To be fair, password change would be the least of my concerns, it's usually fairly easy to prove to support what happened even tho it's hassle. People using my account for, say, purchasing gift codes with a stolen card or any other similar activity disturbs me far more - even tho, admittedly, I'm not sure why would someone go trough the trouble of gaining access to an account instead of just creating a fresh one. Still, I would feel safer having two layers of protection, altho I wouldn't feel a thing then. I'd last far longer tho. Something to consider.

Oh my, we need confirmation emails right now!!

This isn't funny!

Just last week some asshole hacker got into my account and unbundled all my games!

We need to do something about this!

Then don't rely on an online service. Download immediately anything brought, systematically order, and back up every item. I keep Excel grids on what I own, where brought etc, quarterly drive backups, two external, two internal. Relying on any online system will just lead to trouble eventually. This is the best thing about DRM free, you can do this, yourself, free to organise and keep the items you buy! Imagine a world where you can switch on a computer which isn't connected to the world wide tracker, and be able to install any of your owned software and play away!

I do however agree, that an email notification of changes to an account is in order.

Same asshole hacker got my account too and he tripled my games!!!

This thread requires a blue post.

That looks like a full time job ;)
just kidding, know about backups and related stuff ...

Trust me, it is to setup. But then it gets better only having to keep up to date with patches. They say you can't take it with you when you go, but I am going to sneak one of my backups in somehow :o)

I guess the question is, why not enable it? It may not contain sensitive materials like say an email account, but why should I not have the option to enable it if I so choose? It's not as if sending an additional email or sending a push notification to approve before logging in is expensive to implement. Every two factor solution out there is opt in as well, so if you choose to not enable it you certainly could. Why not further protect your customers given the option? Why would the Galaxy client matter? It's entirely possible to enable two factor on the standard GOG webpage. If it was just implemented in one place it would be sort of pointless.

And what exactly is so bad about this two factor authentication? How does it limit you, exactly?

I to an extent do not mind anti-piracy topic, as ripping games is IMO most disloyal to gaming immediate or long term, and workers like us - none of us would particularly love our payroll being stolen, or ... you are a most principled, prole, or what? ;-)

I do expect privacy and convenience - and I am not sure if flying transatlantic would allow me to go off-line and consistently play a heavy DRM title, or if ticking off "do not send gaming feedback" really sticks.

I wish I knew about the latter, because this would be a matter of principle. But on good faith principle, if one can go off-line this is fine - and there is always BG or Morrowind or Divinity etc to entertain one on-board anyway if this really is about off-line gaming on transit.

I like those sunglases at the bottom.

When you log in from an unauthorized computer, they send you a randomized security code on your email which you also need to log in besides your user name and password to authorize the machine. All further log ins from that machine will work without the code. Basically, whenever you're accessing account from a new computer, the website also checks if you really are owner of email registered with that account.

How does it track that the computer is "authorized"?

At least on Steam, it seems I have to re-enter that damn code every damn time I want to enter the site through a web browser. Is it possibly using e.g. cookies to track it? I've set Firefox to wipe out all the offline crap (caches, offline data, cookies, history etc.) whenever I close the browser, as some sites use them for purposes I don't want them to (like limiting how many times per week I can access their pages, etc.), and also make sure all personal data (browsing history, saved passwords etc.) are also deleted when I close the browser. I wouldn't want e.g. my wife to enter different sites with my account just because I forgot to log out. Not to mention the case when I was able to access and read my friend's personal emails, just because he had used my PCs web browser to check them. That wouldn't have been possible if the browser had deleted all cached data when he closed browser.

I'm for GOG checking via email if you or someone else tries to change the account password (that just makes sense, and I am surprised if GOG doesn't so that already now). I'm against that "enter the code all the time" shit which is present in Steam.

Of course, in Steam it is now less important to me because I simply don't access their site with web browsers anymore. Only with the client (where I don't apparently even have an option to delete any tracking cookies automatically and whatnot). Fine by me I guess, as the client is not used for anything else besides accessing the Steam site.

Settings -> Account -> Disable Steam Guard. That's precisely what I want GOG to do as well.