An extra layer of protection for you and your account.

Today, we bring you two-step login: an optional extra layer of protection for your GOG.com account. In the coming weeks, we'll also be making all communication between you and GOG encrypted by default with HTTPS everywhere — both methods often requested on our wishlist, but also simply pretty smart to offer.

Two-Step Login
Two-step login is an extra layer of protection for your GOG.com account. Every once in a while, we'll ask you to verify your identity with a 4-character security code sent to your email. Simple stuff.

Two-step login is optional, but we really recommend it. It's designed to bug you only when we notice something unusual — like logging in from a new browser or location. By doing this, we make sure that there's no way to gain unauthorized access to your GOG.com account without both your GOG password and your email account. When used to its full potential with unique passwords for every account, two-step login can be virtually impenetrable.

To enable two-step login, simply head to your Login & Security settings, verify your email address, and enjoy the extra peace of mind. For more information, check out the FAQ.
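The flow described above (a short code emailed to the account holder when a login looks unusual, required in addition to the password) can be sketched server-side as follows. This is an added example, not GOG's code; the 4-character alphanumeric alphabet, the ten-minute lifetime, the five-attempt cap and the device-token/country trigger are assumptions made for illustration. The check a practitioner wants here is that a code this short only holds up if it is single-use, short-lived and strictly guess-limited, and that the server stores a hash of the code rather than the code itself.

```python
import hashlib
import hmac
import secrets
import string
import time

# Constructed example of an email one-time-code check. Parameters are assumptions,
# not GOG's values.
CODE_ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols; 4 chars -> ~1.7M codes
CODE_LENGTH = 4
CODE_TTL_SECONDS = 10 * 60   # assumed lifetime of one code
MAX_ATTEMPTS = 5             # a 4-character code is only safe with a strict attempt cap


class PendingChallenge:
    """Server-side state for one outstanding code: its hash, expiry and attempt count."""

    def __init__(self, code_hash, expires_at):
        self.code_hash = code_hash
        self.expires_at = expires_at
        self.attempts = 0


def _hash_code(code, challenge_id):
    # Bind the hash to the challenge id so a code from one challenge cannot be
    # replayed against another one.
    return hashlib.sha256(f"{challenge_id}:{code}".encode()).hexdigest()


def issue_code(store, challenge_id, now=None, rng=secrets):
    """Create a code for challenge_id and return the plaintext to email to the user.
    Only the hash is kept in the store."""
    now = time.time() if now is None else now
    code = "".join(rng.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
    store[challenge_id] = PendingChallenge(_hash_code(code, challenge_id),
                                           now + CODE_TTL_SECONDS)
    return code


def verify_code(store, challenge_id, submitted, now=None):
    """Return True only for a correct, unexpired code within the attempt budget.
    The challenge is consumed on success and when attempts run out, so every
    code is single-use."""
    now = time.time() if now is None else now
    pending = store.get(challenge_id)
    if pending is None:
        return False
    if now > pending.expires_at:
        del store[challenge_id]
        return False
    pending.attempts += 1
    actual = _hash_code(submitted.strip().upper(), challenge_id)
    ok = hmac.compare_digest(pending.code_hash, actual)  # constant-time comparison
    if ok or pending.attempts >= MAX_ATTEMPTS:
        del store[challenge_id]  # burn the code after use or after too many guesses
    return ok


def needs_second_step(known_devices, device_token, last_country, current_country):
    """Decide whether a login is unusual enough to require the email step: an
    unrecognised device token or a change of country triggers it (assumed policy)."""
    return device_token not in known_devices or current_country != last_country


if __name__ == "__main__":
    # Constructed run: a login from a new device triggers a challenge.
    store = {}
    if needs_second_step({"known-device-token"}, "new-device-token", "PL", "PL"):
        code = issue_code(store, "login-42")
        print("emailed code:", code)
        print("verified:", verify_code(store, "login-42", code))
```

The store is a plain dict here; in a real deployment it would be a per-user record with the same three fields, and the attempt counter should also be enforced per account, not only per challenge, so that requesting a fresh code does not reset the budget.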

Additionally, you can now end all of your active GOG.com sessions in one click — this includes every device or browser you ever logged in through. It's a handy feature if you've recently used a public computer, or if you simply want to be sure no device is still logged in to your account.

HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, and now we're beginning to roll it out globally. That means HTTPS support for every connection between you and GOG.com — all secured with industry-standard encryption. Every bit (and byte) of data that travels between you, us, and everyone on GOG.com will be encrypted, including the store, forum, chat, downloads and even all of GOG Galaxy. It truly is HTTPS everywhere.

Hopefully the blues will see this:

Add a clickable sub-option to only do the verification when logging in with a new IP.
ex:
My VoIP provider does offer some sort of optional protection if you log in with another IP, or triggers only if that IP is outside your country / a Tor node / a public VPN.
Since my IP rarely changes I would be OK with enabling that, like I did with my VoIP. In a few years, when the majority uses IPv6, they will have the same opportunity.
haldrie: As someone who got their Steam account hacked once due to my email getting hacked (they changed my password, email and everything, and I only got the account back thanks to Steam Support being a separate account which they did not hack) I don't like the way this two-step authentication works by sending an email with a code. I would prefer something like using the open Google Authentication system instead, at least as an option. Having an email sent to me as a second authentication doesn't make me feel any more secure than the long, randomly generated password I'm now using for my account password using LastPass.
timppu: ... So that raises the question: how was it possible your email account was hacked?...
Because I was stupid and used the same password as I had used on another site that got hacked and never changed it. I am also using an email address tied to a shared server I own, and not Gmail or any of those, for my GOG email address... might want to consider changing that. That has been rectified, but I feel that if security is GOG's main concern with this system then maybe don't use an inherently insecure method of communication as part of that security... aka sending an email with a one-time-use code that can be intercepted, especially when it's impossible for GOG to know if the person in control of the email address is the person they think it is and not someone who hacked it, as happened to me with Steam. In that case I was using the same one-time-use code system Steam has to protect my account, just like GOG is doing now.

As for the other things you said that I cut out of this reply: Google Authenticator is open source, as is the protocol, meaning anyone can use it freely without having to buy a license or whatnot. You don't have to give up any information, and the phone app does not require any special permissions other than access to your camera to be able to scan QR codes. At the same time there is a manual code you can use as well, and a PC tool, so you aren't forced to have a smartphone to use it. In the case of gogrepo, GOG can always implement a static password system similar to what Google does with their accounts for programs that don't support the 2-factor authentication system (such as with Mozilla Thunderbird for emails). It means you have to trust whatever program you give that password to not to be malicious, but it is something, and a method to revoke those passwords would also be needed.
Thank you!!
As long as people can opt out of it, I think the majority of people will be fine.
Nth-ing the calls for a Google Authenticator compatible authentication option (TOTP I think?), as an alternative to - but not a replacement for - email authentication.
Post edited October 17, 2016 by raveturned
+1 for open standards such as HOTP/TOTP, or as most people will know it "Google Authenticator", Authy, FreeOTP et al.

I'd also like to point to U2F, which would be super great. ;)
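For the HOTP/TOTP option the posts above ask for, this is what a standards-conforming implementation looks like (RFC 4226 and RFC 6238, the algorithms Google Authenticator, Authy and FreeOTP implement). It is an added example, not GOG's code or any of those apps' code; the account name, issuer and the one-interval drift window are assumptions. It goes slightly beyond the posts by also emitting the otpauth:// provisioning URI that the apps read from a QR code, and by showing the verifier side with a constant-time comparison.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Added example: HOTP (RFC 4226) and TOTP (RFC 6238). The defaults (SHA-1, 6 digits,
# 30-second step) are the ones authenticator apps assume when the URI omits them.


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                          # low nibble of last byte selects window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret, for_time=None, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238: HOTP over the number of `step`-second intervals since the Unix epoch."""
    for_time = time.time() if for_time is None else for_time
    return hotp(secret, int(for_time // step), digits, digestmod)


def verify_totp(secret, submitted, for_time=None, step=30, digits=6, window=1):
    """Accept the code for the current interval or up to `window` neighbouring
    intervals (clock drift), compared in constant time. A real verifier must also
    reject reuse of an already-accepted code and cap attempts, as with any short OTP."""
    for_time = time.time() if for_time is None else for_time
    counter = int(for_time // step)
    for delta in range(-window, window + 1):
        candidate = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def provisioning_uri(secret, account, issuer, digits=6, step=30):
    """otpauth:// URI (Key Uri Format) for the enrolment QR code; the secret is
    Base32-encoded without padding, as the apps expect."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={digits}&period={step}")


if __name__ == "__main__":
    # RFC 6238 test secret, used here only as a constructed demo; never reuse it.
    demo_secret = b"12345678901234567890"
    print(provisioning_uri(demo_secret, "user@example.com", "ExampleIssuer"))
    print("current code:", totp(demo_secret))
```

The secret must be generated per account from a CSPRNG (for example `secrets.token_bytes(20)`), shown to the user once at enrolment and stored encrypted at rest; unlike an emailed code, nothing travels over email or SMS, which is the property the posts above are after.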
Nowadays even smart users will get hacked, not because they reuse the same passwords on every account but because hacking is so common today.

I have copied some of the advice from the GOG mail.

Very rarely, some external services can get hacked, and their login and password combinations “leak out”. Unauthorized parties can then try to use these logins and passwords to access accounts on secure services, like GOG.com.
Forget the "very rarely": in the case of mail services:

Yahoo says they were 'state sponsored' hacked and millions of accounts have been compromised.

So who f-ed up big time? NOT we the users but THEY, the big guys who can't keep an online email service safe.

If they can hack into the system, forget about using extremely difficult passwords; they can get in anyway.

Normally, when you used 24 random chars they had a hard time getting it, and only the big boys would make it.

example:

kids make accounts like this:

account name: myaccount123
password: lovely teddybear (or some easy stuff like that)

Before they started 'state sponsored' hacking as yahoo calls it, you'd be very safe if you had a simple mail with no interesting data on it.

This kind of password would have kept you safe in the 80s-90s:


@0%-Y^#1@+B_Nk_RuQsif%__I_l)V@_The&N$CYH_#1_sOnd@+B_Nk_RuQsif_RTYEW&$JF*$(FK%OF*(RKLF*(RKLF

But not today.

I assume you know the Fast and the Furious movies?
The one with the safe behind 2 cars (it's bull, but the movie is fun to watch).
The safe is a fake, a copy, while the real one is being taken away to a safe hiding place.

So what I want to say is: today they can get anything they want if they really want it.

Jesus Christ, if they ask me whether my email address is current one more time, I swear to god.

*clicks yes for the 34th time*
mintee: I've had to disable this feature, which I appreciate totally, due to my settings of deleting cookies etc. when I log off daily. Having to re-enter the code every time I log into GOG was becoming a hassle.
Same, which is a pity as I liked the idea of this feature. Also remember having to get the code sent more than once on a regular basis.
Thanks for keeping features optional. Me, I like this one though. I turned it on a couple of days ago, it's not a big hassle when logging on and I appreciate the extra security layer. What's a bit of a drag is that reCAPTCHA on login is still here.
Well, I don't like this. But it seems I don't have a choice. Now I have to open my email too if I want to access my account. Just, please, PLEASE, DO NOT FORCE US TO ACCESS WITH AN APP. I lost my Steam account for six months for that.
seikus: Well, I don't like this. But it seems I don't have a choice. Now I have to open my email too if I want to access my account. Just, please, PLEASE, DO NOT FORCE US TO ACCESS WITH AN APP. I lost my Steam account for six months for that.
You have a choice. Two-Step login can be disabled under account settings if you really want to, it's just not really recommended.
Vainamoinen: Jesus Christ, if they ask me whether my email address is current one more time, I swear to god.

*clicks yes for the 34th time*
Try to log on from a game page, not the main page. When I log on from a game page the site doesn't ask me if I want to continue to use my current e-mail...
seikus: Well, I don't like this. But it seems I don't have a choice. Now I have to open my email too if I want to access my account. Just, please, PLEASE, DO NOT FORCE US TO ACCESS WITH AN APP. I lost my Steam account for six months for that.
BKGaming: You have a choice. Two-Step login can be disabled under account settings if you really want to, it's just not really recommended.
Thank you, I just disabled it. I don't usually check my email; it doesn't have much activity.
So... why can I now access my account without the 2S verification that I have had enabled since day one?