timppu: I am all for more options, but I'd probably keep using the email 2FA in GOG because I feel it is less prone to problems. So at least I hope GOG would allow using email 2FA, even if they also introduced mobile app 2FA.
Case in point, I have no recollection of enabling mobile app based 2FA in itch.io, but there it is, blocking me from entering my account. I don't have any entry in my phone's Google or MS authenticator apps for itch.io and no recollection of adding one. It may be that I added one a long time ago, forgot about it, and lost the authenticator entry when updating my phone to a newer model, not remembering to go through the laborious task of migrating all the entries from different authenticator apps to the new phone, since apparently they fail to migrate automatically even when using the same Google account on the new phone.
I've tried to contact the itch.io support to get it sorted out, but they haven't replied. So now I am locked out of my itch.io account due to that stupid app-based 2FA. Luckily I don't have many games on itch.io, but still.
With email I feel there is less probability of this kind of issue; I don't have to migrate my email manually to a new device if I buy a new phone or a new PC. As long as I don't abandon that email account (why would I anyway?), I am fine.
Mobile app 2FA may be more secure than email (or SMS) 2FA, but if it makes my life this hard and complicated, I'd rather not use it. I use it at my work because there it is required, and yes, it was quite an ordeal to move all my work-related MS Authenticator entries from the old phone to the new one, and a couple I couldn't move at all because they'd need to be re-established by some third-party company (our clients). Phuck them, I guess.
For a game service, email 2FA is good enough for me; I just need to keep the email account secure. It is not even that hard because it is 2024 and you can check your email easily even on your phone.
It's good for you that it actually works fine for you. Really!
But I had to disable 2FA entirely as otherwise GOG was simply unusable for me. I have multiple reliable mail service providers, one being Google and another being Proton, but GOG has really bad mail service on multiple days, so just logging into my account was simply impossible as the Galaxy Client wanted 2FA because of whatnot - it was logged in a day before just fine - and the mail simply wasn't coming in. It didn't for over a day. Another attempt then came in after a few hours, with the mail header and timestamps clearly showing it being delayed for hours on GOG's end.
E-Mail is NOT an instant medium. As someone working in IT network engineering, we tried drilling that tidbit into the brains of upper management persons for years. It simply isn't. And for a second security factor, which you would need within seconds to minutes of being requested, E-Mail is completely abysmal to use. It's "fine"/meh when it works properly and you get your code in a few minutes, but it's completely broken when it's delayed for hours or won't arrive due to some stupid misconfiguration of DNS, DNSSEC, DKIM, DMARC or any other service Mail relies on.
So NO. Simply no. Don't use Mail as a second factor. There are reasons that security-relevant services at first used SMS (before SIM swapping and cloning got easy enough as an attack vector) and then swapped it out because it could be stolen AND was unreliable when you had no phone near you or no reception. So they switched to either open standards like TOTP or OTP generators, or use FIDO/U2F, or their own app that implements some stupid non-default variation of TOTP (like Steam did/does).
So for God's sake: just use TOTP or go the extra mile and allow FIDO/U2F tokens. That's industry standard. Mail is not. SMS is obsolete and not very secure. Steam has their own stuff, Epic uses TOTP/tokens, even Microsoft and Sony got their act together and allow TOTP.
So please do add a real usable 2FA already!
Thanks