Today, we're making some changes to the way two-factor auth operates, as well as slightly changing how you manage the email addresses associated with your account.
First, a brief explanation of the way the two-factor auth system worked before today. After setting up two-factor, you are asked to enter a code at login, and again whenever you need to enter "sudo mode". Sudo mode is simply "elevated privileges" on your account. For example, to request a payout, change your email, set an item's price, etc., you must be in sudo mode (or not have two-factor auth enabled). To enter sudo mode, you are prompted for a code from your two-factor app. Sudo mode persists (for a single login session / IP) for a few hours before requiring another code to perform elevated actions.
Sudo mode is designed to increase account security beyond the initial login gate; requiring an additional code ideally stops most phishing attacks. However, there are still scenarios in which unauthorized access to an account can be devastating; for example, changing your payout email requires sudo mode, but if you are sudo'd or don't have two-factor, there is no further verification required. The same is true for requesting a payout.
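The gate described above, sketched as an added example; this is not Marketplace.tf's code. The three-hour lifetime (the post only says "a few hours"), the `code_is_valid` flag standing in for real two-factor code verification, and all names are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: the post says "a few hours"; three is a placeholder value.
SUDO_TTL_SECONDS = 3 * 60 * 60


@dataclass
class Session:
    session_id: str
    two_factor_enabled: bool
    # (ip, granted_at) stored when a two-factor code was last accepted
    sudo_grant: Optional[Tuple[str, float]] = None


def enter_sudo(session, request_ip, code_is_valid, now=None):
    """Grant sudo mode to this session, bound to the requesting IP."""
    if not code_is_valid:  # hypothetical stand-in for checking the app code
        return False
    session.sudo_grant = (request_ip, time.time() if now is None else now)
    return True


def in_sudo_mode(session, request_ip, now=None):
    """True only for the same session and IP, within the lifetime."""
    if session.sudo_grant is None:
        return False
    granted_ip, granted_at = session.sudo_grant
    now = time.time() if now is None else now
    return request_ip == granted_ip and now - granted_at < SUDO_TTL_SECONDS


def may_perform_elevated_action(session, request_ip, now=None):
    """Gate for payouts, email changes, price changes and similar actions."""
    if not session.two_factor_enabled:
        # The gap the post points out: without two-factor there is no
        # gate, so a stolen session can act with no further verification.
        return True
    return in_sudo_mode(session, request_ip, now)
```

The last branch is the weak point: the sudo check protects only accounts that have enabled two-factor, and within the lifetime it asks for nothing further.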
To solve these issues, we're making some changes to two-factor as well as how you change your payout email.
If you use two-factor, here's what changes for you:
Here's what changes for everybody:
We highly recommend that you use two-factor on your Marketplace.tf account. To set up two-factor authentication, click here. If you sell items or retain any credit on Marketplace, these are inherently at risk if you do not use two-factor authentication. We are committed to account security, but it's a two-way street: your account is most secure when you take the steps provided to protect it.