Hm, went to another browser and logged on, no captcha, but did show up after clearing cookies and trying to log on again right away, yeah.

Well, I didn't notice this two-step login until it locked me out of my account today. Finally, after working on this for an hour, I have found a way to access my account again and disable this two-step login. Maybe, this could have been avoided if two-step login was disabled by default and interested parties could enable it. Forgive me for being rude, but if I had wanted to be patronised by my games dealer, I would have chosen steam in the first place.

That's how it was until a few days ago. And you could still opt out of the default enable if you got that e-mail and clicked the link (though as the blues said the disabling is done some time after the enabling, so there may be a period when it's enabled even for those who opted out, but I'm thinking that should be over by now). Problem is that not everyone got the mail and they didn't make a big (or, in fact, any) front page announcement of it.
But makes me wonder, having issues with signing in with two-step... Would that mean you no longer have access to the e-mail you signed up with?

No, two-step was definitely enabled by default, or I would have never noticed it!^^ And I must confess I am a bit angry about this. It is quite a change in gog's policy to force such a thing on users that they don't want or that may impair usability. And all this in the name of security.

And, yes, I have access to my e-mail account, but the codes were sent with great delay and weren't accepted or didn't work correctly with my browser. Maybe I didn't handle this correctly. It just didn't work good enough for me.

Again, it was enabled by default since Oct 24 UNLESS you opted out. There was an e-mail announcement about it a while back with an opt-out link, but not everybody received it. Not sure who didn't receive it though, some certainly didn't, was mentioned in this thread too, because I for one have announcements off in e-mail settings but still did.
So if you didn't opt out, yes, it was enabled by default, no argument there. About the code, it's only valid for 15 minutes (there's a claim that it's 15 min since it's received, but don't see how that can be tracked, so assuming it's 15 min since it's sent). If it arrives late or it's used late, it won't work, yep. Didn't have it take more than seconds to arrive in my case though, doubt it ever even was 30 seconds.
The problem may be that there's the Google recaptcha embedded in the login thing, and that actually started happening before the 2-step default enable thing. Doesn't always happen, but apparently it usually does for those who don't stay logged on. If you have something that blocks that, you'll have serious problems logging on, probably irrelevant of the two-step, not sure there.

Agree they really should have handled it better, but just pointing out a few things.

Indeed, I meant the Google captcha. So far blocking Google analytics seems to have no consequences for your access to the GOG website. But you can't block the captcha if you want to log in.

I never have gotten the captcha for login before. I only got it once when I wanted to redeem a code. To require answering the captcha and thus allowing Google to track your logins directly is about the worst implementation of the two-step login I can imagine. So the "for people that clear cookies it should be less intrusive that you might have suspected" sounds like a bad joke now.

Google Analytics always could be kept blocked, and it's a good thing.

Yes, sounds that GOG traded one annoyance for another.

I agree about trading one annoyance for another but the captcha is even worse as it's annoyance plus tracking.

I disabled it on the 25th... then had to disable it again today.

I have my browsers set up to clear cookies on exit. I use two browsers, one at work and one at home. Yet I have to enter the code every single time I log in.