On the main page it says that two-step login is being turned on for everyone. I noticed that it was automatically turned on for my account without my consent. This was a huge pain because:

1. My cookie/browser settings are such that every time I visit the GOG website, it thinks I'm using a different computer, so it makes me request a new number, check e-mail and type in what it tells me.

2. The e-mail address I have assigned to this account isn't technically mine, so I had to request that the owner logged into it and tell me the number, just so I could log into my account!

Once I did that, I could disable it, but are they going to re-enable it again without my permission?!

They're not supposed to, but it could happen, it's GOG, you never know. There is or at least was a way to opt out of it.

https://www.gog.com/forum/general/gog_will_enable_twostep_login_on_all_existing_accounts_on_oct_24_2016/page1

They still have enabled it (at least temporarily) for some people who opted out.

You should change your e-mail to an address that you control and read regularly so you won't miss important announcements. If you had done so earlier you would have received the e-mail in which two-setep login for everyone was announced. The e-mail also contained an opt-out link which would have prevented two-step login to be activated on your account in the first place.

As far as I know they do not plan to mess with the setting again.

Well that's ridiculous. I have to opt out? Why not just leave it alone by default, so I can opt in if I choose?

Easy, too many complained about hackers and they made it mandatory to level up against those easy hacks.

At least this way it is more or less certain, IF somebody complains they have been hacked (and 2 step is enabled) that the hacker had access to the email before the account was hacked. (You need to enter the 4 digit coed received by email)

EDIT: It also makes (default on) emails-addresses (found somewhere else) less useful.

I would hope not, but even if they did, I assume that they'd send an email first with the option to opt out beforehand, like they did this time.

I suggest you change to an e-mail you can control as said Geralt, for security reasons... and avoiding future problems.

actually the system really annoys me, but for security reasons i don't OPT-OUT...

Well if someone did hack your account, if you only buy things with PayPal or credit card and it doesn't store the information, then the worst they could do is download some games or buy them for you, right?

Once they are in, they can change the email address and password so that you can't log into your account anymore. Then you'd complain to GOG support that your account is stolen and GOG needs to verify somehow that you are really the original owner of the account etc. etc. etc., more work to GOG support... which is why they prefer to secure also less often used accounts against such hacking attempts.

The main reason someone would try to hack to existing GOG accounts is to e.g. buy gift codes through your account using e.g. stolen credit cards, and then sell the gift codes on places like G2A.

Sometimes they'd also try to sell your account to some unsuspecting person, but I'd think this is not as common.