
An extra layer of protection for you and your account.

Today, we bring you two-step login: an optional extra layer of protection for your GOG.com account. In the coming weeks, we'll also be making all communication between you and GOG encrypted by default with HTTPS everywhere — both methods often requested on our wishlist, but also simply pretty smart to offer.




Two-Step Login
Two-step login is an extra layer of protection for your GOG.com account. Every once in a while, we'll ask you to verify your identity with a 4-character security code sent to your email. Simple stuff.

Two-step login is optional, but we really recommend it. It's designed to bug you only when we notice something unusual — like logging in from a new browser or location. By doing this, we make sure that there's no way to gain unauthorized access to your GOG.com account without both your GOG password and your email account. When used to its full potential with unique passwords for every account, two-step login can be virtually impenetrable.

To enable two-step login, simply head to your Login & Security settings, verify your email address, and enjoy the extra peace of mind. For more information, check out the FAQ.
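The mechanism the announcement describes (a short code mailed to the address on file, requested only when a login comes from an unrecognised browser or location) is sketched below as an added example in Python. It is not GOG's code and assumes nothing about how GOG implements the feature; every parameter in it is constructed. Because a 4-character code drawn from letters and digits has at most 36^4 possibilities, the example stores only a keyed hash of the code, expires it after ten minutes and discards it after five wrong guesses, so the code cannot be brute-forced at leisure. A trusted-device token stands in for the "remembered browser", and revoking every token for a user in one call mirrors the end-all-sessions button described further down.

```python
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import Optional

# Constructed parameters: a 4-symbol code over A-Z0-9 (36**4 = 1,679,616
# possibilities) is only safe with a short lifetime and a hard attempt cap.
CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 4
CODE_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5


@dataclass
class PendingChallenge:
    code_hash: bytes      # keyed hash of the code; the code itself is never stored
    salt: bytes
    expires_at: float
    attempts_left: int


class EmailCodeVerifier:
    """Issue and check e-mailed login codes; remember devices that passed."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key          # server-side secret used to key the code hashes
        self._clock = clock             # injectable so expiry can be tested offline
        self._pending = {}              # (user_id, session_id) -> PendingChallenge
        self._trusted = set()           # (user_id, device_token)

    def _hash(self, code: str, salt: bytes) -> bytes:
        return hmac.new(self._key, salt + code.encode(), hashlib.sha256).digest()

    def needs_challenge(self, user_id: str, device_token: Optional[str]) -> bool:
        """True unless this browser/device already completed two-step login."""
        return (user_id, device_token) not in self._trusted

    def issue(self, user_id: str, session_id: str) -> str:
        """Create a fresh code for this login attempt; the caller e-mails it to the user."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self._pending[(user_id, session_id)] = PendingChallenge(
            self._hash(code, salt), salt, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, user_id: str, session_id: str, submitted: str) -> str:
        """Return 'ok', 'wrong', 'expired', 'locked' or 'no_challenge'."""
        key = (user_id, session_id)
        ch = self._pending.get(key)
        if ch is None:
            return "no_challenge"
        if self._clock() > ch.expires_at:
            del self._pending[key]
            return "expired"
        ch.attempts_left -= 1
        candidate = self._hash(submitted.strip().upper(), ch.salt)
        if hmac.compare_digest(candidate, ch.code_hash):
            del self._pending[key]       # single use: a code never verifies twice
            return "ok"
        if ch.attempts_left <= 0:
            del self._pending[key]       # too many guesses: a new code must be issued
            return "locked"
        return "wrong"

    def trust_device(self, user_id: str) -> str:
        """After a successful check, return a token the browser keeps as a cookie."""
        token = secrets.token_urlsafe(32)
        self._trusted.add((user_id, token))
        return token

    def end_all_sessions(self, user_id: str) -> int:
        """Forget every trusted device for the user; returns how many were dropped."""
        before = len(self._trusted)
        self._trusted = {t for t in self._trusted if t[0] != user_id}
        return before - len(self._trusted)
```

The verifier binds the code to the login attempt that requested it, so a code mailed for one session cannot be redeemed from another, and the comparison is constant-time. In a real deployment the pending challenges and trusted tokens would live in a shared store rather than in memory, and the attempt counter would also be enforced per account across sessions.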




Additionally, you can now end all of your active GOG.com sessions in one click — this includes every device or browser you ever logged in through. It's a handy feature if you've recently used a public computer, or if you simply want to be sure no device is still logged in to your account.







HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, and now we're beginning to roll it out globally. That means HTTPS support for every connection between you and GOG.com — all secured with industry-standard encryption. Every bit (and byte) of data that travels between you, us, and everyone on GOG.com will be encrypted, including the store, forum, chat, downloads and even all of GOG Galaxy. It truly is HTTPS everywhere.
Nice. Thanks for adding another layer to my account.
lgogdownloader does now support two-step authentication!

…and there was much rejoicing!
Yo, you also have no server-side XSS protection of any kind even after that one XSS vulnerability was found a few years ago. Those settings are absolutely critical when you have any form of user-generated content (like a forum).
I was really excited to see this announcement on the front page and then I read it... It's certainly a step in the right direction, but I'd still prefer a software token. Though at the same time I could do without everyone creating their own separate app - I'm looking at you, Steam. *grumble*
Any chance you'll implement support for Google Authenticator (and similar apps that use that standard) rather than email codes?
Thanks for bringing it as an optional feature. I love optional features.
Don't behave like THAT company, that forces everything down our throats.
Good security feature, by the way.
I remember reading this thread, and how many people said they don't wanna use 2-step verification because it's just too inconvenient and annoying - and I totally get you guys. I thought the same way. I've been using the internet for about 15 years now, and never had any problems with security or getting my account hacked.

But today it happened, and I had to annoy the support staff on Easter Sunday to help me out. So I really, totally recommend using 2-step verification now, even if it is slightly inconvenient. But getting your account stolen is a lot more inconvenient, trust me!
Is there any way we can use this on programs like Authy in the future?
As someone who got their Steam account hacked once due to my email getting hacked (they changed my password, email and everything and I only got the account back thanks to Steam Support being a separate account which they did not hack) I don't like the way this two-step authentication works by sending an email with a code. I would prefer something like using the open Google Authentication system instead at least as an option. Having an email sent to me as a second authentication doesn't make me feel any more secure than the long, randomly generated password I'm now using for my account password using Lastpass. I don't really trust the security of my email especially when I don't know who is reading it along with me across the internet so using it as part of extra security doesn't sit well with me. If you were to have the option to allow Google Authenticator as a second factor authentication I would use it as I am using it with several other things (including for my Lastpass) but until then I'm leaving two-step login disabled. I appreciate what you guys are doing it's just the implementation that I can't help but question.
Uh...guys? I just got an email saying that, apparently, two-step login will now be MANDATORY.
I mean, as much as I'm glad it's here, I'm not really sure I like the idea of it being mandatory.

Edit: Nevermind, I apologize, I misread the email. Apparently, they'll ENABLE it by default, but it's still optional as you can go into your account and turn it off.
Also, I apparently missed the thread for it (looked for one, but couldn't find it until just now).
Post edited October 15, 2016 by zeogold
I opt out because your https server appears to be set in the us and I live in Australia so the system doesn't work

Perhaps later, but thanks for the option, GOG.
haldrie: As someone who got their Steam account hacked once due to my email getting hacked (they changed my password, email and everything and I only got the account back thanks to Steam Support being a separate account which they did not hack) I don't like the way this two-step authentication works by sending an email with a code. I would prefer something like using the open Google Authentication system instead at least as an option. Having an email sent to me as a second authentication doesn't make me feel any more secure than the long, randomly generated password I'm now using for my account password using Lastpass. I don't really trust the security of my email especially when I don't know who is reading it along with me across the internet so using it as part of extra security doesn't sit well with me. If you were to have the option to allow Google Authenticator as a second factor authentication I would use it as I am using it with several other things (including for my Lastpass) but until then I'm leaving two-step login disabled. I appreciate what you guys are doing it's just the implementation that I can't help but question.
Google Authentication would be awesome :)
Once more I appreciate that this thing isn't mandatory, dealing with it would be horrible for me.
haldrie: As someone who got their Steam account hacked once due to my email getting hacked (they changed my password, email and everything and I only got the account back thanks to Steam Support being a separate account which they did not hack) I don't like the way this two-step authentication works by sending an email with a code. I would prefer something like using the open Google Authentication system instead at least as an option. Having an email sent to me as a second authentication doesn't make me feel any more secure than the long, randomly generated password I'm now using for my account password using Lastpass.
Yeah, more options are always OK, as long as they don't force people to use those phone-based auth services but keep the option for email-based two-step authentication. That way one needs to only make sure that their email account is as secure as possible.

So that raises the question: how was it possible your email account was hacked? Didn't you use two-step authentication on it, even that Google auth system you mentioned? Shouldn't that have stopped any hacking attempts to your email account? Of course, if the email account is poorly secured, then it is meaningless to use email-based two-step authentication elsewhere. The chain is only as strong as its weakest link.

The reason I still want to keep email-based two-step authentication (instead of e.g. Google authentication) is that:

- Those phone-based auth systems apparently require me to give my personal details, like my phone number. I'd rather not give that, unless there is no choice (e.g. paying with my credit card... I guess that identifies me in stores where I make purchases). Microsoft sure keeps bugging me to give them my phone number to "secure my email account", but phuck them.

- I am unsure if those smartphone auth systems are compatible with third-party tools like gogrepo? For instance, the email-based two-step auth is fully compatible with gogrepo, you just enter the code you got into your email for gogrepo, if gogrepo sees GOG requires such code. So would that cause any problems with "Google authentication", or is the only difference that the code (which you enter into gogrepo) comes to your phone, and not your email?
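Several posts above ask for Google Authenticator or Authy support, and the one just above asks whether such codes could still be typed into a third-party tool like gogrepo. The following added example (not GOG's code, not gogrepo's, and not written by any poster in this thread) implements the open standard those apps use, HOTP (RFC 4226) and TOTP (RFC 6238), in Python, and checks itself against the test vectors published in those RFCs. The issuer and account names are placeholders. It shows the property the question turns on: the six digits are computed from a shared secret and the device clock, nothing is sent to the phone, and whatever prompt asks for the code can accept it, so a command-line tool that already prompts for an e-mailed code needs no protocol change to accept a TOTP code. The server side also has to tolerate a little clock drift and refuse to accept the same code twice, which the verifier below does.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamically truncate,
    and keep the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods
    since the Unix epoch. This is what the authenticator app displays."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, for_time: Optional[float] = None,
                step: int = 30, window: int = 1,
                last_used_counter: int = -1) -> Optional[int]:
    """Server-side check. Accepts the code for the current step or up to
    `window` steps either side to absorb clock drift. Returns the matching
    counter (the caller persists it as last_used_counter) or None. Counters
    at or below last_used_counter are rejected so an observed code cannot be
    replayed within its validity window."""
    if for_time is None:
        for_time = time.time()
    now_counter = int(for_time) // step
    submitted = submitted.strip().replace(" ", "")
    for counter in range(now_counter - window, now_counter + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """otpauth:// URI of the kind authenticator apps read from a QR code.
    The secret travels base32-encoded; issuer/account are display labels."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 reference secret, used only to demonstrate the vectors
    demo_secret = b"12345678901234567890"
    print("TOTP at t=59:", totp(demo_secret, 59))
    print(provisioning_uri("ExampleIssuer", "alice@example.com", demo_secret))
```

Enrolment consists of generating a random secret on the server, showing the provisioning URI as a QR code once, and storing the secret alongside the last accepted counter; from then on both sides compute the same digits independently. Note that a secret stored for verification must be protected like a password database, since anyone who reads it can produce valid codes.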
A bloody miracle! A site that implements 2-step, but which actually allows you to opt out! Thank the gods. I have pretty much everything set as session cookies and it gets really irritating to log in to my spam traps, er, e-mail (thanks to spammers, that's now e-mail's only use), every time I want to log in and use a site.

EDIT: Just noticed how old the original message and thread is and that the only change is that it'll be enabled by default.
Post edited October 16, 2016 by JDOgre