An extra layer of protection for you and your account.

Today, we bring you two-step login: an optional extra layer of protection for your GOG.com account. In the coming weeks, we'll also be making all communication between you and GOG encrypted by default with HTTPS everywhere — both methods often requested on our wishlist, but also simply pretty smart to offer.

Two-Step Login
Two-step login is an extra layer of protection for your GOG.com account. Every once in a while, we'll ask you to verify your identity with a 4-character security code sent to your email. Simple stuff.

Two-step login is optional, but we really recommend it. It's designed to bug you only when we notice something unusual — like logging in from a new browser or location. By doing this, we make sure that there's no way to gain unauthorized access to your GOG.com account without both your GOG password and your email account. When used to its full potential with unique passwords for every account, two-step login can be virtually impenetrable.

To enable two-step login, simply head to your Login & Security settings, verify your email address, and enjoy the extra peace of mind. For more information, check out the FAQ.
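The announcement describes a step-up check: a short code is emailed when a login looks unfamiliar, and a browser that has completed the check is not asked again. As an added illustration (not GOG's code; nothing about their implementation is known from the page), the sketch below shows one defensible way to build such a check. The 36-symbol alphabet, ten-minute lifetime, five-attempt limit and the HMAC-based "trusted device" token are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Assumptions for this example: a 4-symbol code over A-Z0-9 (36^4 = 1,679,616
# possibilities), a 10-minute lifetime and at most 5 guesses per issued code.
CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 4
CODE_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5


@dataclass
class PendingCode:
    digest: bytes        # HMAC of the code; the plaintext is never stored
    expires_at: float
    attempts: int = 0


class StepUpVerifier:
    """Issues emailed verification codes and remembers devices that passed."""

    def __init__(self, server_secret: bytes, now: Callable[[], float] = time.time):
        self._secret = server_secret
        self._now = now
        self._pending: Dict[str, PendingCode] = {}   # login session id -> code
        self._trusted: Dict[str, Set[bytes]] = {}    # user id -> device-token digests

    def _digest(self, value: str) -> bytes:
        # Keyed hash so a leaked table of digests cannot be brute-forced offline
        # without the server secret.
        return hmac.new(self._secret, value.encode("utf-8"), hashlib.sha256).digest()

    def needs_verification(self, user_id: str, device_token: Optional[str]) -> bool:
        """True when the presenting device has not completed a code check before."""
        if device_token is None:
            return True
        return self._digest(device_token) not in self._trusted.get(user_id, set())

    def issue_code(self, login_session_id: str) -> str:
        """Create a fresh code for this login attempt; the caller emails it."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[login_session_id] = PendingCode(
            digest=self._digest(code), expires_at=self._now() + CODE_TTL_SECONDS
        )
        return code

    def verify_code(self, login_session_id: str, user_id: str, submitted: str) -> Optional[str]:
        """Check a submitted code. On success returns a new device token to set
        as a long-lived cookie so this browser is not challenged again."""
        pending = self._pending.get(login_session_id)
        if pending is None:
            return None
        # Expired or exhausted codes are discarded; a short code is only safe
        # because the number of guesses against it is bounded.
        if self._now() > pending.expires_at or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[login_session_id]
            return None
        pending.attempts += 1
        candidate = self._digest(submitted.strip().upper())
        if not hmac.compare_digest(pending.digest, candidate):
            return None
        del self._pending[login_session_id]            # single use
        device_token = secrets.token_urlsafe(32)
        self._trusted.setdefault(user_id, set()).add(self._digest(device_token))
        return device_token


if __name__ == "__main__":
    verifier = StepUpVerifier(b"constructed-demo-secret")
    code = verifier.issue_code("login-1")               # would be emailed
    token = verifier.verify_code("login-1", "alice", code)
    print("trusted afterwards:", not verifier.needs_verification("alice", token))
```

The design choice worth noticing is that the code itself is the weak element (a 4-symbol code has under two million values), so the protection comes from the surrounding controls: the code expires, is single use, and is abandoned after a handful of wrong guesses. The trusted-device token is what lets a remembered browser skip the prompt while a new browser or a cleared cookie jar is challenged, which matches the behaviour the post describes.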

Additionally, you can now end all of your active GOG.com sessions in one click — this includes every device or browser you ever logged in through. It's a handy feature if you've recently used a public computer, or if you simply want to be sure no device is still logged in to your account.
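A "sign out everywhere" control needs the server to be able to invalidate every session a user holds, not just the one making the request. One common way to do that, shown here as an added example rather than anything GOG has published, is a per-user generation counter: each session records the generation it was created under, and ending all sessions simply bumps the counter so older sessions stop resolving. The client labels ("firefox-laptop", "galaxy-laptop") are constructed for the demo.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    user_id: str
    generation: int     # value of the user's counter when this session was created
    client: str         # constructed label, e.g. a browser or a desktop client
    created_at: float


class SessionStore:
    """In-memory session store with a one-shot 'end all sessions' operation."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        self._generation: Dict[str, int] = {}   # user id -> current generation

    def create(self, user_id: str, client: str) -> str:
        session_id = secrets.token_urlsafe(32)     # unguessable identifier
        self._sessions[session_id] = Session(
            user_id=user_id,
            generation=self._generation.get(user_id, 0),
            client=client,
            created_at=time.time(),
        )
        return session_id

    def resolve(self, session_id: str) -> Optional[Session]:
        """Return the live session for an id, or None if unknown or revoked."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if session.generation != self._generation.get(session.user_id, 0):
            del self._sessions[session_id]          # lazily purge revoked sessions
            return None
        return session

    def end_all_sessions(self, user_id: str) -> int:
        """Invalidate every session of the user, from every device and client.
        Returns how many sessions were revoked."""
        new_generation = self._generation.get(user_id, 0) + 1
        self._generation[user_id] = new_generation
        return sum(
            1 for s in self._sessions.values()
            if s.user_id == user_id and s.generation < new_generation
        )

    def active_sessions(self, user_id: str) -> List[Session]:
        live = []
        for session_id in list(self._sessions):
            session = self.resolve(session_id)
            if session is not None and session.user_id == user_id:
                live.append(session)
        return live


if __name__ == "__main__":
    store = SessionStore()
    store.create("alice", "firefox-laptop")
    store.create("alice", "galaxy-laptop")
    print("revoked:", store.end_all_sessions("alice"))   # both sessions go at once
```

Because revocation is a single counter increment, it is cheap regardless of how many devices the user has signed in from, and a desktop client's session is treated no differently from a browser's: both belong to the same user and both stop resolving on the next request.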

HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, and now we're beginning to roll it out globally. That means HTTPS support for every connection between you and GOG.com — all secured with industry-standard encryption. Every bit (and byte) of data that travels between you, us, and everyone on GOG.com will be encrypted, including the store, forum, chat, downloads and even all of GOG Galaxy. It truly is HTTPS everywhere.
JudasIscariot: I believe that's been fixed :) Note I don't use any HTTPS plugins in Chrome :)
styggron: Nope. Not been fixed here. It still just reads "www.gog etc etc" with http not https

(yes I have the latest browser updates / firefox)

EDIT:
Odd. When I left this forum, went to the main page, had a look around and came back to the forum, it works. Now HTTPS is here too, YAY :)
tp
I can confirm this GOG's behavior.
But I haven't logged out from GOG forums. I just went to the main page (being logged in), and it went full HTTPS.

I'm using Linux and stable version of Firefox (v44.0.2).
senbon: This is excellent news. Cheers!

EDIT.
It might also be a good idea to add an optional number pad so the user can use mouse clicks to enter the security code. Could help reduce the effect of keyloggers.
amnesia: ctrl + c > ctrl + v
You do realize that any and all apps may access the clipboard (which is why you can ctrl+c somewhere and ctrl+v elsewhere), so if a keylogger is present, copy-pasting any sensitive info would be the last thing you'd want to do?

Then again, if a keylogger was running on your PC, you'd like to get rid of it instead of logging into GoG...
Ixamyakxim: I still say the perfect solution is to paygate the forum. No posting in the general forum until you've purchased a full priced game on GoG.
Perfect solution for what problem? People are hacking into, stealing and reselling accounts with paid games. Buying games off promo doesn't magically make the account harder to hack. If you have an irrational hatred of people who wait for discounts to the point you want them banned from the forums, go see a shrink.
How does the clear all logins feature work? As far as I'm concerned, it logged me out of my current browser, but not from GOG Galaxy. However, Galaxy is also installed on the same laptop as my current browser.

So, what gives?
Finally! I recall that these features were really demanded here.

Good work!
DreamedArtist: This is not a phone two-step? Why did you choose email instead of texting the code to a phone? It is a lot more secure and harder to break into.
Probably because it's basically free to email a code, but you have to pay to send texts.

Personally, I wonder what happens if somebody changes their email address, but forgets to change where the emails are being sent.

I'd also like to see them allow us to print a page or one time passwords in case we need them for some reason.
wolfsrain: That brings a lot of fun for me... PPPoE with dynamic IP... I will enjoy the spam of my email at least twice a day... I bet you never thought about those types of accounts...
Dynamic IP shouldn't be a reason for a constant two-step code requirement. Did you try it?
Azhdar: Is "HTTPS everywhere" optional too?
I would think it's optional when not logged in... maybe.

But with PRISM and so many sources trying to steal any and all non-encrypted communication...

Suddenly I'm reminded of that one Episode on The Next Generation, where the crew are visiting a race far more advanced than them (to fix their hyper drive?) and they commented how all communication was heavily encrypted.

TNG, predicting the need for encryption before the internet was popular!
Johny.: We won't bug you to enter a code when switching browsers; we will when you access from a new browser for the first time, when the cookies were cleared (unfortunately, you could trust our cookies though), or when the session expires.

Try it. :)
huan: After more thorough tests, I wonder how that works:
- new private window in FF (equivalent to clearing cookies) - 2FA is required, as expected
- opening Galaxy on another computer for the first time after activating - 2FA is again required
- opening FF with remembered pre-2FA session on the same computer as Galaxy - neither pin nor password is required
- opening Chrome without remembered session (again on computer with Galaxy) - pin is required

Only thing that could explain (3) that comes to mind is that Galaxy injects the cookie into other browsers it finds installed, and maybe steals their cookie if it is already there. But that doesn't explain why in (4) standalone chrome wants a pin, along with password.

Not complaining, just curious. I have no problem with giving cookie exception to *.gog.com.
Nope, Galaxy does not inject any cookies or other things into anyone's browsers AFAIK.
See, if your session is intact (not expired, not cleared, no private window) you're not required to input the code from email. For me your examples make sense without any injection. :)
Good thing! Gonna activate that and change my password too. "ABCD" is safe enough right? ^^
Good news and great job GOG.

I've already activated the 2 step login and I'll gladly wait for the "https everywhere" for a few more days.

2 layer security is always better than one. If a login system is bugging you to make sure you are who you say you are, then it's a far better system than we had until now. One can never be safe enough. I personally don't mind the extra step. It gives me some extra peace of mind, knowing that my goodies are safe :)
tinyE: All I know is that I feel a lot safer knowing that I no longer have to worry about someone breaking into my account and getting pimpmonkey's credit card number.
Why (and how) do you have pimpmonkey's credit card number in your account? o_O
Nice step, but it'd be nicer if there were support for an authentication app rather than emailed codes.

Several of the 2FA apps have an API that can be used, and most people already have at least the Google app installed.
Always happy to see GOG.com improve and give us a choice! :)
Thank you GOG, and I for one am really glad it's not some app or message to a phone that's needed but a simple email. Two factor auth is perfectly safe and sound via email and has far fewer privacy implications this way than forcing people to give out their phone numbers to you.
Kudos and very well done gog! :D