Maighstir: I don't know how the implementation of a similar system that I have seen works, or if it's built on either of said standards, but from what I have seen, the hardware token doesn't need a connection to the computer or outside world at all
Yes, these things exist. I think SecurID by RSA is the most well known of these systems. They are not without flaws either, like you already said: they are cumbersome to set up by somehow adding the key to the system you are trying to authenticate against. And I personally don't feel very comfortable with there only being one key ever. That may be more for professional-grade security, not so much for GOG with so many end users.

Let's be honest, there is no ideal solution to this problem. ;) HOTP/TOTP seems to be the standard solution and is currently the most widely used. So that's what I would go for.

amok: Small side note - this is only true up to version 2.21, the later versions are proprietary.
I honestly did not know that. Thank you for clarification.
Post edited March 23, 2019 by user deleted
It's ok how it is. My email is sms protected anyways.
How about we just reverse the polarity of the neutron flow?
Breja: How about we just reverse the polarity of the neutron flow?
hmmmmm

It won't fix the authentication problem, but it might get rid of Tauto.

Let's try it. :D
You can still disable this feature if you don't want to use it.
No google anything on gog.
Why not use a regular two-step implementation like Authy, Google Authenticator, 1Password, etc.?

No need to go all Steam-like.
Faithful: No google anything on gog.
...
Mandatory? This BS again… How long till I have to upload my ID to confirm I'm me, GOG?
I must concur. Interest in 2FA is rising, largely due to all-too-frequent news stories of the exfiltration of enormous user databases and passwords. Verizon's plans to acquire Yeah-Who are on hold because of their user data breach, and may get cancelled entirely.

And yet, seemingly everyone jumping (late) to offer 2FA immediately gets it wrong by using insecure channels to transmit the authentication code.

One popular method is to send a text to your phone. I cynically interpret this as an excuse by the marketing department to get hold of your cell phone number. But even setting that possibility aside, SMS is not secure; you can find interception demos on YouTube. Sending an email with a code in it is the other popular method. However, unless you're using GPG encryption (spoiler alert: you're not), email is not secure, either.

You should not be relying on transmission of a token over insecure channels. The correct solution is to not transmit a token at all. This is what TOTP does. Implementation on the server side is trivial. Google Authenticator is but one implementation of a TOTP client; there are several others, as outlined above. There are even clients for the Linux command line.

So while I applaud GOG's efforts to ensure the security of their customers' accounts, there are far better approaches. I encourage GOG to seek them out and implement them.
blotunga: It's ok how it is. My email is sms protected anyways.
https://youtu.be/R-4fkJiVeE4

You were saying?

(Be aware that video is four years old; the tech has only improved since then.)
Breja: I'll probably be thrown stones at again for daring to ask for someone to clarify, but what are those? And why should we want them?
*tosses Mick Jagger*
I'm currently working on a script that will enable a captcha every time you go to make a post in here.

I'll make sure to give you all the link when I'm done! :D
tinyE: I'm currently working on a script that will enable a captcha every time you go to make a post in here.

I'll make sure to give you all the link when I'm done! :D
Ooh, can it only be in Klingonese?