Ask HN: Can we (or at least Valve) stop using SMS for identity?

  • What external identity information that is immutable would you like them to use? Your state or government issued ID? Because those change over time as well. Your physical address? That changes too. A 2FA app on your phone? Sometimes those get lost or broken in an unrecoverable way as well. Perhaps submitting a DNA sample would be sufficient identity information that doesn't change over time.

    As far as I can tell there is no perfect identity information that is immutable across time. For things like this you must keep the information up to date. It is unfortunate that there is not a centralized management or brokerage for this kind of thing, but having a centralized identity management system comes with another set of problems, where you have one system to breach instead of dozens of systems.

    Steam does support email addresses as a second-factor login, and their app. It is always wise to periodically check that your identity information on every platform is up to date, especially if you've moved or changed phones or things of that nature.

  • You can set up Steam Guard to use the mobile Steam app for auth instead. It's annoying as hell though and I wish they just supported normal OTPs.

  • Deep dive into the topic: https://www.youtube.com/watch?v=ChKpf5HjcSY

  • For a handful of sites (financial, DNS registrar) I use my static IP address as part of the account restriction. People can bang away at passwords, SIM-jack my phone and get nothing. It's not for everyone, and I am apparently one of the few that only browse the web from a Linux workstation these days based on feedback, but I have managed to get a handful of companies to support IP restrictions. They hate doing it because many people apparently don't know the difference between a paid dedicated static IP and an IP that has not changed in a year, so they get locked out and it becomes a customer support PITA. It will always be my preference. Nearly all banks have the capability, but the bigger banks hide it from the bankers in their UI and it requires opening a ticket with their operations staff. Many B2B SaaS providers also have and despise this option.

    As heavily targeted as Valve accounts are, I think they would have far fewer account take-overs if more people had static IPs and they supported having, say, 3 or 5 permitted IPs, or at the very least permitted CIDR blocks or AS numbers. The over-provisioned ISPs that use CG-NAT would have to use CIDR or AS number, for example. This would require a fall-back method should the ISP reassign AS numbers, as unlikely as this would be. Not perfect, but perfect is the enemy of good.

    I only suggest this because I do not want yet another RSA dongle or phone app. I plan to launch my "smart" phone from a clay pigeon launcher and get a tiny dumb phone, should I find one that supports VoWiFi SIP and yet is truly a real dumb phone and not a mini phone running some ancient unsupported Android. I know several people that do not even have a phone. That is my long term goal.
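
    As an added example (not code from this thread, from Valve, or from any of the services mentioned), here is one way a service could evaluate the kind of restriction the comment above proposes: a small per-account allowlist of exact IPs, CIDR blocks and AS numbers, with a "fallback" result when the client's ASN cannot be determined so that a second factor can be demanded instead of a hard lock-out. The prefix-to-ASN table, the rule cap and every address in it are constructed placeholders standing in for a real IP-to-ASN lookup.

    ```python
    """Evaluate a per-account login restriction of permitted IPs, CIDR blocks or AS numbers."""
    from dataclasses import dataclass, field
    import ipaddress

    # Constructed prefix-to-ASN table (hypothetical values) standing in for a real
    # IP-to-ASN lookup service; documentation ranges only.
    PREFIX_TO_ASN = {
        ipaddress.ip_network("203.0.113.0/24"): 64500,
        ipaddress.ip_network("198.51.100.0/24"): 64501,
        ipaddress.ip_network("2001:db8::/32"): 64502,
    }


    def lookup_asn(ip):
        """Longest-prefix match of ip against the table; None if the prefix is unknown."""
        best = None
        for net, asn in PREFIX_TO_ASN.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, asn)
        return best[1] if best else None


    @dataclass
    class AccessPolicy:
        hosts: set = field(default_factory=set)        # exact permitted addresses
        networks: list = field(default_factory=list)   # permitted CIDR blocks
        asns: set = field(default_factory=set)         # permitted AS numbers
        max_rules: int = 5                             # cap from the comment: "3 or 5"

        def add(self, rule):
            """Add an int (ASN) or a string (single IP or CIDR); enforce the rule cap."""
            if isinstance(rule, int):
                self.asns.add(rule)
            else:
                net = ipaddress.ip_network(rule, strict=False)
                if net.num_addresses == 1:
                    self.hosts.add(net.network_address)
                else:
                    self.networks.append(net)
            if len(self.hosts) + len(self.networks) + len(self.asns) > self.max_rules:
                raise ValueError("policy exceeds the permitted number of rules")

        def evaluate(self, client_ip):
            """Return 'allow', 'deny', or 'fallback' (ASN unknown: require a second factor)."""
            ip = ipaddress.ip_address(client_ip)
            if ip in self.hosts or any(ip in n for n in self.networks):
                return "allow"
            if self.asns:  # only consult the ASN lookup when an ASN rule exists
                asn = lookup_asn(ip)
                if asn is None:
                    return "fallback"
                if asn in self.asns:
                    return "allow"
            return "deny"
    ```

    Mixed IPv4/IPv6 membership tests are safe here because `ipaddress` networks never contain addresses of the other version.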