Steam's mobile token is essentially two-factor authentication (2FA) built on the TOTP algorithm, so the TOTP secret from the mobile app can be extracted and used in Bitwarden.
Note
Extracting the mobile Steam TOTP requires rooting the phone and installing the LSP.
After installing the SteamGuardExtractor or SteamGuardDump LSP module and applying it to Steam, opening Steam automatically copies the token, as shown below:
{
  "accounts": {
    "xxxxxxxxxxxxxxxx": {
      "shared_secret": "xxxxx+testxxxxxxxxxxxxxx=",
      "identity_secret": "/xxxxxxxxxxxxxxxxxxxxx=",
      "secret_1": "xxxxxxxxxxxxxxxxxxx=",
      "serial_number": "xxxxxxxxxxxxxxxxxx",
      "revocation_code": "xxxxxx",
      "account_name": "xxxxx",
      "token_gid": "xxxxxxxxxxxx",
      "steamguard_scheme": 2,
      "steamid": "xxxxxxxxxxxxxxxxxx"
    }
  }
}
Following the instructions in SteamTools #2276 and the Python script provided there, shared_secret needs to be converted from Base64 to Base32.
That is, replace YOUR_SHARED_SECRET with the value of shared_secret from the token example extracted above.
import base64
shared_secret = 'xxxxx+testxxxxxxxxxxxxxx='
print("Secret:", base64.b32encode(base64.b64decode(shared_secret)).decode())
Run this Python file; if your computer does not have Python installed, you can use the Python3 online tool from Cainiao Tools to run it.
After running, the terminal outputs Y4OHDR7LL2ZNY4OHDRY4OHDRY4OHC===.
My Steam TOTP is then the Base32-format shared_secret prefixed with steam://.
steam://Y4OHDR7LL2ZNY4OHDRY4OHDRY4OHC===
Add this TOTP to Bitwarden's Authenticator Key (TOTP) field and confirm that the generated 5-digit verification code is in sync with the mobile device. If they are in sync, it is correct.
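To check the converted key offline against the phone, the code can also be computed locally from shared_secret. This is an added example, not code from the original page or from SteamTools; the function names are illustrative, and it assumes Steam Guard's usual TOTP variant (HMAC-SHA1, 30-second window, five characters drawn from a 26-symbol alphabet).

```python
import base64
import hmac
import struct
import time

# Symbol set Steam Guard uses in place of decimal digits (assumed, see lead-in).
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def truncated_hotp(key, counter):
    """RFC 4226 dynamic truncation: HMAC-SHA1 of the 8-byte counter -> 31-bit int."""
    digest = hmac.new(key, struct.pack(">Q", counter), "sha1").digest()
    offset = digest[-1] & 0x0F
    return struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF


def steam_guard_code(shared_secret_b64, unix_time=None):
    """Five-character code for the 30-second window containing unix_time."""
    key = base64.b64decode(shared_secret_b64)
    now = time.time() if unix_time is None else unix_time
    value = truncated_hotp(key, int(now) // 30)
    chars = []
    for _ in range(5):
        # Standard TOTP takes value mod 10^n; here it is rendered in base 26.
        value, idx = divmod(value, len(STEAM_ALPHABET))
        chars.append(STEAM_ALPHABET[idx])
    return "".join(chars)


def bitwarden_key(shared_secret_b64):
    """Base64 shared_secret -> Base32 with the steam:// prefix, as on this page."""
    raw = base64.b64decode(shared_secret_b64)
    return "steam://" + base64.b32encode(raw).decode()


if __name__ == "__main__":
    # Placeholder secret copied from the example JSON above, not a real token.
    placeholder = "xxxxx+testxxxxxxxxxxxxxx="
    print("Bitwarden key:", bitwarden_key(placeholder))
    print("Current code: ", steam_guard_code(placeholder))
```

Running this on the machine that holds the exported JSON keeps shared_secret local; the printed code should match both the phone and Bitwarden within the same 30-second window.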
*If your phone does not have root access, you can refer to the tutorials below to obtain shared_secret:
- Dogcraft: Export token from the new Steam app (3.5) without root
- SteamTools: #2129 (Inject JavaScript to obtain token)