Sorry, I should’ve clarified: I didn’t try it with BG3 (I use the GOG version) - hence my “I don’t think so”; I simply assumed it wouldn’t work because that’s the case with like 99% of Steam games.
This means Larian specifically implemented their calls to the Steam API in order not to exit if it fails to connect; that’s indeed pretty good and in fact I know of only one other such exception to the rule: RimWorld.
While SHA1 might be considered problematic security-wise in terms of collision (using it for certs today would be very bad, for example), it is not problematic in terms of preimage attacks (even MD5 isn’t broken that way IIRC), which is what truly matters in the context of 2FA / TOTPs.
As for “why not SHA256”, compatibility.
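
For reference, an added sketch (not part of the comment above) of RFC 6238 TOTP in Python: the hash is only ever used inside an HMAC keyed with the shared secret, and it is a parameter that the authenticator and the verifier must agree on. The secrets and timestamps are the public RFC 4226 / RFC 6238 test vectors; the `verify` helper and its `window` parameter are illustrative assumptions.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 Appendix B test secrets (public test vectors, not real keys).
SECRET_SHA1 = b"12345678901234567890"
SECRET_SHA256 = b"12345678901234567890123456789012"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits, algo)


def verify(secret, submitted, unix_time, window=1, step=30, digits=6, algo="sha1"):
    """Check a code against the current step and `window` steps either side."""
    current = unix_time // step
    ok = False
    for counter in range(max(0, current - window), current + window + 1):
        expected = hotp(secret, counter, digits, algo)
        # Constant-time compare with no early exit, so timing does not reveal the step.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    t = 1111111109
    print("SHA1   :", totp(SECRET_SHA1, t, digits=8))
    print("SHA256 :", totp(SECRET_SHA256, t, digits=8, algo="sha256"))
    # Same secret, different hash: the codes disagree, so a verifier that moves
    # to SHA256 rejects authenticators that only implement the SHA1 default.
    print("same key, SHA1 vs SHA256:",
          totp(SECRET_SHA1, t), totp(SECRET_SHA1, t, algo="sha256"))
```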