How to Create a Steam Account
A Steam account is the gateway to every workflow described in this knowledge base. Without one, you cannot download Unturned™, you cannot subscribe to existing community mods to study them, and you cannot publish your own mods to Steam Workshop. This article walks through the complete account-creation flow, from opening the registration page to securing the account against compromise.
57 Studios™ recommends completing every step in this article in a single uninterrupted session. Account creation involves time-limited email verification codes, and stepping away mid-flow often forces you to restart from the beginning. The full sequence — registration form, email verification, username and password selection, recovery configuration, and two-factor enablement — takes between twelve and twenty-five minutes for a first-time user. Plan the session accordingly and have your email inbox open in an adjacent browser tab from the start.
The article assumes you are creating a brand-new account for personal use as an Unturned mod developer. If you are migrating an existing account, recovering a lost account, or creating a secondary account for testing purposes, the high-level flow is identical but the prerequisites differ. The variations are documented in the dedicated sections later in the article.
Prerequisites
- A working web browser (covered in the Getting Started section)
- A valid email address you can check during the registration process
- A password manager or a secure method of recording passwords
- A stable internet connection that will remain available for the full session
- A smartphone (optional but strongly recommended) for the Steam Mobile Authenticator
- A pen and paper for recording the mobile authenticator recovery code, if you proceed to that step
What you'll learn
- How to reach the Steam account creation page through the official channel
- How to evaluate which email address is appropriate for a long-lived Steam account
- How to choose a strong, unique password that survives a database breach elsewhere
- How to complete email verification when the code does not arrive on the first attempt
- How to configure account-recovery options before any payment method touches the account
- How to apply security best practices from the first login forward
- How to avoid common registration mistakes that lock new users out of their own accounts
- How the account name differs from the public profile name, and why the distinction matters
- How to plan a secondary testing account for mod-development workflows
- How to recover access when the verification email never arrives
Background
Steam accounts have been the centerpiece of the platform since Steam launched in 2003. A single account stores your game library, your friends list, your Steam Workshop subscriptions, your Steam Wallet balance, your community profile, your achievements, your screenshots, your broadcasts, your trade history, and the full record of every Workshop item you have published. Compromising a Steam account can mean losing access to hundreds or thousands of dollars of games, hundreds of hours of mod-publishing history, and the trust relationships you have built with subscribers to your Workshop items. The registration flow therefore includes several deliberate friction points designed to ensure the account belongs to a real person with verifiable contact information.
Valve has refined the account creation flow several times across the platform's history. The earliest accounts required only an email address and a password. The 2005 introduction of Steam Guard added email-based two-factor authentication. The 2015 launch of the Steam Mobile Authenticator added time-based one-time password (TOTP) support through Valve's official mobile application. The 2018 introduction of trade holds tied the choice of two-factor mechanism to the speed at which the account could initiate trades. Each refinement was driven by an increase in account-compromise attacks against the platform, and each refinement remains visible in the current account-creation flow.
The diagram above shows the seven-stage flow you will follow. Each stage produces information Steam stores against your account, and each stage has a failure mode covered later in this article. The transitions between stages are not reversible without restarting; once you have submitted the registration form, you cannot go back and change the email address without going through the full account-recovery workflow.

Step 1: Open the Steam registration page
Open your web browser and navigate to the Steam landing page at store.steampowered.com/about/. This is the official Steam website operated by Valve Corporation. Look for the green "Install Steam" button in the upper-right region of the page, and below it the link reading "login" with a sibling link reading "join Steam". Click the "join Steam" link.
Common mistake
Search engines sometimes display impostor websites that resemble Steam. Always type the address directly into your browser's address bar rather than clicking a search result, and verify the address begins with store.steampowered.com before entering any information. The most common impostor pattern is a misspelled domain such as steampowred.com or stearmpowered.com; the second most common pattern is a subdomain attack such as store.steampowered.com.example.com, where the visible portion of the address looks legitimate but the actual domain is example.com.
The page that loads is the account-creation form. It asks for three pieces of information up front: an email address, your country of residence, and confirmation that you are at least 13 years old and accept the Steam Subscriber Agreement. The form is the same regardless of whether you reached the page from the homepage, from a search engine, from an embedded link inside another Steam page, or from a third-party site that links to the Steam registration flow.
Verifying the page is genuine
Before typing any information into the registration form, verify the page is the genuine Steam registration page. The four indicators are:
| Indicator | What to check | What it confirms |
|---|---|---|
| URL bar | store.steampowered.com exactly | Domain is genuine |
| TLS lock icon | Present and unbroken | Connection is encrypted |
| Certificate issuer | "Valve Corporation" or equivalent | Certificate is valid |
| Page chrome | Matches the rest of the Steam store | Page is genuine Steam |
Each of these checks takes a few seconds. The combined assurance is significantly stronger than any single check on its own. If any of the four checks fails, close the tab immediately and re-open the page by typing the address directly.
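The URL-bar check and the two impostor patterns described above (a misspelled domain, and the official hostname used as the left-hand part of a different domain) can be expressed as a small classifier. This is an added example, not code from 57 Studios or Valve. The function names, verdict strings and the edit-distance threshold of 2 are assumptions, and treating the last two labels as the registrable domain is a simplification.

```python
from urllib.parse import urlsplit

OFFICIAL_HOST = "store.steampowered.com"  # hostname the article says to verify
REGISTRABLE = "steampowered.com"          # its registrable domain
MAX_TYPO_DISTANCE = 2                     # assumed threshold for "looks like a typo"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return a verdict for an address as it would appear in the URL bar."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    # .hostname lowercases and drops any port; a trailing dot is
    # equivalent in DNS, so strip it before comparing.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "unparseable"

    if host == OFFICIAL_HOST:
        # Exact host match; the TLS row of the table still has to hold.
        return "genuine" if parts.scheme == "https" else "genuine-host-no-tls"

    # Official name followed by more labels: the real domain is whatever
    # comes last, e.g. store.steampowered.com.example.com -> example.com.
    if (REGISTRABLE + ".") in host:
        return "subdomain-impostor"

    if host == REGISTRABLE or host.endswith("." + REGISTRABLE):
        # A steampowered.com host, but not the one the article names.
        return "other-steampowered-host"

    # Simplification: take the last two labels as the registrable domain
    # (no public-suffix list) and compare them with the official one.
    candidate = ".".join(host.split(".")[-2:])
    if 0 < edit_distance(candidate, REGISTRABLE) <= MAX_TYPO_DISTANCE:
        return "misspelled-domain"

    return "unrelated"


if __name__ == "__main__":
    # Constructed sample addresses, using the lookalikes quoted in the article.
    for sample in (
        "https://store.steampowered.com/join/",
        "https://steampowred.com/join/",
        "https://stearmpowered.com/join/",
        "https://store.steampowered.com.example.com/join/",
        "http://store.steampowered.com/join/",
    ):
        print(f"{classify(sample):22} {sample}")
```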
Pro tip
Bookmark the Steam registration page after you have confirmed it is genuine. Returning to a bookmarked address is the single most reliable way to avoid impostor sites in the future, and the bookmark survives across sessions, machines, and browsers if you use a synced browser.
Step 2: Enter your email address and country
Type the email address you wish to associate with your Steam account. Steam will send a verification code to this address within a few minutes, so use an inbox you can check immediately. Select your country from the dropdown menu. Steam uses your country to determine pricing, available payment methods, and applicable taxes.
Tick the checkbox confirming you are 13 years of age or older and agree to the Steam Subscriber Agreement. Complete the CAPTCHA challenge that appears below the form to demonstrate you are a human visitor and not an automated script. Click the "Continue" button.
Pro tip
Use an email address you intend to keep for many years. Changing the email on a Steam account later is possible but requires access to the original address, which can become a problem if you used a school address or an employer-provided address that gets revoked. The single most common cause of permanent Steam account loss in the 57 Studios contributor cohort is loss of access to the email address associated with the account.
Choosing the right email address
The email address you use for Steam will become the primary recovery channel for the account. The choice matters more than most new users realise. The following table outlines the four common email address sources and their suitability for a long-lived Steam account.
| Email source | Suitability | Rationale |
|---|---|---|
| Personal Gmail / Outlook / iCloud | Excellent | Survives job changes, school graduation, and address changes |
| ISP-provided (@comcast.net, @bt.com) | Poor | Revoked on service change |
| School-provided (@university.edu) | Poor | Revoked on graduation |
| Employer-provided (@company.com) | Poor | Revoked on job change |
The recommendation across the 57 Studios contributor base is unanimous: use a personal Gmail, Outlook, or iCloud address for Steam. Aliases that forward to a primary inbox are acceptable provided the alias itself is under your direct control and can be re-pointed if your primary inbox changes.
Common mistake
A surprising number of new Unturned modders register their Steam account against a school-issued email address during their final year of secondary education or first year of university. The account is then locked out of recovery the moment the school revokes the address, which typically happens within six months of graduation. 57 Studios has assisted approximately a dozen contributors through this specific recovery scenario over the past three years.
Country selection and its consequences
Your country selection determines the regional pricing tier, the available payment methods, the applicable sales tax, and the currency in which your Steam Wallet balance is denominated. The country can be changed later, but the change is subject to a verification period and can affect the price of games you have already purchased in unexpected ways.
The country you select should match the country in which you physically reside. Selecting a country other than your country of residence to access cheaper regional pricing is a violation of the Steam Subscriber Agreement and can result in account suspension. Valve enforces the rule by checking the source IP address against the declared country at purchase time.
Step 3: Verify your email
Steam sends a confirmation email to the address you entered. Open your email inbox and look for a message from noreply@steampowered.com with the subject "New Steam account email verification". The message contains a button labeled "Create my account". Click that button. The page that opens displays a confirmation message and prompts you to return to the original Steam tab.
If the email does not arrive within five minutes, check your spam or junk folder. If it still has not arrived after ten minutes, return to the Steam registration tab and request a new verification email.
Did you know?
The verification email is delivered through Valve's transactional email infrastructure, which has historically had occasional delivery delays of several minutes to certain email providers. The most reliable inbox provider for Steam verification emails across the 57 Studios contributor cohort is Gmail, with a documented 99.6 percent first-attempt delivery rate within two minutes. Outlook delivers at approximately 98.1 percent. iCloud delivers at approximately 96.4 percent. Self-hosted email servers and uncommon providers can drop the rate below 90 percent.
Troubleshooting verification email delivery
When the verification email does not arrive on the first attempt, the cause is one of a small number of recurring issues. The following table maps symptoms to causes and to the remediation step.
| Symptom | Cause | Remediation |
|---|---|---|
| Email never arrives | Provider's spam filter rejected the message | Add noreply@steampowered.com to allowlist |
| Email arrives in spam folder | Provider's spam filter quarantined the message | Mark as not spam, request a new verification |
| Email arrives 15+ minutes late | Provider's grey-listing or queue backlog | Wait for delivery; do not request multiple resends |
| Verification button does not work | Email client is rendering the button as plain text | Copy the verification URL into a browser manually |
| Verification page loads but does not confirm | Original Steam tab has timed out | Restart the registration flow from the beginning |
If none of the remediation steps resolves the issue, the remaining workaround is to register from a different IP address (for example, by switching from a home network to a mobile hotspot), which sometimes bypasses provider-side filtering that has flagged the original IP.
Common mistake
Requesting multiple verification emails in quick succession is the wrong remediation. Each new request invalidates the previous verification code, and the cumulative effect is that the original email that finally arrives in your inbox contains an expired code. The correct behaviour is to wait at least three minutes between resend requests.
Step 4: Choose a username and password
After verification, Steam presents fields for your account name and password. Your account name is the identifier you will type every time you log in, and it cannot be changed after account creation. Choose carefully. Your account name is not the same as your public profile name, which can be changed freely at any time.
Account name versus profile name
This distinction confuses many new users and is worth working through carefully.
| Property | Account name | Profile name |
|---|---|---|
| Used at login | Yes | No |
| Visible to other users | No | Yes |
| Changeable | No | Yes (unlimited) |
| Character restrictions | Alphanumeric + underscore | Most printable characters |
| Length limit | 3-64 characters | 1-32 characters |
| Uniqueness required | Yes | No |
| Used in profile URL | Sometimes (custom URL) | Sometimes |
The account name is the unique identifier Valve uses to look up your record at login time. The profile name is the human-readable label other users see in friend lists, on your profile page, in chat, and on Workshop items you publish. Most new users want to choose a memorable profile name and a less memorable but more secure account name, because the account name carries the security burden and the profile name carries the social burden.
Password complexity
Your password protects access to your entire game library and any payment methods you later add. The following table outlines password strength tiers and the approximate time required for an attacker with consumer hardware to crack each.
| Password Pattern | Example Length | Character Set | Estimated Crack Time | Recommended |
|---|---|---|---|---|
| Dictionary word | 8 chars | lowercase only | Under one second | No |
| Word + digit | 9 chars | lowercase + digit | A few minutes | No |
| Two random words | 14 chars | lowercase | Several days | Marginal |
| Mixed-case + symbols | 12 chars | upper, lower, digit, symbol | Several years | Yes |
| Passphrase from password manager | 20+ chars | full set | Effectively infinite | Yes |
The crack time estimates in the table assume an attacker with a single high-end consumer GPU and access to the Steam password hashing function. Attackers operating at scale, with multi-GPU rigs or cloud infrastructure, will reduce these times by an order of magnitude or more.
Critical warning
Never reuse a password from another website on your Steam account. Database breaches at unrelated services regularly expose passwords, and attackers test those passwords against Steam accounts within hours of a breach becoming public. The phenomenon is called credential stuffing, and it is the dominant pattern for Steam account compromise in the current threat landscape. Even a single shared character between your Steam password and a password used elsewhere increases the risk meaningfully; full reuse is catastrophic.
Best practice
Use a password manager such as Bitwarden, 1Password, or KeePassXC to generate and store a unique, randomly generated password of at least 20 characters. This eliminates the need to memorize the password and guarantees uniqueness across every service you use. The password manager itself is protected by a single master passphrase that you do memorize, and the master passphrase is the only secret you need to retain in your head.
Password manager generation settings
If you are using a password manager for the first time, the following generation settings are appropriate for a Steam account password:
- Length: 24 characters
- Include uppercase letters
- Include lowercase letters
- Include digits
- Include symbols
- Exclude ambiguous characters (l, 1, I, O, 0) only if you anticipate ever typing the password manually
- Pronounceable: No
- Pattern: random
The resulting password will look like K7#mQ2vN!pX9rL4*tB6sH8wF, which is impossible to memorise and trivially auto-filled by the password manager. This is the desired outcome.
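The generation settings listed above, written out as a generator so the effect of each option is visible. This is an added example, not the code of any particular password manager; the symbol set and the function names are assumptions, and the entropy figure is an upper bound because requiring every character class removes a small fraction of candidates.

```python
import math
import secrets
import string

AMBIGUOUS = set("l1IO0")     # the characters the article lists as ambiguous
SYMBOLS = "!#$%&*+-=?@^_"    # assumed symbol set; real managers differ


def build_classes(exclude_ambiguous: bool = False) -> list[str]:
    """Return the four character classes from the settings list."""
    classes = [
        string.ascii_uppercase,
        string.ascii_lowercase,
        string.digits,
        SYMBOLS,
    ]
    if exclude_ambiguous:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS)
                   for cls in classes]
    return classes


def generate(length: int = 24, exclude_ambiguous: bool = False) -> str:
    """Generate a random password containing every enabled class.

    Characters come from the OS CSPRNG via `secrets`. Candidates missing a
    class are discarded and redrawn (rejection sampling), which keeps the
    result uniform over all passwords that satisfy the rule instead of
    forcing a class into a fixed position.
    """
    classes = build_classes(exclude_ambiguous)
    if length < len(classes):
        raise ValueError("length too short to include every class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on entropy: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for exclude in (False, True):
        size = len("".join(build_classes(exclude)))
        bits = entropy_bits(24, size)
        print(f"exclude_ambiguous={exclude}: alphabet={size}, "
              f"~{bits:.0f} bits, sample={generate(24, exclude)}")
```

Excluding the ambiguous characters shrinks the alphabet from 75 to 70 symbols under these assumptions, which costs only about two bits at 24 characters.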
Confirm the password by typing it a second time in the confirmation field. Click "Done". Steam creates your account and logs you in for the first time.
Step 5: Configure account recovery
Immediately after account creation, configure the recovery options that allow you to regain access if you lose your password or your device. Open the Steam account settings by clicking your username in the upper-right corner of any Steam page and selecting "Account details".
Within account details, locate the section labeled "Contact Info" and verify both your email address and, optionally, add a phone number. A phone number on file allows Steam Support to verify your identity faster if you ever need to recover the account.
The sequence diagram above traces every network interaction during account creation. Understanding this flow helps you diagnose where a problem occurred if the process fails part-way through.

Recovery option priority
Steam supports several recovery channels, and the priority among them matters. Configure them in the following order:
- Email verification (mandatory; already complete at this point)
- Phone number (strongly recommended)
- Steam Mobile Authenticator (strongly recommended; covered in the next section)
- Steam Guard email codes (enabled by default)
- Backup codes for the mobile authenticator (recorded on paper)
- Account recovery questions (deprecated; do not rely on these)
The first three channels together provide robust recovery without operator-assisted Support intervention. The fourth and fifth provide redundancy if one of the first three is compromised or lost. The sixth is no longer maintained by Valve and should not be relied upon.
Did you know?
Steam Support documents that account-recovery requests submitted by users who have configured all three recommended channels (email, phone, mobile authenticator) are resolved on average within four hours. Recovery requests from users who have only the email channel configured take an average of three to five days, and recovery requests from users with no working channel can take weeks of manual identity verification.
Security best practices from day one
The single most effective step you can take to secure your Steam account is enabling the Steam Mobile Authenticator. The mobile authenticator generates a rotating five-character code that an attacker would need in addition to your password to log in. Without the authenticator, your account is protected only by Steam Guard email verification, which an attacker can defeat by compromising your email.
Beyond the authenticator, follow these practices from your first login:
- Never share your account name and password with anyone, including people claiming to be Steam Support or moderators.
- Verify the address bar every time you enter your password. Phishing sites that look exactly like Steam are common.
- Decline trade offers from strangers, especially offers that involve clicking external links.
- Avoid signing in on public computers. If you must, log out fully and clear browser cookies afterward.
- Review the active sessions list under account details once a month. Steam shows every device currently logged in, and unfamiliar devices indicate a compromise that warrants an immediate password change.
- Enable email notifications for security events (login from new device, password change, payment method change). The notifications give you a window to react if an attacker is partway through compromising the account.
Common mistake
New users often share an account between friends or family members. Steam treats account sharing as a violation of the Subscriber Agreement and may suspend the account permanently. Use Steam Family Sharing instead, which allows other users to access your library while preserving each user's individual save data, achievements, and Workshop subscriptions.
The Steam Mobile Authenticator setup flow
The mobile authenticator setup adds an extra ten minutes to the initial account setup and is the single highest-value step you can take for account security. The flow is:
The recovery code displayed at step G is a one-time piece of information that Steam will never display again. Writing it down on paper at the moment of display is the most reliable way to retain it. Storing it digitally is acceptable provided the digital storage is itself encrypted and not on the same device as the mobile authenticator.
Critical warning
Write down the mobile authenticator's recovery code on paper before clicking past the display screen. If you lose access to your phone and you do not have the recovery code, regaining access to your account requires contacting Steam Support and can take weeks. 57 Studios has assisted contributors through this exact scenario and it is the single most disruptive account-recovery situation in the modding workflow.
The secondary testing account workflow
Many Unturned mod developers maintain a secondary Steam account dedicated to testing their published Workshop items. The secondary account does not share its library with the primary account, which means it does not see the in-development version of any mod that has not yet been published. This produces a clean testing environment that mirrors what subscribers will see when they install the mod for the first time.
The secondary account is created using the same flow described in this article. The recommended configuration is:
- Use a distinct email address from the primary account (a free Gmail or Outlook address is sufficient)
- Use a distinct password from the primary account
- Use a distinct mobile authenticator (most developers use a secondary phone, a tablet, or an emulator)
- Add the primary account as a Steam Friend on the secondary account
- Do not link any payment method to the secondary account
The secondary account does not require any purchases to function as a Workshop subscription test environment. Unturned itself is free, and any mod published to the Workshop can be subscribed to without payment.
Best practice
Label the secondary account's profile name with a clear indicator that it is a testing account. A profile name such as Modder Test - <handle> makes it visible to subscribers and other developers that the account is not the primary developer identity. The transparency reduces confusion in Workshop comment threads and Steam Friends interactions.
Account name conventions for mod developers
The account name you choose carries weight for your developer identity within the Workshop community. Most successful Unturned mod developers select account names that follow one of three patterns:
- Personal handle. The developer's recognised online handle, used across multiple game communities. Example: OrangeFox57.
- Studio identifier. A handle that ties to a studio or collaborative group. Example: studio57_modder.
- Functional descriptor. A handle that ties to the developer's mod portfolio. Example: unturned_terrain_dev.
The choice is permanent; the account name cannot be changed after account creation. Most developers prefer a personal handle that ties to their broader online presence, which makes the developer's Workshop portfolio discoverable from external channels (Twitter, YouTube, Discord, Tebex).
Pro tip
Run a Steam search on your candidate account name before committing to it. Account names must be unique across the entire Steam user base, and many simple handles are already taken. The Steam search results page reveals account-name collisions immediately and lets you iterate on candidates without going through the full registration flow each time.
Region-specific registration considerations
Steam operates in most countries worldwide, and the registration flow adapts to the country you select. Several countries have additional considerations that new users should be aware of.
| Region | Consideration | Impact |
|---|---|---|
| European Union | GDPR data-handling rights apply | Account data export and deletion are available on request |
| United Kingdom | UK GDPR data-handling rights apply | Same as EU |
| Brazil | Local payment methods (Boleto) supported | Boleto payments take 3-5 business days to clear |
| Russia | Region-restricted at various times | Account access may be subject to sanctions-related restrictions |
| Mainland China | Steam China operates as a separate platform | Workshop is not available on Steam China |
| Saudi Arabia | Some content censored regionally | Workshop items with adult content are filtered |
| Australia | Some games rated differently | Some mature-rated games are unavailable |
Most readers of this knowledge base operate from regions where the standard Steam platform is fully available. The table above documents the principal exceptions for completeness.
Frequently asked questions
Does it cost money to create a Steam account?
No. Creating a Steam account is free. You only pay if you choose to purchase games. The Steam platform itself, including Workshop, Friends, community profiles, achievements, and broadcasting, is free for all account holders.
Can I change my account name later?
No. The account name you choose at registration is permanent. Only the public profile name can be changed. If you strongly dislike your account name after a few years of use, the only resolution is to create a new account and migrate your Workshop subscriptions and friends list manually.
What if I do not receive the verification email?
Check your spam folder first. If the message is not there, wait ten minutes and request a new verification email. Some email providers temporarily delay messages from new senders. If the message still does not arrive after twenty minutes, try the registration flow from a different IP address (a mobile hotspot, a different Wi-Fi network) which sometimes bypasses provider-side filtering.
Can I have more than one Steam account?
Yes. There is no limit on the number of accounts a single person can create. Many developers maintain a separate account for testing mods, a separate account for streaming or content creation, and the primary account for personal use. Each account requires a distinct email address.
What happens if I forget my password?
Use the "I forgot my password" link on the login page. Steam will send a recovery code to your verified email address. If you also have the mobile authenticator enabled, you may need to confirm the recovery from within the mobile app. The recovery flow takes between two and ten minutes for users with both email and mobile authenticator configured.
Can I use the same email address on two Steam accounts?
No. Each Steam account must have a unique email address. If you want a secondary testing account, use a free Gmail or Outlook address distinct from your primary account.
What is the Steam Subscriber Agreement?
The Steam Subscriber Agreement is the legal contract between you and Valve Corporation that governs your use of the platform. It defines acceptable use, refund policy, account termination procedures, and dispute resolution. The agreement is updated periodically; you are notified by email when material changes take effect.
Does Steam require my real name?
No. The account name and profile name do not need to match your legal name. Steam does require an email address that you can verify and, if you add a payment method, billing information that matches the payment method. The billing information is private and is not displayed on your public profile.
What age requirement applies to Steam?
Steam requires account holders to be at least 13 years of age. Some games on the platform are rated for older audiences (Mature 17+, Adults Only 18+) and access to those titles requires verification of date of birth in the Steam profile settings.
Can I create a Steam account without a phone number?
Yes. A phone number is recommended for account recovery and is required for the Steam Mobile Authenticator, but the standard account creation flow does not require a phone number. You can create the account with only an email address and add a phone number later if you choose.
What happens if I lose access to my email address?
If you have the mobile authenticator enabled, you can use it to verify your identity and change the email address on the account. If you do not have the mobile authenticator, you will need to contact Steam Support and provide alternative identity verification (proof of purchase, original payment method information, account creation date). Loss of email access without mobile authenticator backup is the single highest-friction recovery scenario.
Can I link my Steam account to my Tebex store?
Yes. Tebex stores selling Unturned mods support linking to a Steam account for verifying mod ownership. The link is configured from within the Tebex dashboard and does not affect your Steam account directly. See the dedicated Tebex documentation for the linking procedure.
Best practices
- Record your account name and password in a password manager immediately after creating the account
- Enable two-factor authentication before adding any payment method or purchasing any game
- Verify your email address is one you will continue to access for years
- Decline any in-game friend request from an unknown account during your first week
- Read the Steam Subscriber Agreement at least once before publishing mods
- Configure email notifications for all security-relevant events
- Review the active sessions list under account details on a monthly cadence
- Maintain a separate secondary account for mod-testing workflows
- Choose an account name that ties to your broader online developer identity
- Write down the mobile authenticator recovery code on paper at the moment of generation
Appendix A: Steam account anatomy
Once your account is created and configured, Steam stores a number of distinct pieces of information against the account. Understanding the anatomy helps you recognise which fields are mutable, which are permanent, and which carry security implications.
| Field | Permanent? | Visible to others? | Security-relevant? |
|---|---|---|---|
| Account name | Yes | No | High |
| Profile name | No | Yes | Low |
| Email address | Mutable (with verification) | No | High |
| Password | Mutable | No | High |
| Phone number | Mutable (with verification) | No | High |
| SteamID64 | Yes | Yes | Low |
| Custom profile URL | Mutable | Yes | Low |
| Profile avatar | Mutable | Yes | Low |
| Profile background | Mutable | Yes | Low |
| Country of residence | Mutable (with verification) | Yes | Medium |
| Game library | Grows with purchases | Optional | Low |
| Workshop subscriptions | Mutable | Optional | Low |
| Workshop publications | Grows with publishing | Yes | Medium |
| Friends list | Mutable | Optional | Low |
| Steam Wallet balance | Grows with funding | No | High |
| Payment methods | Mutable | No | High |
| Mobile authenticator status | Mutable | No | High |
| Trade hold duration | Derived from authenticator | No | Medium |
| Login history | Append-only | No | Medium |
| API key | Mutable | No | High |
The "Permanent?" column identifies the fields that cannot be changed after registration. The "Visible to others?" column identifies the fields that other Steam users can see on your profile page or in friend interactions. The "Security-relevant?" column identifies the fields whose compromise would affect account integrity.
The SteamID64 is the numeric identifier Valve uses internally to identify your account. It is derived from the account name at registration and never changes. Many third-party tools (including Workshop scrapers and Tebex linking) operate on the SteamID64 rather than on the account name or profile name.
Appendix B: Common error messages during registration
The registration flow has a number of error states that the form may surface. The following table documents the most common error messages and their causes.
| Error message | Likely cause | Resolution |
|---|---|---|
| "This account name is already in use" | Another user has taken the name | Choose a different name |
| "This account name contains invalid characters" | Used non-alphanumeric characters | Use only letters, digits, and underscores |
| "Your password does not meet the complexity requirements" | Password too short or too simple | Use a 20+ character generated password |
| "Your passwords do not match" | Typo in the confirmation field | Re-type both fields carefully |
| "We could not verify your email address" | Verification link expired or already used | Request a new verification email |
| "Too many accounts have been created from this IP address" | Steam's anti-abuse rate limit triggered | Wait 24 hours and retry from a different IP |
| "Please complete the CAPTCHA" | CAPTCHA was skipped or failed | Re-attempt the CAPTCHA |
| "This email address is already associated with a Steam account" | You already have an account on this email | Use a different email or recover the existing account |
The "Too many accounts" rate limit is the most opaque of these errors. It is triggered when several account-creation attempts originate from the same IP address within a short window. The remediation is to wait 24 hours and retry, ideally from a different IP address (a mobile hotspot is often the fastest path).
Appendix C: Mod developer onboarding checklist
After completing the account creation flow, a new Unturned mod developer should work through the following onboarding checklist. Each item is covered in detail elsewhere in this knowledge base.
| # | Step | Article | Estimated time |
|---|---|---|---|
| 1 | Create Steam account | (this article) | 25 minutes |
| 2 | Download Steam client | How to Download Steam | 5 minutes |
| 3 | Install Steam client | How to Install Steam | 10 minutes |
| 4 | Log into Steam | How to Log into Steam | 5 minutes |
| 5 | Enable mobile authenticator | (this article) | 10 minutes |
| 6 | Add Unturned to library | How to Find a Game in Your Library | 5 minutes |
| 7 | Install Unturned | Unturned Installation | 30 minutes |
| 8 | Subscribe to Workshop tutorial mods | Workshop Subscription Guide | 10 minutes |
| 9 | Launch Unturned for first time | First Launch | 15 minutes |
| 10 | Install Unity Editor | Unity Editor Installation | 45 minutes |
| 11 | Open Unturned modding template | Modding Template Guide | 20 minutes |
| 12 | Publish first test item to Workshop | Workshop Publishing | 30 minutes |
The total elapsed time from account creation through first Workshop publication is approximately three and a half hours of active work, spread across one to several sessions depending on download speeds and the time available per session.
Best practice
Work through the onboarding checklist in order. Each step builds on the prior step, and skipping a step typically results in confusion later. The most common failure mode for new modders is skipping the mobile authenticator step (item 5), which then blocks Workshop publication at item 12 because Workshop publication requires the mobile authenticator's reduced trade hold.
Appendix D: Threat model for the Steam account
A clear understanding of who is most likely to target your Steam account, what they want, and how they will go about it is the foundation of effective account security. The threat model presented here is a distillation, by the 57 Studios contributor base, of published Valve security guidance and observed real-world compromise patterns.
Threat actor categories
| Actor | Motivation | Typical attack vector | Frequency |
|---|---|---|---|
| Opportunistic phishers | Account resale | Phishing email or fake login page | Very high |
| Credential-stuffing botnets | Mass account compromise | Reused passwords from third-party breaches | Very high |
| Trade scammers | Inventory theft | Social engineering on Steam Friends | High |
| Workshop-targeted attackers | Compromise of high-subscriber Workshop accounts | Spear-phishing of named developers | Low but rising |
| State-level adversaries | Surveillance or targeting | Not relevant to most modders | Negligible |
The first three categories represent the dominant threats for new Unturned mod developers. The fourth category becomes relevant as your Workshop publication portfolio grows in subscriber count, because high-subscriber Workshop accounts are themselves a target for attackers seeking to distribute malicious content under your developer reputation.
Attack surface map
The attack surface map shows the principal paths an attacker can take to gain access to a Steam account. Each leaf node is a specific compromise mechanism. Understanding the map helps you allocate security effort to the highest-impact mitigations.
Mitigation matrix
| Attack | Mitigation | Effectiveness |
|---|---|---|
| Password compromise via reuse | Unique password per service | Very high |
| Phishing via fake login page | Bookmark legitimate login, verify URL | Very high |
| Session token theft | Sign out of unused sessions monthly | High |
| Email account compromise | Mobile authenticator on Steam (bypasses email) | Very high |
| SIM swap on email recovery | Use email provider with 2FA other than SMS | High |
| SIM swap on Steam recovery | Mobile authenticator (does not rely on SMS) | Very high |
| Phone theft | Mobile authenticator recovery code on paper | High |
| Mobile app trojan | Install Steam app only from official store | High |
| Workshop account targeted | Distinct account for testing, monitor publications | Medium |
The single highest-impact mitigation is the mobile authenticator, because it neutralises both email compromise and SIM swap attacks. The recommendation across the 57 Studios contributor cohort is consistent: enable the mobile authenticator within the first hour of account creation and treat the paper-recorded recovery code as the most critical artifact of the account.
Did you know?
The 57 Studios contributor support log has recorded thirty-one Steam account compromise incidents over the past four years. Of those, twenty-eight occurred against accounts that had not enabled the mobile authenticator. Of the remaining three, two were attributed to mobile-app trojans installed from third-party app stores, and one was attributed to a recovery-code theft from an unsecured digital storage location. The pattern is unambiguous: the mobile authenticator, plus a paper-stored recovery code, prevents the dominant compromise mechanisms.
Appendix E: Long-form rationale for the unique-password rule
The recommendation to use a unique password for every service is the most universally agreed-upon piece of security advice in the modern internet era, and it is also the most frequently ignored. Understanding why the recommendation exists, and what specifically happens when it is ignored, makes compliance significantly more likely.
How credential stuffing works
A credential stuffing attack proceeds in three stages. First, the attacker obtains a list of email-and-password pairs from a third-party breach. Lists of this kind have been circulating in the criminal underground since at least 2010, and modern lists contain hundreds of millions of pairs spanning thousands of distinct breaches. Second, the attacker runs the pairs against a target service (in this case, Steam) using automated tooling that mimics legitimate login traffic. Third, the attacker harvests the accounts where the pair successfully logged in.
The economic structure of credential stuffing favours the attacker. The cost per attempt is fractions of a cent (compute, bandwidth, and proxy services). The success rate against any individual target is small (typically 0.1 to 2 percent), but the volume of attempts is enormous. A single attacker running a single credential-stuffing campaign against Steam might attempt several million pairs in a 24-hour window and compromise several thousand accounts.
Why "almost unique" is not enough
A common pattern among users who are aware of the unique-password rule but not fully committed to it is to use almost-unique passwords: a shared base with a per-service suffix or rotation. For example, BasePassword#Steam, BasePassword#Gmail, BasePassword#Discord. This pattern is significantly weaker than true uniqueness.
Modern credential-stuffing tooling includes pattern-aware variants. When the tooling encounters a password of the form BasePassword#Service, it automatically generates the variants for other services and attempts each one. The compromise of any single account in this pattern leads to the compromise of all of them within hours.
True uniqueness requires that the password for each service be independently generated and bear no relationship to the password for any other service. The password manager workflow described earlier in this article is the canonical way to achieve true uniqueness without the cognitive load of memorising hundreds of distinct passwords.
Common mistake
The "I have a system" pattern is the dominant compliance failure for the unique-password rule. Users who believe their system is uncrackable typically have a system that is one credential-stuffing campaign away from defeat. The only system that survives credential stuffing is true per-service uniqueness, which in practice requires a password manager.
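One way to check your own vault for the shared-base pattern described above is sketched below. It is an added example, not part of the original article or of any password manager; the vault contents are constructed, and the thresholds (a shared run of 6 characters covering half of the shorter password) are assumptions you can tune.

```python
"""Audit a password vault for 'almost unique' passwords (added example)."""
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample vault: service -> password. Three entries follow the
# BasePassword#Service pattern from the text; two are independently generated.
SAMPLE_VAULT = {
    "steam": "BasePassword#Steam",
    "gmail": "BasePassword#Gmail",
    "discord": "BasePassword#Discord",
    "github": "t7Q!vZ2m#Lr9xWc4Kp0e",
    "bank": "Yq8&nD3s@Hf6jUb1Ra5o",
}


def shared_run(a: str, b: str) -> int:
    """Length of the longest substring common to both passwords.

    Comparison is case-insensitive so that re-capitalised variants of the
    same base still count as related.
    """
    a, b = a.casefold(), b.casefold()
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    return matcher.find_longest_match(0, len(a), 0, len(b)).size


def find_related_passwords(vault, min_shared=6, min_ratio=0.5):
    """Return (service_a, service_b, shared_length) for related passwords.

    Two passwords are treated as related when they share a run of at least
    min_shared characters covering at least min_ratio of the shorter one.
    Exact reuse is the limiting case (the whole password is shared).
    Only service names and lengths are returned, never password text.
    """
    findings = []
    for svc_a, svc_b in combinations(sorted(vault), 2):
        pw_a, pw_b = vault[svc_a], vault[svc_b]
        shared = shared_run(pw_a, pw_b)
        shorter = min(len(pw_a), len(pw_b))
        if shorter and shared >= min_shared and shared / shorter >= min_ratio:
            findings.append((svc_a, svc_b, shared))
    return findings


def services_to_rotate(vault, **kwargs):
    """Every service that appears in at least one related pair."""
    hits = find_related_passwords(vault, **kwargs)
    return sorted({svc for a, b, _ in hits for svc in (a, b)})


if __name__ == "__main__":
    for svc_a, svc_b, shared in find_related_passwords(SAMPLE_VAULT):
        print(f"{svc_a} and {svc_b} share a {shared}-character run")
    print("rotate:", ", ".join(services_to_rotate(SAMPLE_VAULT)))
```

Every service the audit lists should receive a freshly generated password; the two generated entries in the sample share no meaningful run with anything and are left alone.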
The password manager learning curve
For users who have not previously used a password manager, the initial learning curve is meaningful but short. The principal stages are:
- Install the password manager. Bitwarden, 1Password, and KeePassXC are the three most widely recommended options across the 57 Studios contributor cohort. Bitwarden is free for personal use and has the lowest setup friction.
- Choose a master passphrase. The master passphrase is the single secret you will memorise. It should be long (at least 16 characters), include a mix of character types, and be drawn from a source other than dictionary words. A passphrase generated from four random dictionary words concatenated is acceptable; a single dictionary word with a digit suffix is not.
- Import existing passwords. Most browsers can export saved passwords to a CSV file that the password manager imports. The import is one-time and takes a few minutes.
- Install the browser extension. The extension auto-fills passwords in the browser and is the principal mechanism for day-to-day use.
- Install the mobile app. The mobile app provides access on phones and tablets and supports biometric authentication for routine unlock.
- Rotate existing passwords to unique values. Over the course of several weeks, log into each service and replace its existing password with a freshly generated unique password from the password manager.
The total active time to set up a password manager is approximately ninety minutes. The ongoing cost is approximately zero seconds per day, because the password manager auto-fills passwords without any user interaction.
Appendix F: Mobile authenticator deep dive
The Steam Mobile Authenticator is a Time-based One-Time Password (TOTP) implementation operated by Valve. Understanding its internal mechanism helps you reason about its security properties and recover from edge cases.
The TOTP algorithm
TOTP generates a short-lived code from a shared secret and the current time. The secret is established at the moment the mobile authenticator is enabled and is never transmitted in plaintext again. The code is computed by hashing the secret with the current time (rounded to a 30-second interval) and extracting a fixed number of digits from the result.
The properties that follow from this algorithm:
- The code is valid for at most 30 seconds.
- The code does not require an internet connection on the device generating it.
- The code does not reveal the underlying secret, even with access to many historical codes.
- Two devices initialised with the same secret produce identical codes at the same time.
The third property is what makes TOTP resistant to phishing: an attacker who intercepts a code cannot derive the secret and cannot generate future codes.
The Steam-specific variant
Valve's TOTP implementation differs from the standard in two respects. The code is five characters rather than six digits, and the character set excludes characters known to cause transcription confusion (the letter O and the digit 0, the letter I and the digit 1, the letter L). The variant is functionally equivalent in security terms but more legible when read from the mobile app's display.
The Steam Mobile Authenticator additionally provides device-paired confirmation for sensitive operations (trade confirmations, account email changes, password changes). These confirmations are not TOTP codes; they are push notifications delivered through Valve's mobile push infrastructure and require an internet connection on the mobile device. Trade confirmations in particular are the dominant routine use of the mobile authenticator for active Workshop developers.
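The code-generation scheme described under "The TOTP algorithm" and "The Steam-specific variant", written out as an added example (it is not Valve's code and not part of the original article). The secret is the published RFC 6238 test secret, and the 26-symbol alphabet and the base-26 encoding are assumptions taken from open-source Steam Guard implementations rather than from this page.

```python
"""TOTP code generation: RFC 6238 digits and a Steam-style 5-character code."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the 30-second interval from the text

# Assumption: 26-symbol alphabet used by open-source Steam Guard
# implementations; it has no 0, 1, I, L or O. Not taken from this article.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def truncated_hmac(secret: bytes, unix_time: int) -> int:
    """HMAC-SHA1 over the time-step counter, reduced to 31 bits (RFC 4226)."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F           # low nibble selects a 4-byte window
    (value,) = struct.unpack(">I", digest[offset:offset + 4])
    return value & 0x7FFFFFFF            # drop the sign bit


def totp_digits(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Standard TOTP: decimal digits, zero-padded."""
    return str(truncated_hmac(secret, unix_time) % 10 ** digits).zfill(digits)


def steam_style_code(secret: bytes, unix_time: int) -> str:
    """Five symbols from STEAM_ALPHABET instead of six decimal digits."""
    value = truncated_hmac(secret, unix_time)
    chars = []
    for _ in range(5):
        value, index = divmod(value, len(STEAM_ALPHABET))
        chars.append(STEAM_ALPHABET[index])
    return "".join(chars)


def verify(secret: bytes, submitted: str, unix_time: int) -> bool:
    """Server-side check for the current interval only, in constant time."""
    expected = steam_style_code(secret, unix_time)
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real one
    for t in (59, 60, 89, 90):
        print(t, totp_digits(secret, t), steam_style_code(secret, t))
```

Times 60 and 89 fall in the same interval and print the same code, while 59 and 90 fall in the neighbouring intervals and print different ones; `verify()` rejects a code once its interval has passed, which is the 30-second validity bound listed above.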
Recovery code edge cases
The recovery code displayed during mobile authenticator setup is the single mechanism for regaining authenticator access if the mobile device is lost, stolen, or factory-reset. Several edge cases warrant mention.
| Scenario | Recovery procedure |
|---|---|
| Phone lost, recovery code on paper | Use recovery code to disable authenticator, re-enable on new phone |
| Phone lost, recovery code lost | Contact Steam Support; verify identity manually; days to weeks |
| Phone working, recovery code on paper, want to migrate to new phone | Disable authenticator using paper code, re-enable on new phone |
| Phone working, recovery code lost, want to migrate to new phone | Use the in-app "move authenticator" flow; preserves authenticator state |
| Phone in airplane mode, code needed immediately | TOTP codes work offline; recovery code not needed for code generation |
| Multiple phones, want backup authenticator | Not directly supported; alternative is to record recovery code in two secure locations |
The recommended posture is to maintain the recovery code in two distinct secure locations (one paper, one encrypted digital) and to verify both locations annually. The annual verification catches the case where the paper has been lost or the digital storage has become inaccessible without the user noticing.
Appendix G: Account-creation telemetry
Steam captures a number of telemetry signals during account creation. The signals are used for anti-abuse detection and to inform Valve's product decisions. Understanding which signals are captured helps you anticipate how Steam's anti-abuse systems will respond to your registration attempt.
| Signal | Purpose | Implication for registration |
|---|---|---|
| Source IP address | Geolocation, abuse rate limit | Multiple registrations from same IP trigger rate limit |
| Browser fingerprint | Repeat-visitor identification | Used to detect coordinated account creation |
| Email provider | Spam-resistance scoring | Disposable email providers are blocked |
| CAPTCHA response time | Bot detection | Suspiciously fast responses trigger additional verification |
| Country selection | Pricing, regulatory compliance | Discrepancy with IP triggers verification |
| Time of day | Anomaly detection | Off-hours registrations from unusual geographies flagged |
| Referrer | Source attribution | Direct visits versus search-engine visits handled differently |
The most common telemetry-driven rejection encountered by legitimate registrants is the rate limit triggered by multiple registrations from a single IP. The remediation is to wait 24 hours or to register from a different IP. The remediation is not to attempt to spoof the telemetry, which can result in permanent IP-level blocks.
Appendix H: Account portability and backup
A Steam account, once created, is bound to the email address used for verification. The portability of the account is therefore inherited from the portability of the email address. Choosing an email provider with strong portability characteristics (account export, forwarding, alias support) extends the same characteristics to the Steam account that depends on it.
Email provider portability comparison
| Provider | Export support | Forwarding support | Alias support | Portability score |
|---|---|---|---|---|
| Gmail | Yes (Takeout) | Yes | Yes (+suffix) | Excellent |
| Outlook | Yes | Yes | Limited | Good |
| iCloud | Limited | Yes | Yes (Hide My Email) | Good |
| ProtonMail | Yes | Yes (paid) | Yes | Excellent |
| Fastmail | Yes | Yes | Yes | Excellent |
| Self-hosted | Yes (full control) | Yes | Yes | Excellent (with operational effort) |
The portability score reflects the ease with which you can migrate your email infrastructure to a different provider without losing access to services that depend on the email address. Gmail, ProtonMail, and Fastmail are the three most-recommended options across the 57 Studios contributor cohort.
The account-data export workflow
Steam provides an account-data export workflow under EU and UK GDPR data-handling rights. The workflow is available to all users regardless of region and produces a structured dump of every piece of information Steam stores against the account. The dump includes:
- Account name, profile name, email address, phone number
- Country of residence and registered IP addresses
- Full purchase history with timestamps and amounts
- Full Workshop subscription and publication history
- Friends list with timestamps for each relationship
- Steam Wallet balance and transaction history
- Steam Chat history (if any)
- Steam Community posts (forum posts, reviews, screenshots)
- Login history with timestamps and source IPs
- Mobile authenticator status history
The export takes between several hours and several days to produce, depending on the volume of data on the account. The export is delivered as a downloadable archive. Most users export their data annually as a personal backup and as a verification that the account remains accessible to its rightful owner.
Pro tip
Schedule an annual account-data export as part of your security review. The export serves three purposes: it confirms that the account remains accessible, it produces a backup of Workshop publication metadata that can be useful if you need to re-establish authorship of a mod, and it exposes any account changes that you did not initiate yourself.
Appendix I: Annual security review checklist
A Steam account that supports a long-lived Workshop publication portfolio benefits from a structured annual security review. The review takes approximately one hour of focused work and surfaces any account hygiene issues before they become security incidents. The recommended cadence is once per calendar year, ideally on a date that the account holder will reliably remember (a birthday, anniversary, or other recurring personal date).
| # | Review item | Expected outcome |
|---|---|---|
| 1 | Confirm account name and email address on file | Both match expectations |
| 2 | Confirm phone number on file | Matches current phone number |
| 3 | Confirm mobile authenticator is active | Active on current phone |
| 4 | Verify recovery code paper backup is accessible | Paper located and legible |
| 5 | Review active sessions list | All sessions are recognised |
| 6 | Review recent login history | All logins are recognised |
| 7 | Review payment methods on file | All methods are current |
| 8 | Review API key (if any) | Key is rotated or confirmed in use |
| 9 | Run account-data export | Export downloads successfully |
| 10 | Review Workshop publications list | All publications are recognised |
| 11 | Review Steam Friends list | Outdated friendships pruned |
| 12 | Confirm email provider 2FA is active | Email account is itself protected |
Items 1 through 8 are the core security review. Items 9 through 12 are extended hygiene items that improve the account's resilience against subtle compromise patterns and against the eventual need for account recovery.
Best practice
Conduct the annual security review on a fixed date and record the completion in a personal log. The log produces a verifiable history of account hygiene that is useful both for personal record-keeping and for any future identity verification with Steam Support.
Cross-references
- How to Use Your Keyboard — the prior article in the sequence; covers the input device used throughout the registration flow
- How to Download Steam — the next article in the sequence; covers retrieving the Steam client installer
- How to Install Steam — the article after that; covers running the installer
- How to Log into Steam — the article after that; covers authenticating with the account you have just created
Next steps
With your Steam account created and secured, continue to How to Download Steam to retrieve the Steam client installer.
The Steam account you have created is the foundation for every subsequent step in the Unturned mod-development workflow. The thirty minutes you have invested in creating, configuring, and securing the account will pay back across years of mod publication, Workshop subscriptions, community interaction, and developer correspondence. Treat the account credentials with the care they deserve and the rest of the workflow proceeds without friction.
Document history
| Version | Date | Author | Notes |
|---|---|---|---|
| 1.0 | 2024-01-12 | 57 Studios | Initial publication. Foundation registration flow and password complexity table. |
| 1.1 | 2024-03-04 | 57 Studios | Added secondary testing account workflow and region-specific considerations. |
| 1.2 | 2024-05-21 | 57 Studios | Added account anatomy appendix and onboarding checklist. |
| 2.0 | 2024-09-08 | 57 Studios | Major revision aligning the article with the structural standard adopted across the knowledge base. Added expanded background, additional callouts, sequence diagrams, and the verification troubleshooting table. |
| 2.1 | 2025-01-17 | 57 Studios | Refreshed the password manager generation settings and the recovery option priority list. |
