What triggers new Steam Guard codes?

[MikeLund]

Hi,

I have a small handful of bots where I'm still using 2FA-email. I'm wondering, is it known what triggers that "It looks like you are trying to log in from a new device" email?

It's seemingly random, happening on a "random few" bots every few months. I have nothing else using these accounts, I'm confident they're secured, and I of course don't do anything with any of the files in the config directory.

So do you have any idea why, or do you think that it's 100% "random"? If you don't know either, I guess it's one of those Steam mysteries and we can close this. (Yes, I probably should convert to ASF-2FA anyways :))

[JustArchi]

Probably nothing we can do about that. I don't have any account that I'm actively using that is not used by ASF to confirm this, but I assume the same is happening from time to time to normal accounts as well.

ASF is keeping refresh tokens around and re-uses them if possible, for as long as they remain valid. In practice, this means that if you launch ASF at least once per month for given account, it should not ask for re-authorization. Nonetheless, Steam can force re-authorization at any given time by refusing previously saved ASF's refresh token, which is the reason for the situation you're describing.

Could even be that they've implemented a system that checks how long given session is established, and randomly decide to kill it if it looks too much like some phishing site, e.g. the session is on all the time for a very long time, indicating bot activity.

I can only suggest using ASF 2FA, as you've mentioned yourself.