I had to reinstall Windows 8 and I signed back in and it didn't ask me for the code nor send me one, I checked and it was enabled in my settings.
Cheater87: I had to reinstall Windows 8 and I signed back in and it didn't ask me for the code nor send me one, I checked and it was enabled in my settings.
It's working, I just checked. Reason why you don't need it is because your IP address didn't change.
Christ do they realize how easy it is to get and copy someone else's IP address? This is insane.
paladin181: Christ do they realize how easy it is to get and copy someone else's IP address? This is insane.
You also need a uniquely generated cookie in your browser to evade the 2FA, not only the same IP address.

Edit: Ok, apparently that's not the case any longer... not sure if it's a momentary glitch or a permanent situation (in which case you're right, an IP address based 2FA is hardly that secure).
Post edited March 12, 2017 by WinterSnowfall
Cheater87: I had to reinstall Windows 8 and I signed back in and it didn't ask me for the code nor send me one, I checked and it was enabled in my settings.
VeTrack: It's working, I just checked. Reason why you don't need it is because your IP address didn't change.
>2017
@
>verify machine by IP
*heavily facepalms*

Why not browser fingerprint? Why not cookies? WHY IP?
There are dozens of people behind NAT, and ever more with grey IP, who won't get any profit from such "two-factor", and, moreover, will have an illusion of safety ("If I didn't get any messages on my email, then my account is fine"). GoG, please...
Post edited March 12, 2017 by Gekko_Dekko
Gekko_Dekko:
I don't work for GOG. ;)
Cheater87: I had to reinstall Windows 8 and I signed back in and it didn't ask me for the code nor send me one, I checked and it was enabled in my settings.
Do you use Firefox and did you copy your config from a backup to the new install? AFAIK it normally uses a Cookie, too, but when you copy an old config you already have that cookie set.
hohiro: Do you use Firefox and did you copy your config from a backup to the new install? AFAIK it normally uses a Cookie, too, but when you copy an old config you already have that cookie set.
It used to use cookies (which I had added to my "always keep" list), but I cleared all my cookies and logged back in a minute ago without triggering 2FA.
Post edited March 12, 2017 by WinterSnowfall
Gekko_Dekko:
VeTrack: I don't work for GOG. ;)
Ik, my question was rhetorical
WinterSnowfall: You also need a uniquely generated cookie in your browser to evade the 2FA, not only the same IP address.

Edit: Ok, apparently that's not the case any longer... not sure if it's a momentary glitch or a permanent situation (in which case you're right, an IP address based 2FA is hardly that secure).
Yeah. See, the person REINSTALLED Windows and should not have a valid cookie.
I had to sign back into everything, went from 10 to 8.1 due to 10 freezing so much.
The GOG 2FA is definitely screwy from a security perspective. Last time I changed my password I was successfully logged out of all web browsers that were logged into GOG at the time, and when I went to log in the next time I was greeted with the 2FA verification popup as expected.

After that, my expected results were:
- To be forced to check my email and grab the 4-digit 2FA code they emailed to me.
- To successfully provide their web prompt with the successful 4-digit code I received.
- To be denied access to my account if the 4-digit code was not supplied.

The actual results:
- I did not receive the email right away due to reasons unrelated to GOG themselves, and had to wait several hours.
- During this time period I was unable to log in because the 2FA security prompt wanted that 4-digit code and would not let me in without it.
(all good up to that point)
- Several hours later I still had not received the 4-digit code, but I reloaded the GOG web page that had been asking me for 2FA code for about 8 hours, and it just magically logged me in without requiring the validation code at all.

When all was said and done, I was able to log into GOG from 3 different computers with 4 different browsers plus Galaxy, all without ever entering any 2FA codes once, even though I did receive them in the mail later on.

As for "clear your cookies/cache" etc. - no user should ever have to do these things for security purposes and any requirement to do so by the user from GOG is a massive security hole. Regardless of that - the site did initially notice that 2FA was required regardless of the state of any cookies - it did prevent me from logging in for several hours and thus apparently it did its job for that time. It was only after a few hours longer that simply reloading the same page that previously denied me access for security - now freely allowed me in without any security checks at all.

That's pure broken in my books. :)
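
Added example, not part of any post in this thread and not GOG's code: a sketch of the two behaviours the posts above expect, namely that a browser is trusted only through a server-signed cookie (never because the IP address matches) and that an unanswered code challenge expires into a failed login rather than a successful one. The `Login` class, the constants and the token format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret known only to the server
TRUST_TTL = 30 * 24 * 3600            # assumption: a device stays trusted for 30 days
CODE_TTL = 10 * 60                    # assumption: an emailed code is valid for 10 minutes
CODE_DIGITS = 4                       # the thread mentions 4-digit codes
MAX_TRIES = 5                         # assumption: guesses allowed per challenge

def _mac(user_id, expiry):
    return hmac.new(SERVER_KEY, f"{user_id}|{expiry}".encode(), hashlib.sha256).hexdigest()

def issue_device_token(user_id, now):
    """Cookie value that marks a browser as trusted; issued only after a code check."""
    expiry = int(now) + TRUST_TTL
    return f"{expiry}.{_mac(user_id, expiry)}"

def device_is_trusted(user_id, token, now):
    """True only for an unexpired token whose MAC verifies for this user."""
    expiry, _, mac = (token or "").partition(".")
    if not expiry.isdecimal():
        return False
    if not hmac.compare_digest(mac.encode(), _mac(user_id, expiry).encode()):
        return False
    return int(expiry) > now

class Login:
    """A login attempt whose password was already verified (hypothetical class)."""
    def __init__(self, user_id, device_token, ip, now):
        self.user_id, self.ip = user_id, ip  # ip is kept for audit logs, never for trust
        self.authenticated = device_is_trusted(user_id, device_token, now)
        self.code = None if self.authenticated else f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.code_expiry, self.tries_left = now + CODE_TTL, MAX_TRIES

    def submit_code(self, code, now):
        """Return a new device token if the code is right, else None."""
        if self.code is None or now > self.code_expiry or self.tries_left <= 0:
            self.code = None  # dead challenge: only a fresh login can issue a new code
            return None
        self.tries_left -= 1
        if not hmac.compare_digest(code.encode(), self.code.encode()):
            return None
        self.authenticated, self.code = True, None
        return issue_device_token(self.user_id, now)
```

Nothing in this sketch moves a pending login to `authenticated` except a correct code submitted before `code_expiry`, so reloading the prompt hours later still leaves the session locked.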
hohiro: Do you use Firefox and did you copy your config from a backup to the new install? AFAIK it normally uses a Cookie, too, but when you copy an old config you already have that cookie set.
WinterSnowfall: It used to use cookies (which I had added to my "always keep" list), but I cleared all my cookies and logged back in a minute ago without triggering 2FA.
I can confirm with several computers in my network. It's definitely broken. I perfectly reproduced that glitch or whatever.
Test with different profiles in *fox.

Strangely, my Linux laptop with Sabayon Gnome + Firefox = asked for a code every time I try to log in.

Windows 7 + CyberFox = no code.

And I del everything each time I close the browser, and sometimes even when I browse. They both have the (fairly) same profile with almost the same plugins. The win pc even has a plugin to get supercookies.

EDIT: This is also a problem in EVE. When I asked CCP if they were aware of some problem, they actively removed the option by mail, only leaving Google authenticator app for mobile. Not good at all..
Post edited March 13, 2017 by sanscript
I hope this gets fixed soon.