Sdfghj: No, two-step was definitely enabled by default, or I would have never noticed it!^^ And I must confess I am a bit angry about this. It is quite a change in gog's policy to force such a thing on users that they don't want or that my impair usability. And all this in the name of security.
And, yes, I have access to my e-mail account, but the codes were sent with great delay and weren't accepted or didn't work correctly with my browser. Maybe I didn't handle this correctly. It just didn't work good enough for me.
Again, it was enabled by default since Oct 24 UNLESS you opted out. There was an e-mail announcement about it a while back with an opt-out link, but not everybody received it. Not sure who didn't receive it though, some certainly didn't, was mentioned in this thread too, because I for one have announcements off in e-mail settings but still did.
So if you didn't opt out, yes, it was enabled by default, no argument there. About the code, it's only valid for 15 minutes (there's a claim that it's 15 min since it's received, but don't see how that can be tracked, so assuming it's 15 min since it's sent). If it arrives late or it's used late, it won't work, yep. Didn't have it take more than seconds to arrive in my case though, doubt it ever even was 30 seconds.
The problem may be that there's the Google recaptcha embedded in the login thing, and that actually started happening before the 2-step default enable thing. Doesn't always happen, but apparently it usually does for those who don't stay logged on. If you have something that blocks that, you'll have serious problems logging on, probably irrelevant of the two-step, not sure there.
Agree they really should have handled it better, but just pointing out a few things.