An extra layer of protection for you and your account.

Today, we bring you two-step login: an optional extra layer of protection for your GOG.com account. In the coming weeks, we'll also be making all communication between you and GOG encrypted by default with HTTPS everywhere — both methods often requested on our wishlist, but also simply pretty smart to offer.
Two-Step Login
Two-step login is an extra layer of protection for your GOG.com account. Every once in a while, we'll ask you to verify your identity with a 4-character security code sent to your email. Simple stuff.

Two-step login is optional, but we really recommend it. It's designed to bug you only when we notice something unusual — like logging in from a new browser or location. By doing this, we make sure that there's no way to gain unauthorized access to your GOG.com account without both your GOG password and your email account. When used to its full potential with unique passwords for every account, two-step login can be virtually impenetrable.

To enable two-step login, simply head to your Login & Security settings, verify your email address, and enjoy the extra peace of mind. For more information, check out the FAQ.

Additionally, you can now end all of your active GOG.com sessions in one click — this includes every device or browser you ever logged in through. It's a handy feature if you've recently used a public computer, or if you simply want to be sure no device is still logged in to your account.
HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, and now we're beginning to roll it out globally. That means HTTPS support for every connection between you and GOG.com — all secured with industry-standard encryption. Every bit (and byte) of data that travels between you, us, and everyone on GOG.com will be encrypted, including the store, forum, chat, downloads and even all of GOG Galaxy. It truly is HTTPS everywhere.
Well, I activated it; a bit of extra security wouldn't hurt, and it's not that bothersome for me.

Thank you, GOG, for making this optional, however; I know many users don't like this sort of thing.
I reported the FAQ URL as being broken earlier, here is the exact problem, the cause, and the solution:
https://www.gog.com/forum/general/the_what_did_just_break_thread/post1407
timppu: Would it be possible to get an option for similar two-step verification, but only if anyone (me or an evil hacker) tries to change the email address or the password of the account?
songoqu: We think that covering all cases is much safer than only chosen ones, and don't forget that to do those actions you need to re-enter your password.
Re-entering the password is no protection against someone who already got your password.

I had rather hoped to read from a Blue here that it has already not been possible in the past to change the account password without an email confirmation. Not that I now have the choice between waiting for an email and entering a second code on every login, or abstaining from better protection of my password against unauthorized changes. That's disappointing.
Nicely done.

skeletonbow: I reported the FAQ URL as being broken earlier, here is the exact problem, the cause, and the solution:
https://www.gog.com/forum/general/the_what_did_just_break_thread/post1407
mrkgnao: Like timppu, I would have preferred:
- TFA for changing email or password
- just notification about access from unrecognised device or country
Both separately optional.
Yes, this would have been the better implementation (as the protection against unauthorized password changes apparently hasn't been implemented so far).
Post edited March 07, 2016 by eiii
JPaterson84: Why is the two-step system based on something that can still be broken into (email), and not more robust like using a cell phone to send a text to? Or both, even.
Having a mobile authenticator isn't a bad idea and I wouldn't be surprised if they do that at some point in the future, but considering all the things that are on the radar that they need to do, I'd say that isn't the absolute highest priority per se.

While mobile phones are incredibly popular and it seems like the majority of people do own them, not everyone does. In certain parts of the world mobile phones are extremely popular and people can't live without them; hell, they can't take their eyes off them for 10 seconds. Other parts of the world do have gamers but may not have the same level of penetration of mobile access, for example. Then there are people like me who would rather jump into a swimming pool filled with hydrochloric acid than ever own a mobile phone.

Requiring a user to own a $900 telephone that they may not own and may not need now or ever just to log into a video game website, while their bank uses 6-digit all-numeric passwords, seems like extreme overkill to me. (Note: I'm not defending banks' shitty passwords, they suck, but they're protecting millions of dollars of people's money with their lame password systems and GOG is protecting video games.)

Steam did this and it pisses me off so much. They now force you to use a mobile authenticator for various Steam operations regarding trading and whatnot. No mobile device? No service. Well I'm not going and buying a mobile phone or tablet just to log into a damn website that's for sure. The day some site forces me with no other options at all to log in with a mobile device is the day I am no longer their customer. :)

So I think it is fine to provide such a thing as an OPTION, so long as it is not the ONLY option, and that other users have a viable option to use too that does not require spending $900 on crap hardware they'd rather throw at cars off an overpass. Just sayin... :)
Thanks for implementing a form of two-factor authentication, this was long coming!

However, I would have personally preferred other mechanisms (they could also be added):

1. support OAuth2 with Google Accounts (obviously feel free to support OAuth with other providers too if adding it); that way I can use my existing, secure, Google Account two-factor authentication system to log in on GOG without having to read my email every time I log in on GOG from a browser (which, with always starting my browsers in incognito mode, means every time I log in to GOG)

2. Alternatively you could simply support the same OTP standard that the Google Account system does; it's an open standard: https://tools.ietf.org/html/rfc6238 . Because it's an open standard, there are pre-existing (mobile, etc.) applications to generate these codes and server-side code for authenticating them.
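For readers who have not seen what the RFC 6238 mechanism mentioned above actually involves, here is an added, self-contained Python implementation (not code from GOG or from the poster): RFC 4226 HOTP, RFC 6238 TOTP on top of it, a server-side verifier that tolerates one 30-second step of clock skew and refuses replayed counters, and the otpauth:// URI an enrolment QR code would carry. The shared secret below is the RFC 6238 test seed, used so the output can be checked against the RFC's published vectors; `verify_totp`, `provisioning_uri` and `new_secret` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 6238 test seed (ASCII "12345678901234567890"); a real deployment generates
# a fresh random secret per user with new_secret() below.
SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, digestmod)


def verify_totp(secret, submitted, at, step=30, window=1, digits=6, last_used_counter=-1):
    """Server-side check (example design, not GOG's).

    Accepts the code for the current step and `window` steps either side to absorb
    clock skew, compares in constant time, and never accepts a counter at or below
    the last one already accepted, so a captured code cannot be replayed within
    the window. Returns (ok, counter_to_store_as_last_used).
    """
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return True, candidate
    return False, last_used_counter


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI that an enrolment QR code encodes; secret is unpadded base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period=30")


def new_secret():
    """160-bit random secret, the size RFC 4226 recommends for HMAC-SHA1."""
    return secrets.token_bytes(20)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    print("current code:", code)
    print("verify:", verify_totp(SECRET, code, now))
    print(provisioning_uri(SECRET, "alice@example.invalid", "ExampleShop"))
```

The `last_used_counter` parameter is the part most toy implementations omit: without it, a code observed over the shoulder remains valid for up to 90 seconds with a one-step window, which is exactly the replay an authenticator is supposed to prevent.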
HypersomniacLive: I also use unique email addresses and passwords for each and every site I've got an account with, so if my GOG account ever gets hacked, there will be no doubt that it was a breach of GOG's own security.
I'm aware of Yahoo's disposable email address system which is OK for unique email addresses. I'd like to ask you, is there another solution which you'd recommend? I'm pretty curious on this one...
Can we use http version of GOG.com after this update?
If we enable this, how does it affect the GOG Downloader?

I know the GoG Downloader is not updated anymore and one day will stop working but until it does, I'll keep using it as it is extremely useful. Just worried how that works with this new login method.

Will it still work with the GOG Downloader?
Johny.: We won't bug you to enter a code when switching browsers; we will when you access from a new browser for the first time, or when the cookies were cleared (unfortunately; you could trust our cookies, though), or when the session expires.

Try it. :)
After more thorough tests, I wonder how that works:
- new private window in FF (equivalent to clearing cookies) - 2FA is required, as expected
- opening Galaxy on another computer for the first time after activating - 2FA is again required
- opening FF with remembered pre-2FA session on the same computer as Galaxy - neither pin nor password is required
- opening Chrome without remembered session (again on computer with Galaxy) - pin is required

The only thing that could explain (3) that comes to mind is that Galaxy injects the cookie into other browsers it finds installed, and maybe steals their cookie if it is already there. But that doesn't explain why in (4) standalone Chrome wants a pin, along with the password.

Not complaining, just curious. I have no problem with giving cookie exception to *.gog.com.
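The behaviour Johny. describes (no code on a browser that has already passed the check, a code again once cookies are cleared or a new browser is used) is the usual "remembered device" pattern. As an added illustration, not GOG's implementation, whose details are not known, here is one common way to build it in Python: after a successful second step the server hands the browser an HMAC-signed cookie binding the user id, a random device id and an expiry; on later logins the server checks the signature, the user and the expiry before deciding whether to skip the email code. `SERVER_KEY`, `TRUST_TTL`, `issue_trusted_device_cookie`, `device_is_trusted` and `needs_second_step` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Example server-side key and trust lifetime (hypothetical values). The key never
# leaves the server, so the cookie can be verified but not forged by the client.
SERVER_KEY = secrets.token_bytes(32)
TRUST_TTL = 30 * 24 * 3600  # trust a device for 30 days


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_trusted_device_cookie(user_id, key=SERVER_KEY, now=None):
    """Called only after the user has just passed the second step.

    The cookie is <base64(payload)>.<base64(HMAC-SHA256(payload))>; the payload
    carries who it is for, a random per-device id (useful for listing and
    revoking remembered devices) and an absolute expiry.
    """
    now = int(time.time()) if now is None else now
    claims = {"uid": user_id, "dev": secrets.token_hex(8), "exp": now + TRUST_TTL}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def device_is_trusted(cookie, user_id, key=SERVER_KEY, now=None):
    """True only if the cookie is well-formed, correctly signed by us,
    issued for this very user, and not expired. Any failure means 'not trusted'."""
    now = int(time.time()) if now is None else now
    if not cookie or "." not in cookie:
        return False
    payload_b64, tag_b64 = cookie.split(".", 1)
    try:
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:
        return False
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time; check before parsing
        return False
    try:
        claims = json.loads(payload)
    except ValueError:
        return False
    if not isinstance(claims, dict):
        return False
    return claims.get("uid") == user_id and isinstance(claims.get("exp"), int) and claims["exp"] > now


def needs_second_step(cookie, user_id, now=None):
    """Decision the login handler makes after the password has been verified:
    a fresh browser, cleared cookies, a tampered cookie or an expired one all
    lead back to the emailed code."""
    return not device_is_trusted(cookie, user_id, now=now)


if __name__ == "__main__":
    cookie = issue_trusted_device_cookie(42)
    print("same browser later:", needs_second_step(cookie, 42))   # False
    print("cookies cleared:   ", needs_second_step(None, 42))     # True
    print("other user's cookie:", needs_second_step(cookie, 43))  # True
```

Because the payload is signed rather than encrypted, nothing secret may go in it; and because the client merely stores the cookie, clearing it (or a private window, as in test 1 above) drops the device back to "unknown", which matches what the poster observed.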
catpower1980: Well, everywhere but not here for sure ^o^

Screenshot attached
JudasIscariot: I believe that's been fixed :) Note I don't use any HTTPS plugins in Chrome :)
Nope. Not been fixed here. It still just reads "www.gog etc etc" with http not https

(yes I have the latest browser updates / firefox)

EDIT:
Odd. When I left this forum, went to the main page, had a look around and came back to the forum, it works. Now HTTPS is here too, YAY :)
Post edited March 07, 2016 by styggron
mrkgnao: Like timppu, I would have preferred:
- TFA for changing email or password
- just notification about access from unrecognised device or country
Both separately optional.
eiii: Yes, this would have been the better implementation (as the protection against unauthorized password changes apparently hasn't been implemented so far).
The problem is that I believe that by the current solution GOG believes it does not need to do anything more for email/password changing, so I don't think they are planning to add another level of protection.
That brings a lot of fun for me... PPPoE with dynamic IP... Will enjoy the spam of my email at least twice a day... I bet you never thought of those types of accounts...
wolfsrain: That brings a lot of fun for me... PPPoE with dynamic IP... Will enjoy the spam of my email at least twice a day... I bet you never thought of those types of accounts...
It's optional, though.


PS: Will you consider adding support for Authenticator apps?

If you do, please don't do it like Blizzard or Steam, who require their own ego-app to work. Instead, make use of the already existing authenticator apps for iOS, Android, and Windows Phone/Mobile. That way you don't waste time and resources developing an authenticator app, and us Windows Phone folks don't get left behind in the dust, as is usually the case.