Two-Factor Authentication / 2FA Support for Mobile Apps via Open Standard
Sending a 4-digit code by email as your only 2FA method is absolute madness in 2023. Hire me and I'll build a proper 2FA system for you.
Another thread here with the same request. www.gog.com/wishlist/site/add_google_authentication_option
add it NOW
WTF it's 2023 and they still haven't sorted this out?
2FA by mobile App or FIDO (hardware keys). E-mail based 2FA may be dangerous and it is inconvenient
@JakobFel "I can support this if it's given as an option, rather than a replacement for the email verification. I don't use a smartphone and don't want to tie my account(s) to a single PC so my only option is stuff like email verification. "
I can sympathize with that. Being an IT Manager for many years I have seen many platforms and how they implement their authenticator. I even remember working with the old RSA key fobs.
I think a common misconception is that everyone has a smartphone. Really though not everyone does and in fact many people opt only for flip phones with basic calling. I think there should be options for:
1. Existing GoG email
2. A GoG proprietary authenticator app (possible?) kind of like how Steam has one, Blizzard has one, etc.
3. Option to use popular third party authenticators such as Microsoft, Google, Yubico, Authy, etc.
My honest opinion is I hate receiving 2 factor authentication by email. In fact it's been widely accepted that this is NOT a secure way to handle it by all of the major industry players. The other thing I don't like is that it is only a 4 digit key vs a 6 or 8 digit key.
We need 2FA by App!
Please add these options! I don't want to use my email as a two-factor authentication system.
Fk these mobile! We don't want them, we want FIDO! And TOTP for KeePass.
I can support this if it's given as an option, rather than a replacement for the email verification. I don't use a smartphone and don't want to tie my account(s) to a single PC so my only option is stuff like email verification.
First thing I missed coming from Steam as soon as I downloaded GOG Galaxy. I don't really feel safe spending a lot of money when there's no TOTP to protect the games I bought in case someone was to get ahold of my account
Here is (yet another) demonstration of why SMS authentication is terrible and GOG should implement more secure auth methods like TOTP: https://lucky225.medium.com/its-time-to-stop-using-sms-for-anything-203c41361c80
SMS is not secure for anything. Please implement TOTP.
Gibborz app support nao.
Mobile app 2FA is the minimum security requirement nowadays. And YubiKey/FIDO2/WebAuthn would be quite nice to have.
I'm equally annoyed by this, I needed to get my 2fac code and just opened my auth app.
Email is not strong enough any more!
Can't believe this has been sitting here for four years. Sending codes over email does not mean you have "solved" 2FA for the site (what if their email account has been compromised?).
This should have been done ages ago. TOTP is trivial to implement. Yubikey/FIDO2/WebAuthn would be extra nice.
This is really absolutely needed. I'm sad GOG doesn't have it, as it's so great in all other ways.
Please add, guys! It's not even a huge job. TOTP would be great, Fido2 with CTAP2 would be amazing.
Please offer alternative and more secure two-factor authentication methods
This is nowadays a must.
2020 is here and no mobile TOTP support or those Yubikey? c'mon!! It's a must these days if you want to secure an account with games purchased in it.
Please do add support for mobile authenticators (and if not by an app made for GOG specifically, use the TOTP standard). SMS is a very poor method of authentication (re: SIM jacking) and email is quite cumbersome.
It is a must-have today. Pin via email or sms, seriously?
If security is at all a concern for GOG and they value their customers I strongly believe 2FA TOTP should be the primary option available. I was very shocked that it is a 4 digit pin sent to your email.
Yep, this gets my vote with a preference for TOTP.
agree please go for it
Authy support, please. Humble Bundle does that and it works perfectly.
A competing platform offers both 2FA via email or app, which is a good idea because not everyone has access to both.
The email comes in 5-10 minutes! It's horrible! I want to use Authy on my phone plz
I second this request. It's nice to have one app (like FreeOTP) for all your logins
I don't want to have to go out and buy a smart device just to access my account/etc.
Being able to use a QR code to sync with timed counter, with the option for disabling/resetting 2FA via email should the device go missing would be great. Some services also allow for setting up a backup phone for such situations.
Definitely prefer TOTP over HOTP... Have also voted for this: www.gog.com/wishlist/site/two_factor_authentication_with_totp
1Password and Authy both support Google Authenticator which adds security and gives flexibility to the user.
From what I remember from playing around with a YubiKey, HOTP uses a counter and, as such, doesn't play well with having more than one authenticator, so I'm against that.
However, I'm in favor of TOTP as long as it doesn't use something like Authy where you MUST use SMS to receive the TOTP seed and Authy will then zealously guard it. (My portable device is an OpenPandora running a non-Android Linux and, for desktop use, I do 2FA via KeePass2 with the TrayTOTP plugin.)
Google Authenticator is fine in that respect, making it easy to extract the TOTP seed from the QR code using libqrdecode if the site was mean enough to not include it in clear text below the QR code.
(Given my use of KeePass2 with a unique, strong, hard-random password for each site and my use of HTTPS Everywhere and rules like "never click a link in an e-mail", I fear getting locked out by a 2FA oops far more than getting my password compromised, so I must have at least two authenticators.)
Plus, given that the OAuth API LGOGDownloader uses is incomplete, I need TOTP so that LGOGDownloader can comfortably share the TOTP seed with my regular authenticators.
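The HOTP/TOTP difference raised in the comment above, as an added example that is not part of the thread: it reads the seed from an `otpauth://` URI (the payload a setup QR code carries) and shows two authenticators sharing that seed under TOTP and under HOTP. The URI is constructed from the RFC 6238 test seed, and `HotpServer` with its look-ahead window is a hypothetical verifier, not GOG's.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: RFC 6238 test seed in the URI form a setup QR code carries.
SAMPLE_URI = "otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"

def seed_from_otpauth(uri: str) -> bytes:
    """Pull the shared seed out of the decoded QR payload."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth URI")
    secret = parse_qs(parsed.query)["secret"][0].upper()
    return base64.b32decode(secret + "=" * (-len(secret) % 8))

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is derived from the clock."""
    return hotp(seed, unix_time // step, digits)

class HotpServer:
    """Hypothetical verifier: remembers the next counter, allows a small look-ahead."""
    def __init__(self, seed: bytes, window: int = 2):
        self.seed, self.counter, self.window = seed, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1  # every counter up to c is now spent
                return True
        return False

def two_authenticators(seed: bytes):
    """Return (totp_devices_agree, hotp_device_a_ok, hotp_device_b_ok)."""
    # TOTP: two devices whose clocks differ by 5 s inside one 30 s step agree.
    totp_agree = totp(seed, 1_700_000_010) == totp(seed, 1_700_000_015)
    # HOTP: device A logs in three times; device B still sits at counter 0.
    server = HotpServer(seed)
    device_a_ok = all(server.verify(hotp(seed, c)) for c in range(3))
    device_b_ok = server.verify(hotp(seed, 0))
    return totp_agree, device_a_ok, device_b_ok

if __name__ == "__main__":
    print(two_authenticators(seed_from_otpauth(SAMPLE_URI)))
```

Device B's code is rejected because the server's counter has already moved past it, while both TOTP devices derive the same counter from the clock and need no shared state beyond the seed.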
33 comments about this wish