An extra layer of protection for you and your account.

Today, we bring you two-step login: an optional extra layer of protection for your GOG.com account. In the coming weeks, we'll also be making all communication between you and GOG encrypted by default with HTTPS everywhere — both methods often requested on our wishlist, but also simply pretty smart to offer.




Two-Step Login
Two-step login is an extra layer of protection for your GOG.com account. Every once in a while, we'll ask you to verify your identity with a 4-character security code sent to your email. Simple stuff.

Two-step login is optional, but we really recommend it. It's designed to bug you only when we notice something unusual — like logging in from a new browser or location. By doing this, we make sure that there's no way to gain unauthorized access to your GOG.com account without both your GOG password and your email account. When used to its full potential with unique passwords for every account, two-step login can be virtually impenetrable.

To enable two-step login, simply head to your Login & Security settings, verify your email address, and enjoy the extra peace of mind. For more information, check out the FAQ.




Additionally, you can now end all of your active GOG.com sessions in one click — this includes every device or browser you ever logged in through. It's a handy feature if you've recently used a public computer, or if you simply want to be sure no device is still logged in to your account.







HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, and now we're beginning to roll it out globally. That means HTTPS support for every connection between you and GOG.com — all secured with industry-standard encryption. Every bit (and byte) of data that travels between you, us, and everyone on GOG.com will be encrypted, including the store, forum, chat, downloads and even all of GOG Galaxy. It truly is HTTPS everywhere.
haydenaurion: I do that every time and it does nothing. Not sure if it's on my end or not.
JudasIscariot: Chrome version?
Yes, on Google Chrome on home desktop.
JudasIscariot: Chrome version?
haydenaurion: Yes, on Google Chrome on home desktop.
I meant version as in the version number :)

Mine is, for example, 49.0.2623.75 m

You can find this by going into Settings then About in Chrome :)

edit: in order to solve this now, just write "https://www.gog.com" and you should have https set everywhere :)

Keep in mind that we are rolling out these changes steadily but soon all of our links will be https-ed :)
Post edited March 07, 2016 by JudasIscariot
MarkoH01: I have the same problem with indie gala. Maybe it's because of the automatic updates of firefox now and then. Luckily you can turn the feature off.

However I find it a bit puzzling that you are going such length for extra security but you still won't do anything to keep scammers and impersonators out - and you know that they are here. You should prevent double accounts to make it at least a bit more difficult to pester the GOG community.
How would they even implement that?

Email based prevention:
- Multiple people can use the same email address and couples sometimes share a single address for example, and they may have different accounts.

- One person can trivially make multiple email accounts at any free mail service on the web, on their own mail server(s) or use email aliases. Even gmail provides free email aliases for all gmail users, giving infinite email addresses to anyone who needs them.

IP address based prevention:
- Many people can be behind one single IP address due to using NAT within a single dwelling, apartment complex, office, or perhaps even small banana republic country, or North Korea for example.

- Some ISPs out there already deploy CGN (carrier grade NAT) which puts multiple customers in multiple households on the same shared IP address.

- Someone might have multiple computers on their LAN behind NAT either in a household or in a business like a login-cafe for example, and have a separate GOG account for each computer so that they are not violating the End User License Agreement of each individual video game. Such agreements usually restrict the installation and/or playing of a game to a single computer at a time. In order for an individual or business to comply with the EULA they would need to own several copies of the game(s) if the game's EULA requires a separate license per simultaneous use, and that would require owning several GOG accounts to have multiple licenses.


There is no other simple way that I can think of to try to conclusively determine that someone is purposefully making multiple accounts for the purpose of beating the system or scamming people other than observing their behaviour over time via automated software and statistical analysis and based on customer complaints etc. Any other methods that might attempt to target people would almost certainly require specialized software which almost certainly would both fall under the category of being called DRM, and also would completely fail miserably at doing what it intends to do while harming all of the legitimate usage cases that I outlined above as well as many more I probably haven't thought of yet.

Having said that, it might make sense to have restrictions on how many accounts per minute/day/week/month or whatever can be created on a single email address or IP or IP block, and potentially put a cap in place as to a maximum, but that too will be ineffective to someone hell bent on beating the system, not to mention that about 11% of the world is now connected to the Internet via IPv6, and while GOG is not yet IPv6-enabled on any of their services they will be some day. When that happens, every single living breathing person who is connected to the Internet over IPv6 will have more IP addresses available to them on their home computer network than there are stars in the sky and grains of sand on every beach in the world. Trying to block them or restrict them individually is fruitless, and trying to block netblocks can affect multiple users very easily.

In short, there isn't a heck of a lot that can be done about problem users like this other than to detect them after the fact and restrict or remove their accounts. They could also put restrictions on what new accounts can do which do not have a credit card tied to them yet, how many accounts can be tied to a single card before needing to contact support to make a manual special request for more, and to prevent people from using features on the site or something - but that ends up affecting all users until they make a purchase or are around for a certain time frame.

In every scenario the honest person gets screwed in some way and the bad guy finds a way to work around it. Much like copyright protection/piracy.
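The throttling idea in the post above (limits per email address, per IP and per IP block, with IPv6 in mind) can be made concrete. The following is an added example, not GOG's code: one mailbox is counted once even when it hides behind plus-tags or gmail dot aliases, an IPv4 client is counted per address and an IPv6 client per /64, and the limits, window and canonicalisation rules are assumptions chosen for illustration.

```python
# Added example (not GOG's code): throttling account creation per mailbox and per
# network prefix. Limits, window and the email-canonicalisation rules are assumptions.
import ipaddress
import time
from collections import defaultdict, deque


def canonical_email(addr: str) -> str:
    """Collapse the free aliases one mailbox can present as (plus-tags, gmail dots)."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    local = local.split("+", 1)[0]            # user+anything@ -> user@
    if domain in ("gmail.com", "googlemail.com"):
        domain = "gmail.com"                  # same mailbox under either domain
        local = local.replace(".", "")        # gmail ignores dots in the local part
    return f"{local}@{domain}"


def ip_bucket(ip: str) -> str:
    """Key an IPv4 client by address and an IPv6 client by its /64, the usual per-home prefix."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)   # NB: under carrier-grade NAT one v4 address can be many households


class SignupLimiter:
    """Sliding-window counters; a successful signup is recorded, a refused one is not."""

    def __init__(self, per_email=1, per_ip=5, window=86400):
        self.per_email, self.per_ip, self.window = per_email, per_ip, window
        self._email_hits = defaultdict(deque)
        self._ip_hits = defaultdict(deque)

    def _count(self, hits, key, now):
        q = hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()                           # drop entries outside the window
        return len(q)

    def allow(self, email, ip, now=None):
        """Return (allowed, reason); reason is 'ok', 'email' or 'ip'."""
        now = time.time() if now is None else now
        ekey, ikey = canonical_email(email), ip_bucket(ip)
        if self._count(self._email_hits, ekey, now) >= self.per_email:
            return False, "email"
        if self._count(self._ip_hits, ikey, now) >= self.per_ip:
            return False, "ip"
        self._email_hits[ekey].append(now)
        self._ip_hits[ikey].append(now)
        return True, "ok"


if __name__ == "__main__":
    # constructed sample signups, documentation addresses only
    limiter = SignupLimiter(per_email=1, per_ip=3, window=3600)
    for t, mail, ip in [(0, "Alice.B+shop@gmail.com", "203.0.113.7"),
                        (10, "aliceb@googlemail.com", "203.0.113.7"),
                        (20, "bob@example.org", "2001:db8:abcd:1::5"),
                        (30, "carol@example.org", "2001:db8:abcd:1:ffff::9")]:
        print(t, mail, ip, limiter.allow(mail, ip, now=t))
```

The per-IP limit has to stay generous because of the CGN case the post describes, and the IPv6 bucket is a /64 rather than a single address for exactly the reason given: a home network has far more addresses than any per-address counter could track.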
Nice job with adding HTTPS but some of the security could be a bit better, check this out:

This one could be better, no huge issues though: https://www.ssllabs.com/ssltest/analyze.html?d=www.gog.com
These seem good:
https://www.ssllabs.com/ssltest/analyze.html?viaform=on&d=gog.com
https://www.ssllabs.com/ssltest/analyze.html?d=images.gog.com&latest

You should fix the issues to get a better grade on that site, also check back because they change the tests around.

EDIT: here is another B: https://www.ssllabs.com/ssltest/analyze.html?d=login.gog.com

Also the favicon on the posting popup is not secure, gives firefox a warning.
Post edited March 07, 2016 by Forcen
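The favicon warning mentioned above is a mixed-content finding: an https page that pulls a sub-resource over plain http. As an added example (not GOG's or the forum software's code), here is a small scanner that walks a page's markup and lists every fetched resource that would go over http; the sample page and all host names in it are constructed for the example.

```python
# Added example (not GOG's code): find sub-resources a browser would fetch over plain
# HTTP from an HTTPS page, the "mixed content" case behind a favicon warning.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attributes that name a fetched resource (anchors are navigation, not mixed content)
RESOURCE_ATTRS = {
    "script": ("src",), "iframe": ("src",), "object": ("data",), "embed": ("src",),
    "link": ("href",), "img": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "source": ("src",),
}
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}   # can run code: browsers block these


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):   # HTMLParser also routes self-closing tags here
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        active = tag in ACTIVE_TAGS or (tag == "link" and "stylesheet" in rel)
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            url = urljoin(self.page_url, value.strip())   # relative and // URLs inherit https
            if urlsplit(url).scheme == "http":
                self.findings.append({"tag": tag, "attr": name, "url": url,
                                      "kind": "active" if active else "passive"})


def find_mixed_content(page_url, html):
    """Return findings in document order for an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only defined for an https page")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (not GOG's markup): one insecure favicon, one insecure image.
SAMPLE_PAGE = """<html><head>
<link rel="icon" href="http://static.example.test/favicon.ico">
<link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="//images.example.test/logo.png">
<img src="http://images.example.test/banner.png">
<a href="http://forum.example.test/thread">a plain link is not mixed content</a>
</body></html>"""

if __name__ == "__main__":
    for f in find_mixed_content("https://www.example.test/post", SAMPLE_PAGE):
        print(f"{f['kind']:7} {f['tag']}[{f['attr']}] -> {f['url']}")
```

Passive findings (images, icons, media) are what produce the browser warning in the post; active ones (scripts, frames, stylesheets) are outright blocked by modern browsers, so they are the ones to fix first when a rollout like this is in progress.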
triplett: And properly secure the Mantis bug tracker and fix *that* FAQ. :-)
I would have suggested filing a bug report for the mantis website issue, but there is no way to file a bug against the website nor mantis itself inside mantis. :) One could bounce a report through support though. :)
Google Authenticator option when?
Forcen: Nice job with adding HTTPS but some of the security could be a bit better, check this out:

This one could be better, no huge issues though: https://www.ssllabs.com/ssltest/analyze.html?d=www.gog.com
These seem good:
https://www.ssllabs.com/ssltest/analyze.html?viaform=on&d=gog.com
https://www.ssllabs.com/ssltest/analyze.html?d=images.gog.com&latest

You should fix the issues to get a better grade on that site, also check back because they change the tests around.
Indeed. The SHA1 intermediate certificates are bad, because major browsers are in the process of shitcanning SHA1 support and making a very strong push to site owners to upgrade to the SHA2 suite. It won't be long now, maybe as early as June or July if I remember correctly when Firefox and Chrome as well as possibly other browsers will no longer support SHA1. Mozilla just recently gave a particular vendor a 90 day pass to get their certs updated to SHA2. Older certs are supported for longer but the clock is ticking.

There is a good chance that GOG's CA has an SHA256 intermediate cert available also, so it's probably just a matter of firing off a one-liner in ansible or whatever they use to manage the backends.
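The SHA1 intermediate point above is something an operator can check from a saved chain rather than waiting for an external scan. This added example (not GOG's, SSL Labs' or any CA's code) reads only the signatureAlgorithm field of each DER certificate with a minimal DER reader and flags MD5 and SHA-1 signatures; the "certificates" used to exercise it are constructed DER skeletons, not real certificates, and the OID table is limited to the common RSA and ECDSA algorithms.

```python
# Added example (not GOG's code): flag SHA-1/MD5 signatures in a certificate chain
# by reading the signatureAlgorithm field of each DER certificate.
import base64
import re

ALGORITHMS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:                                   # long form: first & 0x7F length bytes follow
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    parts = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                       # base-128, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)     # AlgorithmIdentifier
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def pem_chain_to_der(pem_text):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def der_to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


def audit_chain(der_certs):
    """Leaf first, as a server sends it. A self-signed root's own signature is not
    security-relevant (it is trusted by identity), so ignore the last entry if the root is included."""
    report = []
    for i, der in enumerate(der_certs):
        oid = signature_oid(der)
        report.append({"index": i, "role": "leaf" if i == 0 else "issuer",
                       "algorithm": ALGORITHMS.get(oid, oid), "weak": oid in WEAK})
    return report


# --- constructed fixtures: NOT real certificates, only the outer DER skeleton ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([parts[0] * 40 + parts[1]])
    for v in parts[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert_der(sig_oid):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                          # stand-in tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL params
    sig = _tlv(0x03, b"\x00" * 5)                                  # stand-in BIT STRING
    return _tlv(0x30, tbs + alg + sig)
```

On a real deployment the input would be the PEM chain the server is configured to send; the parser deliberately does not validate anything else about the certificates, so it cannot be used as a substitute for a full chain check, only as a quick "is anything still signed with SHA-1" gate.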
haydenaurion: Yes, on Google Chrome on home desktop.
JudasIscariot: I meant version as in the version number :)

Mine is, for example, 49.0.2623.75 m

You can find this by going into Settings then About in Chrome :)

edit: in order to solve this now, just write "https://www.gog.com" and you should have https set everywhere :)

Keep in mind that we are rolling out these changes steadily but soon all of our links will be https-ed :)
Updating Chrome didn't fix it, but that link works. Thanks and thank you guys for finally bringing two-step to gog, makes me feel a bit more comfortable after those accounts got stolen during the release of The Witcher 3 and Galaxy.
JudasIscariot: I meant version as in the version number :)

Mine is, for example, 49.0.2623.75 m

You can find this by going into Settings then About in Chrome :)

edit: in order to solve this now, just write "https://www.gog.com" and you should have https set everywhere :)

Keep in mind that we are rolling out these changes steadily but soon all of our links will be https-ed :)
haydenaurion: Updating Chrome didn't fix it, but that link works. Thanks and thank you guys for finally bringing two-step to gog, makes me feel a bit more comfortable after those accounts got stolen during the release of The Witcher 3 and Galaxy.
At least you updated Chrome though :P
This is a very nice start, I hope you'll add more options for how you do 2FA (I don't mind email, and I'm glad it's not tied to google), as well as allow us to configure when we'll need to do 2FA
Nevermind should read before asking questions :(
Post edited March 07, 2016 by Cavenagh
skeletonbow: How would they even implement that?
......
In every scenario the honest person gets screwed in some way and the bad guy finds a way to work around it. Much like copyright protection/piracy.
I have to agree here - I obviously have not thought this through enough. Still it would be great if someone could figure something out to make scamming and impersonating a bit less easy. Any ideas?
Thanks for doing something to strengthen the security of the site.

As others have already said, the way Two Step Login is being implemented, it will remain unused by me. I clear my browser(s) of everything at the end of each session, and I don't see me changing this routine.
I also use unique email addresses and passwords for each and every site I've got an account with, so if my GOG account ever gets hacked, there will be no doubt that it was a breach of GOG's own security.

The HTTPS everywhere is very welcome, even if this late. I couldn't wait for you to finally implement it, so I've been using the HTTPS Everywhere add-on for ages now, forcing all your pages to open over a secure connection. Will see how well it works without the add-on.
GOG.com: [...]

HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, [...]
Nice to see, for one more time, where your priorities lie, cheers.



timppu: [...]

At the same time, I have a suggestion: give also an option for that two-step verification code if anyone tries to:

1. change my account's password

2. change my account's email address

THOSE are where I personally want this two-step verification, ok? Not every time I log in with a clean (no cookies) browser, ok ok?


Same here. I've set Firefox to always clear everything (offline data, history, any saved passwords (=none), cookies etc.) when I close the browser. [...]
So much this!



timppu: [...]

Also, I wouldn't mind if GOG informs me to the email if someone accesses, or tries to access, the account from e.g. a new IP address, [...]
While I agree with your points, and second them, I disagree with this one. Imagine how that will work for those on dynamic IPs, like myself. If you were talking about attempted access from an IP that's not within the range of one's ISP provider, then I'd agree.



[emphasis added]

songoqu: We think that covering all cases is much safer than only chosen ones, and don't forget that to do those actions you need to re-enter your password [...]
I think you're missing the point - if the account has been compromised, then my own (real) password is already in the hands of someone else. They can re-enter it as many times needed before changing it to something unknown to me, locking me completely out of my account. Asking for verification via email before the action is completed, allows one to act and prevent it in the case of a compromise.
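Both the announcement (a 4-character code by email when a login looks unusual, plus one-click "end all sessions") and the exchange just above (an emailed code before a password or email change, because a re-entered password proves nothing once it is stolen) describe one step-up mechanism. The following is an added example of that mechanism, not GOG's code: the code length and email delivery come from the announcement, while the ten-minute validity, the three-attempt cap, the device identifier and the server-side list of known devices are assumptions made for the example. Password checking is assumed to have happened already and is not shown.

```python
# Added example (not GOG's code): risk-based two-step login with an emailed
# 4-character code, step-up for sensitive account changes, and "end all sessions".
# TTL, attempt cap, device ids and the server-side device list are assumptions.
import hmac
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 4            # the 4-character code the announcement describes
CODE_TTL = 600             # assumed: a code is valid for 10 minutes
MAX_ATTEMPTS = 3           # assumed: 36**4 is only ~1.7M codes, so guessing must be capped
SENSITIVE_ACTIONS = {"change_password", "change_email"}


@dataclass
class Challenge:
    code: str
    purpose: str            # "login" or one of SENSITIVE_ACTIONS
    expires_at: float
    attempts: int = 0


@dataclass
class Account:
    email: str
    known_devices: Set[str] = field(default_factory=set)   # kept server-side, per account
    sessions: Dict[str, dict] = field(default_factory=dict)
    challenge: Optional[Challenge] = None


class AuthService:
    """Runs after the password has already been verified (hashing is out of scope here)."""

    def __init__(self, send_email: Optional[Callable[[str, str], None]] = None):
        self.outbox = []    # stand-in for real mail delivery
        self.send_email = send_email or (lambda to, code: self.outbox.append((to, code)))

    @staticmethod
    def _now(now):
        return time.time() if now is None else now

    def issue_challenge(self, account, purpose, now):
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        account.challenge = Challenge(code=code, purpose=purpose, expires_at=now + CODE_TTL)
        self.send_email(account.email, code)   # always to the address currently on file

    def _open_session(self, account, device_id, now):
        session_id = secrets.token_urlsafe(32)
        account.sessions[session_id] = {"device": device_id, "created": now}
        return session_id

    def login(self, account, device_id, now=None):
        """Known device: straight in. Unknown device: emailed challenge first."""
        now = self._now(now)
        if device_id in account.known_devices:
            return "ok", self._open_session(account, device_id, now)
        self.issue_challenge(account, "login", now)
        return "verify", None

    def request_sensitive_action(self, account, action, now=None):
        """Password/email changes always need a fresh emailed code, even from a known device."""
        if action not in SENSITIVE_ACTIONS:
            raise ValueError(f"not a step-up action: {action}")
        self.issue_challenge(account, action, self._now(now))
        return "verify"

    def verify(self, account, submitted, purpose="login", device_id=None, now=None):
        """Returns 'ok', 'wrong', 'locked', 'expired' or 'no_challenge'."""
        now = self._now(now)
        ch = account.challenge
        if ch is None or ch.purpose != purpose:
            return "no_challenge"
        if now > ch.expires_at:
            account.challenge = None
            return "expired"
        ch.attempts += 1
        candidate = submitted.strip().upper().encode()
        if not hmac.compare_digest(ch.code.encode(), candidate):   # constant-time compare
            if ch.attempts >= MAX_ATTEMPTS:
                account.challenge = None      # burn the code; a new one must be requested
                return "locked"
            return "wrong"
        account.challenge = None              # single use
        if purpose == "login":
            account.known_devices.add(device_id)
            self._open_session(account, device_id, now)
        return "ok"

    @staticmethod
    def revoke_all_sessions(account):
        """The one-click 'end all sessions' control: drop every session and forget every device."""
        account.sessions.clear()
        account.known_devices.clear()
        account.challenge = None
```

Two design points carry the thread's argument: the code for an email change goes to the address already on file, so whoever holds only the password cannot redirect it, and a burned or expired code is discarded rather than retried, so a four-character keyspace is never exposed to a guessing loop.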
Thanks for not requiring 3rd party applications or a mobile phone for the two-step login. And thanks for making it optional.

To trigger the verification for a new location or a different browser is a good idea. But storing the data in a cookie is a very bad idea.

I clear all my browser data on exit and it's already bad enough that you store settings for my game library in a cookie and not in my user account. But storing the data for the two-step login in a cookie will trigger it every time I log in and makes it unusable for me.
skeletonbow:
I still say the perfect solution is to paygate the forum. No posting in the general forum until you've purchased a full priced game on GoG.

Give an account access to any subforum for which they have a game in their account (for support purposes) and hell maybe even create a "New User" general forum in which any member can participate.

But bar access to the general forum until an account has purchased a game valued at $5.99 (or whatever your regional equivalent is) or above. Hugely reduces the number of alts right there. Sure, someone might still create a few alt accounts but they're not making 47 just to scam $10 worth of games anymore.