Destro: Verifying email is not only useful for those who enable two-step but for all users (you don't need two-step to get locked out of your account due to a typo). And all it takes to hide this notification is a single click - is it really such a problem?
Well, TBH the galaxy advertising note is MUCH more annoying. Because I'm sitting on a Linux computer (as the script can easily see), so there is nothing to advertise......

As for the 2FA: I did get the mail, and today I had to use it the first time. Worked without any issues. Mail was very fast, but the 4 different boxes for the numbers are quite confusing to enter things - somehow it shuffled the numbers I entered and I had to select, mark and change every single number. There the single text field Humble uses is more convenient.

But IMHO GOG is one of the very few that do it right. You can switch it off. It's not forcing you to use apps and/or (smart)phones. I'll happily leave it enabled and see how (in)convenient it is, assured that I can switch it off.

As a counterexample, PayPal today decided I have to use 2FA via an automated phone call (no other option!) just because I use Vivaldi (Firefox just logs me in). Consequence there: If they don't change it, I'll nuke my account.....
Der_Pit: Well, TBH the galaxy advertising note is MUCH more annoying. Because I'm sitting on a Linux computer (as the script can easily see), so there is nothing to advertise......
If you use Barefoot Essentials I could add a feature to hide that if you like.
Der_Pit: Well, TBH the galaxy advertising note is MUCH more annoying. Because I'm sitting on a Linux computer (as the script can easily see), so there is nothing to advertise......
Get uBlock Origin. You can easily create a filter rule to block any offending element as long as it's not using a randomized class (generated on every page load) or such.
Destro: Don't worry, it works as intended. Two-step is not only related to your cookies but multiple other factors too, so for people that clear cookies it should be less intrusive than you might have suspected.
That's interesting, thank you for reporting.
I've had problems logging in. My email provider is often slow, taking up to half an hour, and the code expires in only 15 minutes.
symptomatic: the code expires in only 15 minutes.
If that's true, GOG needs to change it. Email was designed to be a robust protocol, not a realtime messaging protocol. Delays and temporary failures aren't unusual, they're in part normal operation. Service providers use a variety of batching strategies to manage load, and techniques such as greytrapping (which *intentionally* delays messages) are fairly common. Email was built to be robust in the face of such failures and delays, and any application requiring sub-15-minute deliveries is just abusing the protocol, assuming guarantees that aren't there.

RFC 5321 ("Simple Mail Transfer Protocol") says that in general, mail delivery retry interval should be at least 30 minutes, and delivery should be attempted for a few days.

For reference: https://tools.ietf.org/html/rfc5321#page-67

Blues take note...
Destro: Don't worry, it works as intended. Two-step is not only related to your cookies but multiple other factors too, so for people that clear cookies it should be less intrusive than you might have suspected.
Can you clarify this ^

Have you started to save IP data, device and browser data connecting it to the security code so that we don't need to use the code every time we log in? Or does it work some other way? Cause every other service generates a new security code if I log in to it after I close my browser which erases all cookies on shutdown. Some clarification is definitely needed. I mean at this point it looks as if there is no two point login on GOG anymore. Just saying.
Post edited October 26, 2016 by Matruchus
Matruchus: Can you clarify this ^

Have you started to save IP data, device and browser data connecting it to the security code so that we don't need to use the code every time we log in? Or does it work some other way? Cause every other service generates a new security code if I log in to it after I close my browser which erases all cookies on shutdown. Some clarification is definitely needed. I mean at this point it looks as if there is no two point login on GOG anymore. Just saying.
^This. Destro's post is pretty ambiguous, I'd definitely appreciate some clarification.
Destro: Don't worry, it works as intended. Two-step is not only related to your cookies but multiple other factors too, so for people that clear cookies it should be less intrusive than you might have suspected.
Yes. I've noticed when I log in to other computers it just asks me once and doesn't ask me again. I personally use public computers on occasion so it would be nice if there was a toggle for public computers on login so that information doesn't save. Or you could have the Logout All button remove that info.

I sometimes use a public computer so I can use the forums - easier to type with an actual keyboard. I use my smartphone for my 2FA email. So if the public computer is compromised I can just change my password. With this setup someone could brute force/hack their way past and ignore 2FA.
Changing this to remember the computer in other ways as well definitely requires a "don't remember this computer" option. With it, those who frequently clear cookies won't be bothered on their home computer, but will remain safe otherwise. Without it, like it was just pointed out above, there are some pretty big security gaps left there, even if it should normally prevent common hacking attempts.
While I agree that 15 minutes might be quite short, it is worth mentioning that the email states the code expires 15 minutes after you RECEIVE the mail. So greylisting etc. should not affect it.
Not sure how long some providers keep mails in their queue after accepting it from the sender....
Der_Pit: While I agree that 15 minutes might be quite short, it is worth mentioning that the email states the code expires 15 minutes after you RECEIVE the mail. So greylisting etc. should not affect it.
Not sure how long some providers keep mails in their queue after accepting it from the sender....
Yea, there's no reliable way to know when someone receives a message. Sending an email is a bit like leaving a parcel or letter to be sent at the post office. It gets accepted, it's going somewhere. It might take a while. It might or might not get there, but if it doesn't, you'll get notified of it later on.

The only place where GOG can always make a timestamp is on their server. Greytrapping and other delays will always count towards the expiration of such a stamp.
Post edited October 27, 2016 by clarry
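
The point argued in the posts above, that the sender can only timestamp a code when it is issued and so any delivery delay counts against the expiry, as an added example (not part of the thread and not GOG's code). `EmailCodeStore`, `simulate`, the four-digit code and the attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 15 * 60   # the 15-minute expiry discussed in the thread, in seconds
MAX_ATTEMPTS = 5     # assumed guess limit; the thread does not state one


def _digest(code):
    return hashlib.sha256(code.encode()).digest()


class EmailCodeStore:
    """Hypothetical server-side store for e-mailed login codes."""

    def __init__(self, ttl=CODE_TTL):
        self.ttl = ttl
        self._pending = {}  # user -> [code digest, issued_at, failed attempts]

    def issue(self, user, now):
        # The clock starts here, on the server: the sender has no timestamp
        # for when the message actually reaches the mailbox.
        code = f"{secrets.randbelow(10_000):04d}"  # code length is an assumption
        self._pending[user] = [_digest(code), now, 0]
        return code  # handed to the mail system

    def verify(self, user, code, now):
        entry = self._pending.get(user)
        if entry is None:
            return "unknown"
        digest, issued_at, failures = entry
        if now - issued_at > self.ttl or failures >= MAX_ATTEMPTS:
            del self._pending[user]          # stale or guessed too often
            return "expired"
        if not hmac.compare_digest(digest, _digest(code)):
            entry[2] += 1
            return "invalid"
        del self._pending[user]              # single use
        return "ok"


def simulate(delivery_delay, typing_delay=60, ttl=CODE_TTL):
    """Outcome when the mail takes delivery_delay seconds to arrive."""
    store = EmailCodeStore(ttl)
    code = store.issue("alice", now=0)
    return store.verify("alice", code, now=delivery_delay + typing_delay)


if __name__ == "__main__":
    for minutes in (2, 14, 30):  # constructed delivery delays
        print(minutes, "min ->", simulate(minutes * 60))
```

With a 30-minute delivery delay the correct code is rejected as expired even though it was typed one minute after arriving; lengthening the TTL trades that failure against a longer window in which an intercepted code stays usable.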
Destro: Two-step is not only related to your cookies but multiple other factors too, so for people that clear cookies it should be less intrusive than you might have suspected.
That sounds promising. I still would prefer a better protection for password and email changes, but at least it may be worth giving your two-step login implementation another try.

Edit: After enabling two-step login I'm forced to allow Google tracking to log in. Nice implementation! ;)
Post edited October 28, 2016 by eiii
eiii: Edit: After enabling two-step login I'm forced to allow Google tracking to log in. Nice implementation! ;)
Hm? You mean Analytics or something else?
Cavalary: Hm? You mean Analytics or something else?
I assume he's referring to the CAPTCHA thing, as apparently one gets it at every login with two-step enabled if they clear their cookies/cache at exit.


EDIT: typo
Post edited October 28, 2016 by HypersomniacLive