by butz 297 days ago
The worst offender in 2FA business is Steam, as it uses custom 2FA and you must install their app - no way to use 3rd party OTP without jumping through hoops and risking security.
3 comments

At work we use OneLogin, set to require the app. However, it stores a regular TOTP code in the app, it's just encrypted with the android keystore. I had to hook the base64 decoding function on my rooted phone to extract it, and put it in my password manager instead. I've been unable to figure out how to decrypt keystore-encrypted secrets in any other way.
You could have also used "fridump" [0] to dump the app memory and search for strings that look like TOTP secrets.

[0] https://github.com/rootbsd/fridump3
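The "regular TOTP code" the comment above refers to is the RFC 4226 / RFC 6238 algorithm that every standard authenticator app (Aegis included) implements, which is why a secret stored that way works in any OTP app once you have it. The block below is an added reference implementation, not code from the thread, OneLogin, Aegis or Steam; it includes the verifier side (drift window plus replay protection) that a service checking codes would need, and the only inputs it uses are the published RFC test vectors and a constructed base32 seed.

```python
"""Reference HOTP/TOTP (RFC 4226 / RFC 6238), prover and verifier side.
Added example for this thread; not code from OneLogin, Aegis or Steam."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last MAC byte selects a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter = number of time steps since the Unix epoch."""
    return hotp(secret, at_time // step, digits, algorithm)


def secret_from_base32(seed: str) -> bytes:
    """Decode the base32 seed carried in an otpauth:// URI (apps usually omit '=' padding)."""
    seed = seed.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def verify_totp(secret: bytes, code: str, at_time: int, last_step: int = -1,
                window: int = 1, step: int = 30, digits: int = 6,
                algorithm: str = "sha1"):
    """Server-side check. Accepts the code for the current step or up to `window`
    steps of clock drift either side, but never for a step at or before the
    last step already consumed (so a captured code cannot be replayed).
    Returns the accepted step number, or None on rejection."""
    for drift in range(-window, window + 1):
        candidate_step = at_time // step + drift
        if candidate_step <= last_step:
            continue
        expected = hotp(secret, candidate_step, digits, algorithm)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return candidate_step
    return None


if __name__ == "__main__":
    rfc_seed = b"12345678901234567890"  # RFC 6238 Appendix B test secret
    print(totp(rfc_seed, 59, digits=8))  # 94287082
    # Constructed base32 seed, as an authenticator app would store it:
    print(totp(secret_from_base32("JBSWY3DPEHPK3PXP"), int(time.time())))
```

The `last_step` bookkeeping is the part most often left out of home-grown verifiers: without it a code that was shoulder-surfed or phished stays valid for the whole drift window even after the legitimate user has already used it.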

Same with the European Commission. They are turning standard OTP off and requiring a custom phone-only app.

Guess they cannot wait for passkeys to tie you to one Apple or Google account.

I believe Aegis has you sorted with Steam as well
Couldn't Steam break this any second though?
Or one could run into some edge case, e.g. when Steam asks for a different code when trying to change the Steam password - https://github.com/beemdevelopment/Aegis/issues/1613 .
https://github.com/beemdevelopment/Aegis/blob/v3.4.1/app/src...

> // NOTE: this assumes that a global root shell has already been obtained by the caller

:-/

My recollection when I last tried this stunt is that it's a boatload of nonsense to try and exfiltrate the Steam credential material, and I wasn't able to find any supporting docs in Aegis nor on their site about any alternative they have to "root your phone and sniff the keys out of the sibling app".