It seems that you're using an outdated browser. Some things may not work as they should (or don't work at all).
We suggest you upgrade newer and better browser like: Chrome, Firefox, Internet Explorer or Opera

×
Community
General discussionEmail changed without my permission(30 posts)(30 posts)
(30 posts)
Pages:
1
2
This is my favourite topic
Posted June 10, 2016
avatar
tinyE: I thought Oompa Loompas did all the labor at GOG.
that would be SO cool!
Posted June 10, 2016
high rated
avatar
Konrad: I'll pass this on to our support team to hopefully speed things up a bit. Once you get your account back, I STRONGLY recommend two-step login (https://www.gog.com/account/settings/security) to make this sort of thing just about impossible.
Seeing this thread, I came to ask, once again, to change the way this works. I see that the Cookie Monster covered it already, but I still want to add my voice - giving a user the heads up after the fact is backwards and useless, it needs to be the other way around.
Posted June 10, 2016
Hillary, is that you?
Posted June 10, 2016
deleted
Posted June 10, 2016
avatar
Firek: I asked one of my Minions to look into your case ASAP. We're overloaded with work due to the promo, which is slowing down response times, unfortunately. You should get a response in a couple of minutes, though.
So I still haven't heard anything, sorry if I sound pushy I just want to try and fix this as soon as possible,
Posted June 15, 2016
Hi, I just received the very same email, and I've wrote to the support mail.

Hope I can get my account back ASAP.
Posted June 15, 2016
high rated
avatar
HypersomniacLive: Seeing this thread, I came to ask, once again, to change the way this works. I see that the Cookie Monster covered it already, but I still want to add my voice - giving a user the heads up after the fact is backwards and useless, it needs to be the other way around.
I wholeheartedly agree with that notion. There has to be an upfront notification to confirm a change before it happens to make two-factor authentication actually useful in such a scenario. Would save GOG and it's customers a lot of trouble by not having to deal with a potential mess afterwards.

Midoryu

Edited 11:12: Fixed typing error.
Edit 2 13:41: Another one... sigh.
Post edited June 15, 2016 by Midoryu
Posted June 15, 2016
avatar
Konrad: Once you get your account back, I STRONGLY recommend two-step login (https://www.gog.com/account/settings/security) to make this sort of thing just about impossible.
avatar
PaterAlf: Could you please implement two-step authentication for account-critical stuff (e.g. changing of the mail adress) only? Many of us clear the cookies at the end of each browser session and don't want to be bothered every time we log into our account. We would still be happy if we get informed when somebody tries to change our mail adress. Informing us afterwards (the way it works now) is useless.
Meh, make it optional, I like the current system although my browsers also clear all data except passwords after closing them.

Better would be to start supporting Google Authenticator
Posted June 15, 2016
avatar
Konrad: Once you get your account back, I STRONGLY recommend two-step login (https://www.gog.com/account/settings/security) to make this sort of thing just about impossible.
avatar
PaterAlf: Many of us clear the cookies at the end of each browser session and don't want to be bothered every time we log into our account.
You can use a separate user account in your operating system just for logging into GOG.
Posted June 15, 2016
Imho the benefits of 2FA outweigh the downsides. Everyone should use it, else they risk exactly this, loosing access to their account.
Posted June 15, 2016
avatar
HypersomniacLive: Seeing this thread, I came to ask, once again, to change the way this works. I see that the Cookie Monster covered it already, but I still want to add my voice - giving a user the heads up after the fact is backwards and useless, it needs to be the other way around.
avatar
Midoryu: I wholeheartedly agree with that notion. There has to be an upfront notification to confirm a change before it happens to make two-factor authentication actually useful in such a scenario. Would save GOG and it's custumers a lot of trouble by not having to deal with a potential mess afterwards.
As I understand it, it already works like that (provided you have enabled two-step authentication). What PaterAlf was suggesting was actually more or less the opposite, namely that the two-step authentication be restricted to only affect account changes, and not logins. In both scenarios, two-step authentication would need to be enabled for the account in question though.

Personally, I agree it would be nice to have the two separated, with account change authentication being opt-out, and login authentication being opt-in.
Posted June 15, 2016
high rated
avatar
Wishbone: As I understand it, it already works like that (provided you have enabled two-step authentication). What PaterAlf was suggesting was actually more or less the opposite, namely that the two-step authentication be restricted to only affect account changes, and not logins. In both scenarios, two-step authentication would need to be enabled for the account in question though.
Personally, I agree it would be nice to have the two separated, with account change authentication being opt-out, and login authentication being opt-in.
I just changed my e-mail address to check on this and I received a mail afterwards that begins with
"Hi Midoryu, your e-mail address was changed" and ends with "If your email address was changed without your knowledge please contact our support team."
So it seems like two-factor authentication doesn't trigger on this one.

Also GOG states this on the ORDERS & SETTINGS/LOGIN AND SECURITY page:
"Two-step login is an optional extra layer of protection for your GOG.com account. With two-step login enabled, your identity will be verified through your email address whenever you log in from a new device, browser and/or location." Only used for login apparently, nothing else.

And yes, I understood what PaterAlf was suggesting and I'm all for it, because having more options is always better than having less. It should not be the main concern, however.
While this fixes a convenience issue, what HypersomniacLive brought more insistently to the table is a glaring security issue. Since he quoted a Blue, he obviously wanted to bring this to GOG's attention (again) and I just chimed in on that, because, like him, I believe it needs to be fixed and to be focused on above all else. I myself didn't knew about it beforehand, though. (So thanks for that.)

I hope I provided a better insight of what my intentions were with that earlier post.
(and for it to appear less confusing now)

Midoryu

PS: Gonna change my e-mail back now... And don't even get to confirm it!
_________________________________________________________________________

Edited 13:48: Added GOG two-step login explanation.
Edit 2 15:04: Rephrased the text to make it more obvious that PaterAlf mentioned the whole idea, already.
(Also typing errors.)
Post edited June 15, 2016 by Midoryu
Posted June 15, 2016
high rated
avatar
Midoryu: [...] what HypersomniacLive brought to the table is a glaring security issue, instead. Since he quoted a Blue, he obviously wanted to bring this to GOG's attention (again) and I just chimed in on that, because, like him, I believe it needs to be fixed. I myself didn't knew about it beforehand, though. (So thanks for that.) [...]
Exactly. When an account change is attempted, one should get a verification email in order for the change to go through, not an email telling you "hey, so and so changed, if it wasn't done by you, contact support".

This is how it works on other places I have accounts. And this is how it should work here too, especially since the current "two-step login" works the way it works, which, from my understanding, doesn't affect the way account changes work.

But even if I have it wrong, since it's optional, the way account changes work should be fixed to offer protection to people that opt-out from the "two-step login" system.
Posted June 15, 2016
avatar
Midoryu: [...] what HypersomniacLive brought to the table is a glaring security issue, instead. Since he quoted a Blue, he obviously wanted to bring this to GOG's attention (again) and I just chimed in on that, because, like him, I believe it needs to be fixed. I myself didn't knew about it beforehand, though. (So thanks for that.) [...]
avatar
HypersomniacLive: Exactly. When an account change is attempted, one should get a verification email in order for the change to go through, not an email telling you "hey, so and so changed, if it wasn't done by you, contact support".

This is how it works on other places I have accounts. And this is how it should work here too, especially since the current "two-step login" works the way it works, which, from my understanding, doesn't affect the way account changes work.

But even if I have it wrong, since it's optional, the way account changes work should be fixed to offer protection to people that opt-out from the "two-step login" system.
In that case, I stand corrected. If two-step authentication really only affects logins and not account changes, then it's next to useless.
Posted June 15, 2016
Also GOG states this on the ORDERS & SETTINGS/LOGIN AND SECURITY page:
"Two-step login is an optional extra layer of protection for your GOG.com account. With two-step login enabled, your identity will be verified through your email address whenever you log in from a new device, browser and/or location."
So I got my 'XP' by turning on 2SA - thanks for the reminder, gOg. I regularly login from three devices: my fingerprint-locked phone, our kitchen PC, and my work laptop. Only the phone login required 2SA after turning it on, and that was only the first time I visited the site. The other two simply let me in like always. Granted, I did save the log-in credentials in the browser so I previously did not need to log in each time, but shouldn't it have required authentication at least the first time I visited the site on each device after turning on the feature? Or are those other logins getting a pass because the system recognizes the location by IP address?
Pages:
1
2
This is my favourite topic
Community
General discussionEmail changed without my permission(30 posts)(30 posts)
(30 posts)