Tried that; didn't work. I'm now stuck with two pending orders. You evil thing! ;P

Well, I wasn't. :P

That should actually be the default for any 2FA system, to ask for validation each and every time, since any cases which bypass 2FA could possibly be exploited and be used for cases which shouldn't bypass it. But "I have to use 2FA each time? Why? Not using it, too much hassle", thus we get cases to ignore 2FA (cookies).

2FA has nothing to do with that. It's similar to saying that your card's PIN number is what sends you your monthly statement, and thus it doesn't prevent card fraud, since by the time you see the statement, the fraud has already happened. And if someone has access to your 2FA mails, he already has access to your mail, thus whether before or after, he could still verify it.

This sounds really cool. I'll have to play around with it sometime to see the ins and outs of its uses but it sounds exactly like something I've wanted GOG to adopt for a while. Thanks!

Indeed, that is why you should never have identical passwords (same password in other websites), specially for emails.
There's nothing gog can do if your email and gog password are abc123. =p

Delete the cookies set by GOG and see if it fixes (it should).

Then it should be. Gifts are only good when they're a net positive. Someone went to New Zealand and brought me a compass so that I don't get lost on marathons (an in-joke). Someone went to SanFran and brought me a reference book of lies and excuses and a picture of rhododendrons. Someone saw a bar of oldschool Polish soap in a purple foil box and bought it for me. The gifts aren't only personal, they're also logistically costly or outright impossible to get for myself. I can't afford to go to SanFran to look at their fluffy rhododendrons, and I can't buy myself a bar of soap if I don't know it's being sold.

The other case of "net positivity" is when I just buy someone something for them to have without expectations of direct financial reciprocity. Maybe you're a starving artist and I can't draw to save my life, I give you a Cintiq and then get to look at your new and improved art. Maybe you want to play a videogame but can't afford it and I want to play it with you or hear your impreshunz, so I give you a game code. Etc.

Two people buying each other something preordered off the (probably virtual) shelf is a shitty practice. It doesn't need defending. It can't be defended from a rational position. Appeal to common practice is not rational.

Nope. They're still there. I even opened my account in incognito mode, to no avail.

It shouldn't be hard to implement optional 2FA just for certain cases like attempted password change or mail change. In that case it would prevent hijacked accounts and fraud, but wouldn't bother users who don't want to enter the code every single time they log into their account.
See my answer to JMich for an easy solution.

I'd say that Spanish America (Argentina/Uruguay/Peru/Colombia/Chile/Mexico and some more) are next, amigo! ;)
Cross your fingers! :P

But didn't you just said a few minutes ago, that the current security option doesn't prevent hackers? How would reducing the amount of times you need to insert codes, be a solution to that?

Do we make interest on our wallet account ^^

If there would be more choices I could deactivate 2FA for everyday login, but activate it for mail and password changes. In that case I wouldn't be bothered every time, I log in, but would get warned when someone from outside tries to change important settings. That would prevent takeovers of accounts.

Right at the moment I only get a warning after the password was changed (no matter if I use 2FA or not). That's pretty useless in my eyes.

I get a new email every time I access my account in a different computer. I'm forced to insert a random code, otherwise I can't access my stuff.
Wouldn't I receive an email if someone else tried accessing my account, too?
It most likely would, the system doesn't know who is trying to login (unless Skynet is real xP), it would assume it's me, and would send me the code, by email.
I would change my passwords immediately after receiving this suspicious email. Pretty useful, in my book.

Yes, it should be possible to set areas as low and high risk, and demand authentication when attempting to visit a high risk area. And that is what GOG was doing before 2FA, since you were required to reenter your password to be able to change the settings, thus a random person sitting on your session wouldn't be able to change them.
That could still lead to issues though, mostly because my guess would be that the whole /account/ part would be considered high risk, and that includes the chat (yes, I want to have to use 2FA to be able to see my chats). Having to use 2FA to log in is much less hassle than having to use 2FA to check chat, especially if talking to multiple people.

Still, 2FA has nothing to do with the notification that your settings have been changed. 2FA does prevent unauthorized changes, unless of course you decide it's too much hassle and don't use it, in which case the only one at fault is you.