's the equivalent PR for Aegis: #366.
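
Added example, not part of the thread and not code from Aegis, andOTP or steamctl: a Python sketch of an importer that dispatches on the URI host as proposed above, rejects hosts it does not know, and shows why a Steam secret imported as plain TOTP displays the wrong code. The function names and sample URI are hypothetical; the secret is the RFC 4226 test key, and the 5-character Steam rendering and its alphabet are not stated in the thread.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, unquote, urlsplit

STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"  # 26 symbols used for Steam codes
SUPPORTED_TYPES = {"totp", "steam"}            # URI hosts this sketch accepts

# Constructed sample input: base32 of the RFC 4226 test key "12345678901234567890".
SAMPLE_URI = ("otpauth://steam/Steam:alice"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Steam")

def parse_otpauth(uri):
    """Return (type, label, key bytes); raise ValueError for unsupported input."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    otp_type = (parts.hostname or "").lower()
    if otp_type not in SUPPORTED_TYPES:
        # Fail closed: an unknown type must never be imported as plain TOTP.
        raise ValueError(f"unsupported OTP type: {otp_type!r}")
    params = parse_qs(parts.query)
    if "secret" not in params:
        raise ValueError("missing secret parameter")
    secret = params["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore base32 padding if it was stripped
    return otp_type, unquote(parts.path.lstrip("/")), base64.b32decode(secret)

def truncated_hotp(key, counter):
    """RFC 4226 dynamic truncation: 31-bit integer taken from HMAC-SHA1."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF

def render_code(otp_type, key, unix_time, period=30):
    """Same HMAC value, different display: 6 digits for totp, 5 symbols for steam."""
    value = truncated_hotp(key, unix_time // period)
    if otp_type == "steam":
        chars = []
        for _ in range(5):
            value, index = divmod(value, len(STEAM_ALPHABET))
            chars.append(STEAM_ALPHABET[index])
        return "".join(chars)
    return f"{value % 10**6:06d}"

if __name__ == "__main__":
    otp_type, label, key = parse_otpauth(SAMPLE_URI)
    print(label, render_code(otp_type, key, 59), "vs totp", render_code("totp", key, 59))
```
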