
An extra layer of protection for you and your account.

Today, we bring you two-step login: an optional extra layer of protection for your GOG.com account. In the coming weeks, we'll also be making all communication between you and GOG encrypted by default with HTTPS everywhere — both methods often requested on our wishlist, but also simply pretty smart to offer.

Two-Step Login
Two-step login is an extra layer of protection for your GOG.com account. Every once in a while, we'll ask you to verify your identity with a 4-character security code sent to your email. Simple stuff.

Two-step login is optional, but we really recommend it. It's designed to bug you only when we notice something unusual — like logging in from a new browser or location. By doing this, we make sure that there's no way to gain unauthorized access to your GOG.com account without both your GOG password and your email account. When used to its full potential with unique passwords for every account, two-step login can be virtually impenetrable.

To enable two-step login, simply head to your Login & Security settings, verify your email address, and enjoy the extra peace of mind. For more information, check out the FAQ.
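The announcement does not describe how GOG issues or checks the emailed code, so the following is an added example of how such a short email code can be handled safely, not GOG's code: the alphabet, lifetime, attempt cap, and the `needs_second_step` signals are all assumptions. The key caveat is that a 4-character code is a small space, so it must expire quickly, be single-use, and cap guesses.

```python
import hashlib
import hmac
import secrets
import string

# Assumptions, not GOG's implementation: the page only says "4-character code sent to your email".
CODE_ALPHABET = string.ascii_uppercase + string.digits
CODE_LEN = 4
CODE_TTL_SECONDS = 600   # short lifetime, since 36**4 (about 1.7 million) codes is a small space
MAX_ATTEMPTS = 5         # ...so the number of guesses must be capped as well


class EmailCodeChallenge:
    """A pending second-step challenge; stores a salted hash of the code, never the code."""

    def __init__(self, code: str, now: int):
        self.salt = secrets.token_bytes(16)
        self.digest = self._hash(code)
        self.expires_at = now + CODE_TTL_SECONDS
        self.attempts = 0
        self.used = False

    def _hash(self, code: str) -> bytes:
        # Case-insensitive: users retype codes from email in either case.
        return hashlib.sha256(self.salt + code.strip().upper().encode()).digest()

    def verify(self, submitted: str, now: int) -> bool:
        """Single-use check; expired, exhausted or already-used challenges always fail."""
        if self.used or now > self.expires_at or self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        if hmac.compare_digest(self._hash(submitted), self.digest):
            self.used = True
            return True
        return False


def issue_challenge(now: int) -> tuple:
    """Create a challenge; the returned plaintext code goes into the email only."""
    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LEN))
    return EmailCodeChallenge(code, now), code


def needs_second_step(known_devices: set, device_id: str, usual_country: str, country: str) -> bool:
    """The trigger the announcement describes: a new browser/device or a new location."""
    return device_id not in known_devices or country != usual_country
```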

Additionally, you can now end all of your active GOG.com sessions in one click — this includes every device or browser you ever logged in through. It's a handy feature if you've recently used a public computer, or if you simply want to be sure no device is still logged in to your account.

HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, and now we're beginning to roll it out globally. That means HTTPS support for every connection between you and GOG.com — all secured with industry-standard encryption. Every bit (and byte) of data that travels between you, us, and everyone on GOG.com will be encrypted, including the store, forum, chat, downloads and even all of GOG Galaxy. It truly is HTTPS everywhere.
HypersomniacLive: Really curious, why do you want to stay on http?
I prefer https, but sometimes I use limited internet connections. So I use a proxy to access some websites. Some proxy tools (or other anonymizers) don't load https websites smoothly.
timppu: Covering all cases adds even more security, true, but for many of us it also causes so much extra inconvenience that we are forced to keep the whole new feature disabled, which is a shame in itself as we want to feel secure too. :)

My meaning was not to suggest to remove this current option. I'd hope that at some point you could add more options to that, so that people can tailor it more to their needs. Like three (or more) different levels for the security setting:

1. The current, most secure, implementation, i.e. two-step login is triggered in many cases, even if trying to log in from a new browser (or having deleted cookies from your current browser).

2. My suggestion, i.e. two-step verification is triggered only if you try to change account options (most important ones being the email address and password), and on top of that sending an information email to the user for possibly unauthorized connections (attempts) from elsewhere (e.g. from a new IP address or country), so that the user can react accordingly if needed, like changing the password. This is what I'd personally like to use.

3. Disabled, i.e. what it is now by default.
Exactly this. Seconded.
timppu: Sorry I missed this reply earlier (no reply flag?):

songoqu: We think that covering all cases is much safer than only chosen ones, and don't forget that to do those actions you need to re-enter your password.
timppu: Covering all cases adds even more security, true, but for many of us it also causes so much extra inconvenience that we are forced to keep the whole new feature disabled, which is a shame in itself as we want to feel secure too. :)

My meaning was not to suggest to remove this current option. I'd hope that at some point you could add more options to that, so that people can tailor it more to their needs. Like three (or more) different levels for the security setting:

1. The current, most secure, implementation, i.e. two-step login is triggered in many cases, even if trying to log in from a new browser (or having deleted cookies from your current browser).

2. My suggestion, i.e. two-step verification is triggered only if you try to change account options (most important ones being the email address and password), and on top of that sending an information email to the user for possibly unauthorized connections (attempts) from elsewhere (e.g. from a new IP address or country), so that the user can react accordingly if needed, like changing the password. This is what I'd personally like to use.

3. Disabled, i.e. what it is now by default.
Already expressed my full support for your plan, but doesn't hurt to do so again.
+ for timppu's post. Hear, hear!
Yes! It's about time to see GOG finally starting to implement some decent security. There's still some obvious work to do though: https://www.ssllabs.com/ssltest/analyze.html?viaform=on&d=www.gog.com

Also, please tell me you're storing passwords securely, and not just as an unsalted SHA-1 hash...
Glad to see 2FA is here now, can we please have an option for mobile apps like Authy and Google Authenticator?
timppu: Sorry I missed this reply earlier (no reply flag?):

songoqu: We think that covering all cases is much safer than only chosen ones, and don't forget that to do those actions you need to re-enter your password.
timppu: Covering all cases adds even more security, true, but for many of us it also causes so much extra inconvenience that we are forced to keep the whole new feature disabled, which is a shame in itself as we want to feel secure too. :)

My meaning was not to suggest to remove this current option. I'd hope that at some point you could add more options to that, so that people can tailor it more to their needs. Like three (or more) different levels for the security setting:

1. The current, most secure, implementation, i.e. two-step login is triggered in many cases, even if trying to log in from a new browser (or having deleted cookies from your current browser).

2. My suggestion, i.e. two-step verification is triggered only if you try to change account options (most important ones being the email address and password), and on top of that sending an information email to the user for possibly unauthorized connections (attempts) from elsewhere (e.g. from a new IP address or country), so that the user can react accordingly if needed, like changing the password. This is what I'd personally like to use.

3. Disabled, i.e. what it is now by default.
Thanks for writing this.
Leroux: The problem is that this "unusual" behavior seems to be the default for me. It's like that on Humble, I need to enter a code EVERY time I log in because apparently I'm always using a "new" browser when I start a new browser session. Not sure if this is to do with me regularly cleaning out cache and cookies, or dynamic IP or whatever ... :/
skeletonbow: Yes it is. (...)
Thanks for the detailed reply! :)
skeletonbow: But the functionality cookies provide is absolutely necessary for certain features to work at all, or for them to work across browser sessions etc. If we disallow cookies then we disallow these features, and some of them are mandatory for the web to work properly such as for logins. If we delete cookies always or when we exit the browser, or with private browsing etc. then it works fine for the session but all of those features are lost for the next session and one has to relogin, reconfigure their favourite Youtube video resolution, reconfigure other random settings on every other website and do it every time.
Yep yep. I gladly take all those downsides, for the benefits I get by flushing the cookies (and other data the browser might save locally for sites, like passwords, history etc.).

My main reasons to flush cookies (and other offline data) after a browsing session automatically:

- The aforementioned case where I could see another person's email because he had forgotten to log out of his email account on my browser, before closing the browser. Maybe he thought closing the browser is enough to clear the session, I don't know. This wouldn't have happened if the browser would have cleared cookies etc. at the end of the browsing session. This was the wake-up call to me.

- I actually prefer logging in to my services etc. every day, instead of the browser either memorizing my password(s) for me, or me continuing the same login session between browsing sessions with cookies. Earlier when I did that, I quite often ended up forgetting my passwords, and couldn't remember them when trying to log in from another device etc. Relogin is my way of memorizing my passwords to different sites.

This has happened to me a couple of times on Steam too, in fact I even forgot which email I used for Steam. Hence I always re-enter my password also to Steam client.

- A bit dubious reason: there is a news site I check occasionally that gives you like 5 news articles free per week, after which you are supposed to subscribe to their web news service (or wait another week). They use cookies to track this (and prevent you from seeing the sixth article), so merely exiting and restarting your browser allows you to view yet another 5 news articles. Or use another browser, or or or...

Yeah I know, I guess I should just subscribe if I want to read their news, or alternatively just not use their web site. This is news piracy, reading news for free!
Post edited March 09, 2016 by timppu
Good work setting this up. You've managed an A rank on here:
https://www.ssllabs.com/ssltest/analyze.html?d=gog.com


You still don't use HSTS (super important, since a connection to www.gog.com will be plaintext and can be intercepted for a MITM before the first redirect)
Also, you still allow TLS 1.0. That's been considered insecure for a while.


Still, a step in the right direction.
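To make the two findings in this post checkable against a response, here is an added example (not from this thread, and using constructed headers rather than a real capture of gog.com) that parses a Strict-Transport-Security header per RFC 6797 and reports when a plaintext request can still happen; the `preloaded` flag and the protocol names are assumptions.

```python
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}   # TLS 1.0 is the one the post calls out


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header value (RFC 6797) into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def assess_https(headers: dict, enabled_protocols: set, preloaded: bool = False) -> dict:
    """Evaluate the post's two points: is HSTS set, and is a legacy protocol still enabled."""
    lowered = {k.lower(): v for k, v in headers.items()}
    sts = lowered.get("strict-transport-security")
    policy = parse_hsts(sts) if sts else None
    # max-age=0 tells the browser to forget the policy, so it pins nothing.
    pinned = bool(policy and policy["max_age"])
    return {
        "hsts_present": policy is not None,
        "max_age": policy["max_age"] if policy else None,
        # Without HSTS every http:// request goes out in plaintext before the redirect.
        # With HSTS only the first visit does, unless the host is on the browser preload list.
        "first_visit_plaintext": not preloaded,
        "later_visits_plaintext": not pinned,
        "legacy_tls": sorted(p for p in enabled_protocols if p in LEGACY_PROTOCOLS),
    }


# Constructed sample responses, not real captures.
NO_HSTS = {"Content-Type": "text/html"}
WITH_HSTS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
```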
skeletonbow: But the functionality cookies provide is absolutely necessary for certain features to work at all, or for them to work across browser sessions etc. If we disallow cookies then we disallow these features, and some of them are mandatory for the web to work properly such as for logins. If we delete cookies always or when we exit the browser, or with private browsing etc. then it works fine for the session but all of those features are lost for the next session and one has to relogin, reconfigure their favourite Youtube video resolution, reconfigure other random settings on every other website and do it every time.
timppu: Yep yep. I gladly take all those downsides, for the benefits I get by flushing the cookies (and other data the browser might save locally for sites, like passwords, history etc.).

My main reasons to flush cookies (and other offline data) after a browsing session automatically:

- The aforementioned case where I could see another person's email because he had forgotten to log out of his email account on my browser, before closing the browser. Maybe he thought closing the browser is enough to clear the session, I don't know. This wouldn't have happened if the browser would have cleared cookies etc. at the end of the browsing session. This was the wake-up call to me.

- I actually prefer logging in to my services etc. every day, instead of the browser either memorizing my password(s) for me, or me continuing the same login session between browsing sessions with cookies. Earlier when I did that, I quite often ended up forgetting my passwords, and couldn't remember them when trying to log in from another device etc. Relogin is my way of memorizing my passwords to different sites.
...snip
I totally agree with timppu, and this was what I was expecting from 2 step authentication. Most other sites do this, i.e. if I try to change the email address, it will send an email to the current email address, and ask for confirmation before proceeding. This has nothing at all to do with cookies. It's a simple backend email confirmation.

As for cookies, they are one of the biggest security risks available, and they tend to clog up and even break web browsers, I mean just phone your helpdesk with a browser question, first response will be did you clear all browser cache. It's madness to use that.

As said before, I was one of those that voted for this feature and really want it, but the current implementation is broken, hence I can't use it.
Cheater87: Glad to see 2FA is here now, can we please have an option for mobile apps like Authy and Google Authenticator?
Never heard of these, but I am pretty sure I wouldn't want a third-party app by Google to do my security.
Post edited March 09, 2016 by nightcraw1er.488
I have to agree with timppu and everyone else saying that the current 2FA scheme is just not good. I get too much email as is, and for security reasons, I don't keep my phone or other devices connected to my email server. Which means frequent email verifications would become a major annoyance. And I definitely want to see better account security; password or email address changes would be infrequent enough, and important events to note, in case someone is trying to hijack my account.
Cheater87: Glad to see 2FA is here now, can we please have an option for mobile apps like Authy and Google Authenticator?
nightcraw1er.488: Never heard of these, but I am pretty sure I wouldn't want a third-party app by Google to do my security.
Google Authenticator is simply an implementation (a fairly basic one) of RFC 6238: Time-Based One-Time Password Algorithm, an Internet standard which, amusingly, does not require an Internet connection to function. Google services are not actually involved, and there are many other implementations. I use FreeOTP.
Post edited March 09, 2016 by JKing
nightcraw1er.488: Never heard of these, but I am pretty sure I wouldn't want a third-party app by Google to do my security.
JKing: Google Authenticator is simply an implementation (a fairly basic one) of RFC 6238: Time-Based One-Time Password Algorithm, an Internet standard which, amusingly, does not require an Internet connection to function. Google services are not actually involved, and there are many other implementations. I use FreeOTP.
I am aware; I use Authy.
Steam practically always thinks I'm logging in from some strange and mysterious device. Same browser and computer every time, it doesn't matter, Valve is just perpetually convinced that I'm a criminal trying to hack into my account. So well done on the https I guess, but add another voice agreeing with timppu: I'd use two-step verification, but only in a stripped back, less irritating form.