Here are a bunch of open source, cross platform 2FA apps for people who don't like to use Google Authenticator, Microsoft Authenticator, etc. I've also provided links for you to check them out.

A List of Authenticator Apps

Mobile
- Aegis - Android
- KeePassDX - Android
- Ente Auth - Android, iOS
- Strongbox - iOS
- KeePassium - iOS
- Bitwarden Authenticator - Android, iOS
- FreeOTP+ - Android (by @Gede)

PC
- KeePassXC - Windows, macOS, Linux
- GNOME Authenticator - Linux
- Strongbox - macOS
- KeePassium - macOS
- Numberstation - Linux (by @dnovraD)
- Ente Auth - Windows, macOS, Linux

---

FAQ

- Why should I use TOTP?
Here is a great answer to this question by @Gede.
https://www.gog.com/forum/general/you_can_now_use_authenticator_apps_to_keep_your_gog_account_secure_582bd/post41

Also, if you are using your email account for 2FA, it probably means you haven't set up 2FA for your email account. You should probably use one of these apps to protect that account as well.

You can also watch this 30 minute long YouTube video that explains the benefits of using TOTP in depth.
https://www.youtube.com/watch?v=iXSyxm9jmmo

- Will this affect third party clients like Heroic, Lutris, Mini Galaxy?
No, they should work without an issue as with email-based 2FA. They will ask for a TOTP code which you can provide by going to the 2FA app of your choice.

- Is it difficult to set up?
Not at all. If you're on mobile, you can use one of these apps to just scan the QR code shown during the initial setup for authenticator-based 2FA on GOG. On PC, just copy the "Secret" shown under the QR code to your app.

Here is a YouTube video that goes over TOTP and how to use it. You should watch the full video if you want to know more.
https://www.youtube.com/watch?v=iXSyxm9jmmo&t=624s

You can also check out this support page by GOG.
https://support.gog.com/hc/en-us/articles/115003660533-What-is-two-step-login-and-how-does-it-work?product=gog

- Will my TOTP secrets be automatically synced across all my devices? What if I move to another device?
Syncing your database across all devices or restoring it when you move to another device requires a cloud-based solution. Most of these apps provide some way of syncing or backing up your database via a third party cloud provider, like Google Drive, OneDrive, NextCloud, etc.

However, since they are free and open source apps, there is no in-built solution to backup/sync your secrets. If you need this feature, I recommend you to look at paid services like Bitwarden Premium and Proton Pass which also come highly recommended. Ente Auth has a free tier which you can use as well.

Another option is to sync your database across your own local network, perhaps using Syncthing or something similar.

- Can I trust these apps?
These are all open source apps that are generally popular and often recommended. None of them require an online account either as far as I know.

I haven't vetted every one of these apps, so you should do your own research to find an app that you like. I've provided links above for you to check them out.
Post edited May 25, 2025 by Hurricane0440
Hurricane0440:
Hurricane0440, greetings. (^_^) Your effort is appreciated! I wish to add a recommendation for totp.

On the official news thread, I had created a post pertaining to the usage of the program simply known as 'totp'.

The contents of which are as follows:

For interested parties: totp is a fantastic and simple TOTP (Time-based One-Time Password) program. Other than your preferred C library (such as: musl, glibc), this tool possesses zero additional library dependencies.

Note: It is best to ensure that the system clock on each chosen device is reasonably well-synchronized with an NTP server. Also, Time-based One-Time Password allows for this program (and others) to be simultaneously installed and used on an infinite number of machines, without upper limitations.

Upon enabling [Authenticator app] within account [Login and Security], one is presented with a 16-character Base32-encoded string (example: JVUW42LNMFWGS43U). Afterwards, it truly is as easy as decoding the aforementioned string, and piping the output to totp. The resulting 6-digit code can then be copied and pasted (or, entered manually) into the appropriate field on the GOG web prompt.

Input:
printf JVUW42LNMFWGS43U | base32 -d | totp

Output (at the time of creating this forum post):
739954

I use this very same program on my Linux and Android (manually compiled with Android NDK and run via Termux) devices. Of course, the back-up codes are stored on multiple physical storage mediums.

The inclusion of this feature by GOG is quite commendable, and, in my opinion, this method is far superior to electronic mail-based authentication (which one may be unable to access for whichever reason).
Post edited May 20, 2025 by Palestine
Nice idea for a thread.
Thank you very much.
I have not tried them, but they seem to be Free Software for Android:
Secur: github.com/SphericalKat/secur
FreeOTP+: github.com/helloworld1/FreeOTPPlus

This may be a little niche, but for Linux, and also Free Software:
passff: github.com/passff/passff
https://sr.ht/~martijnbraam/numberstation/
Numberstation.

Android:
https://f-droid.org/en/categories/security/ No shortage. There's also the Izzy repo and others if you need more choices.
Palestine: Hurricane0440, greetings. (^_^) Your effort is appreciated! I wish to add a recommendation for totp.
Thanks for the recommendation, Palestine. I can't recommend a CLI tool, though, since this post is geared toward novices.
Gede: FreeOTP+: github.com/helloworld1/FreeOTPPlus
passff: github.com/passff/passff
Thanks again, @Gede! I completely forgot about FreeOTP. I haven't included passff since it requires quite a bit of manual setup, while Secur doesn't seem to provide any prebuilt binaries.
dnovraD: https://sr.ht/~martijnbraam/numberstation/
Numberstation.
Cool! I didn't know about this. It seems that it's provided in some Linux distro repositories as well.
Post edited May 20, 2025 by Hurricane0440
Been testing KeePass for the first time and it's really good!
GOG's implementation of this feature is really nice and welcome.

Wish we could get stronger hashes for it though.
SHA-1 (1990) is really outdated and quite dangerous nowadays I'd think.
(For some vulnerability examples, see sources 2 and 7)

At least SHA-256 (2001, but still strong as part of the SHA-2 family) would be preferable, if possible, as there's also no need to change the length of the secret as seen in some of the sources below.

I also noticed that we can 'fail' the attempts many times with apparently no consequence.
(No anti brute force mechanism? Can't confirm.)
This is a huge vulnerability, please take a look into this!

Thanks as always and best of luck.

Sources and references for research of the tech team:

1 = https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf

2 = https://www.protectimus.com/blog/sha-256-vs-sha-1-for-totp-token-security/

3 = https://pangea.cloud/securebydesign/authn-using-totp/

4 = https://certera.com/blog/sha1-vs-sha2-vs-sha256-vs-sha512-hash-algorithms-know-the-difference/

5 = https://whenderson.dev/blog/two-factor-authentication-from-scratch/

6 = https://drewdevault.com/2022/10/18/TOTP-is-easy.html

7 = https://medium.com/permify-tech-blog/how-to-implement-two-factor-authentication-2fa-with-totp-in-golang-e08d0000766a
Post edited May 21, 2025 by .Keys
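Added example, not part of any post in this thread: a Python sketch of what the `base32 -d | totp` pipeline in Palestine's post computes (RFC 6238), with the hash used inside the HMAC made selectable to illustrate the SHA-1 versus SHA-256 question raised in .Keys' post. The `verify` helper and its drift window are assumptions about how a server might check codes, not GOG's implementation; the secret is the example string quoted above.

```python
import base64
import hmac
import struct
import time


def decode_secret(b32: str) -> bytes:
    """Decode the Base32 'Secret' shown under the QR code (spaces and case tolerated)."""
    s = b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # authenticator secrets usually omit '=' padding
    return base64.b32decode(s)


def totp(key: bytes, at: float, algo: str = "sha1", digits: int = 6, step: int = 30) -> str:
    """RFC 6238: HOTP (RFC 4226) over the counter floor(at / step)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, algo).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(key: bytes, submitted: str, at: float, window: int = 1, **kw) -> bool:
    """Hypothetical server-side check: accept `window` steps either side of
    `at` to absorb clock drift, comparing in constant time."""
    step = kw.get("step", 30)
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(key, max(0, at + drift * step), **kw)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    key = decode_secret("JVUW42LNMFWGS43U")  # example secret from the thread
    now = time.time()
    print("HMAC-SHA1  :", totp(key, now))
    print("HMAC-SHA256:", totp(key, now, algo="sha256"))
    print("accepted   :", verify(key, totp(key, now - 30), now))
```

The app and the service must agree on algorithm, digit count and step, so a service can only move to SHA-256 for users whose authenticator entry was enrolled with it.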
I'd go with offline security with regard to additional security. It relies on time synchronization, though, and can be tricky for most users, so I approve of what Palestine has posted about the TOTP method, as it will be very helpful for those who have no experience in this field.