An extra layer of protection for you and your account.

Today, we bring you two-step login: an optional extra layer of protection for your GOG.com account. In the coming weeks, we'll also be making all communication between you and GOG encrypted by default with HTTPS everywhere — both methods often requested on our wishlist, but also simply pretty smart to offer.

Two-Step Login
Two-step login is an extra layer of protection for your GOG.com account. Every once in a while, we'll ask you to verify your identity with a 4-character security code sent to your email. Simple stuff.

Two-step login is optional, but we really recommend it. It's designed to bug you only when we notice something unusual — like logging in from a new browser or location. By doing this, we make sure that there's no way to gain unauthorized access to your GOG.com account without both your GOG password and your email account. When used to its full potential with unique passwords for every account, two-step login can be virtually impenetrable.

To enable two-step login, simply head to your Login & Security settings, verify your email address, and enjoy the extra peace of mind. For more information, check out the FAQ.

Additionally, you can now end all of your active GOG.com sessions in one click — this includes every device or browser you ever logged in through. It's a handy feature if you've recently used a public computer, or if you simply want to be sure no device is still logged in to your account.
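The two-step login described above (a short emailed code, asked for only when the browser or location is new) and the "end all active sessions" action, written out as an added example. This is my illustration, not GOG's code; the code alphabet, the ten-minute code lifetime, the five-attempt cap, the in-memory stores and the `outbox` stand-in for the email sender are all assumptions made for the example.

```python
"""Added example (not GOG's code): a risk-based two-step login flow plus
"end all sessions". Alphabet, lifetime, attempt cap and stores are assumptions."""
import hashlib
import hmac
import secrets
import time

CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumption: no ambiguous 0/O, 1/I
CODE_LENGTH = 4                                      # the announcement says 4 characters
CODE_TTL_SECONDS = 600                               # assumption
MAX_ATTEMPTS = 5                                     # assumption: 32**4 is ~1M codes, so guessing must be capped


class TwoStepLogin:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.known_devices = {}   # user -> {(device_id, country), ...} seen and verified before
        self.pending = {}         # user -> challenge awaiting a code
        self.sessions = {}        # user -> {session_id: device_id}
        self.outbox = []          # constructed stand-in for the email sender

    def needs_challenge(self, user, device_id, country):
        # Challenge only when the browser/location pair is new for this account.
        return (device_id, country) not in self.known_devices.get(user, set())

    def start_login(self, user, device_id, country):
        """Call after the password has been checked. Returns a session id, or None
        when a code was emailed and verify_code() must complete the login."""
        if not self.needs_challenge(user, device_id, country):
            return self._open_session(user, device_id)
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self.pending[user] = {
            "hash": hashlib.sha256(code.encode()).hexdigest(),  # never store the code itself
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
            "device": (device_id, country),
        }
        self.outbox.append((user, code))  # would be sent to the account's email address
        return None

    def verify_code(self, user, submitted):
        entry = self.pending.get(user)
        if entry is None or self.clock() > entry["expires"]:
            self.pending.pop(user, None)
            return None
        if entry["attempts"] >= MAX_ATTEMPTS:   # too many guesses: discard the challenge
            self.pending.pop(user, None)
            return None
        entry["attempts"] += 1
        submitted_hash = hashlib.sha256(submitted.strip().upper().encode()).hexdigest()
        if not hmac.compare_digest(submitted_hash, entry["hash"]):  # constant-time compare
            return None
        self.pending.pop(user)
        device_id, country = entry["device"]
        self.known_devices.setdefault(user, set()).add((device_id, country))
        return self._open_session(user, device_id)

    def _open_session(self, user, device_id):
        session_id = secrets.token_urlsafe(32)
        self.sessions.setdefault(user, {})[session_id] = device_id
        return session_id

    def is_logged_in(self, user, session_id):
        return session_id in self.sessions.get(user, {})

    def end_all_sessions(self, user):
        """The one-click action from the announcement: drop every session for the user
        (every browser and device). Returns how many sessions were ended."""
        return len(self.sessions.pop(user, {}))
```

The two things worth noticing are that the emailed code is stored only as a hash and compared in constant time, and that a 4-character code is short enough that the attempt cap and the expiry, not the code itself, are what make it safe to use.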

HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, and now we're beginning to roll it out globally. That means HTTPS support for every connection between you and GOG.com — all secured with industry-standard encryption. Every bit (and byte) of data that travels between you, us, and everyone on GOG.com will be encrypted, including the store, forum, chat, downloads and even all of GOG Galaxy. It truly is HTTPS everywhere.
skeletonbow: ...snip
Do you use "Privacy Browsing" or "Incognito" mode or similar privacy mode in your browser(s), or use any addons that protect privacy by deleting cookies, or configure cookies to be session-only? If you do not permit a website to set cookies, then it can't remember who you are and you are a stranger next time/every time.
That is exactly the point, and why those features have been created. Which is also why email authentication should be done at GOG's end when a request for an account change happens and not based on a cookie on the user's machine - which is likely to be heavily compromised by hundreds of advertising and tracking cookies because they never clear the cache.

I want to be anonymous until I log in, and only need it to check if I am me when I actually make a change to the account which could affect the operation of the account, not if I want to check out a reply on a forum post!
Post edited March 11, 2016 by nightcraw1er.488
vv221: Rest assured that when they want to send you targeted advertising they have *lots* of other methods than dropping a cookie ;)
Johny.: Yup - this one is very interesting: https://github.com/Valve/fingerprintjs2 - you create a fingerprint out of users' data like screen resolution, supported fonts, supported features (WebGL for example) etc., they are so unique that you can rely on them and pair user fingerprints with their account. It can basically get the same fingerprint in private mode, or after clearing cookies, and identify you.

Sooo... The cookies and localStorage (many users are not aware of this one either) are not everything. :)

I was once very surprised when an internet shop sent me an email after I'd added an item to the cart and didn't complete the order - and I wasn't logged in when doing that. (like - "hey, what happened? come on, maybe you would like to buy it?")
I'd created an account there several months before to buy something. But I don't clear the cookies/localStorage at all - I like having it and letting sites use it - personally.
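The "so unique that you can rely on them" claim comes down to how rare each attribute value is in the population being compared against; the usual way to put a number on it is to add up the surprisal of each observed value. The block below is an added illustration of that estimate (mine, not from the thread and not from fingerprintjs2). The attribute names and the frequency table are constructed for the example; a real estimate needs frequencies observed over a large population.

```python
"""Added example: estimating how identifying a browser fingerprint is.
The attributes and their value frequencies below are constructed, not measured."""
import math

# constructed: fraction of a population showing each value of an attribute
ATTRIBUTE_FREQUENCIES = {
    "screen":         {"1920x1080": 0.35, "1366x768": 0.30, "2560x1440": 0.10, "other": 0.25},
    "timezone":       {"UTC+1": 0.40, "UTC-5": 0.25, "UTC+9": 0.10, "other": 0.25},
    "fonts":          {"common-set": 0.60, "design-set": 0.05, "other": 0.35},
    "webgl_renderer": {"intel-a": 0.30, "nvidia-b": 0.20, "apple-c": 0.15, "other": 0.35},
}


def surprisal_bits(attribute, value):
    """Bits of identifying information carried by one observed value: -log2(p).
    A value shared by 1 in 20 users carries log2(20) ~ 4.32 bits."""
    p = ATTRIBUTE_FREQUENCIES[attribute][value]
    return -math.log2(p)


def fingerprint_bits(observed):
    """Total bits for a set of observed attribute values, treating attributes as
    independent. Real attributes correlate (OS predicts fonts, for instance), so
    this is an upper bound, which is the caveat behind any 'unique' claim."""
    return sum(surprisal_bits(attribute, value) for attribute, value in observed.items())


def expected_matches(bits, population):
    """How many users in a population of the given size share a fingerprint
    carrying this many bits. Below 1 means the fingerprint is effectively unique there."""
    return population / (2 ** bits)


def bits_needed_to_be_unique(population):
    """Bits a fingerprint must carry before it singles out one user in the population."""
    return math.log2(population)


# constructed profiles: one built from common values, one from rare values
COMMON_PROFILE = {"screen": "1920x1080", "timezone": "UTC+1", "fonts": "common-set", "webgl_renderer": "intel-a"}
RARE_PROFILE = {"screen": "2560x1440", "timezone": "UTC+9", "fonts": "design-set", "webgl_renderer": "apple-c"}
```

Run `fingerprint_bits(COMMON_PROFILE)` against `fingerprint_bits(RARE_PROFILE)` to see why an unusual setup is far easier to recognise than a stock one, and `bits_needed_to_be_unique(n)` to see how the size of the comparison database bounds what "unique" can mean.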
Browser fingerprinting is a powerful tracking technique, and it has been known for years. Yet many people still seem to be unaware of it.

By the way, anyone can check how unique the fingerprint of their browser configuration is: https://panopticlick.eff.org/ (Well, the Panopticlick database which is used to estimate uniqueness currently only has a bit more than 130,000 entries. The more this database grows, the better the estimate of browser fingerprint uniqueness will become.)

By the way, the page with current weekend promo announcement (https://www.gog.com/news/weekend_promo_strategy_corner, note that the URL is HTTPS) links to the order page using HTTP. Not HTTPS everywhere, hmm...
Post edited March 11, 2016 by elgonzo
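The HTTP link on an HTTPS page noted above is the kind of thing that is easy to check for mechanically. The block below is an added example of such a check (mine, not GOG's tooling): it parses a page served over HTTPS and reports every link, image, script, frame or form that still points at plain http://, separating the active cases (scripts, frames, form targets, which browsers block or warn on and which can leak what the user submits) from the passive ones (links and images). The page URL and the HTML are constructed for the example; `example.test` is a placeholder.

```python
"""Added example: find references to plain http:// on a page served over https.
The sample page and its URLs are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tags whose named attribute makes the browser navigate to or fetch a URL
URL_ATTRS = {"a": "href", "link": "href", "img": "src", "script": "src", "iframe": "src", "form": "action"}
ACTIVE_TAGS = {"script", "iframe", "form"}


class InsecureRefFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []   # (tag, absolute_url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return
        # urljoin resolves relative paths and protocol-relative "//host/..." against
        # the page URL, so only references that explicitly say http:// end up flagged.
        absolute = urljoin(self.page_url, value)
        if urlsplit(absolute).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((tag, absolute, kind))


def find_insecure_refs(page_url, html):
    """Return (tag, url, kind) for every http:// reference on an https page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("check only makes sense for a page served over https")
    parser = InsecureRefFinder(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings):
    """Counts per kind, handy for a pass/fail gate in a crawler or CI job."""
    counts = {"active": 0, "passive": 0}
    for _tag, _url, kind in findings:
        counts[kind] += 1
    return counts


# constructed sample: a news page over https with a mix of references
SAMPLE_PAGE_URL = "https://example.test/news/promo"
SAMPLE_HTML = """
<a href="http://example.test/order/123">Buy now</a>
<a href="/news/other">Other news</a>
<a href="//cdn.example.test/banner.png">protocol-relative, inherits https</a>
<img src="http://static.example.test/banner.png">
<script src="https://static.example.test/app.js"></script>
<form action="http://example.test/login"><input name="password"></form>
"""
```

Pointing this at fetched HTML (for instance from a crawl of the site's own pages) turns "HTTPS everywhere" from a statement into something that can be verified, and the active/passive split tells you which findings to fix first.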
I saw it a long time ago, Google announced:

Google Will Soon Shame All Websites That Are Unencrypted

one of the many sites that have topics /articles on this


motherboard.vice.com/read/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https
Thank you for doing this, but I'm not going to use it. Since 4 January I can't get access to my Steam account to start using their new required app. I'm not going to do any change to my GOG account.
I've had to disable this feature, which I appreciate totally, due to my settings of deleting cookies etc when I log off daily. Having to reenter the code every time I log into gog was becoming a hassle.
seikus: Thank you for doing this, but I'm not going to use it. Since 4 January I can't get access to my Steam account to start using their new required app. I'm not going to do any change to my GOG account.
Steam has a required login app? :P Another reason not to use them I guess.
seikus: Thank you for doing this, but I'm not going to use it. Since 4 January I can't get access to my Steam account to start using their new required app. I'm not going to do any change to my GOG account.
tinyE: Steam has a required login app? :P Another reason not to use them I guess.
It's required to trade instantly.
This is a basic security feature. Hopefully it's done now.
skeletonbow: ...snip
Do you use "Privacy Browsing" or "Incognito" mode or similar privacy mode in your browser(s), or use any addons that protect privacy by deleting cookies, or configure cookies to be session-only? If you do not permit a website to set cookies, then it can't remember who you are and you are a stranger next time/every time.
nightcraw1er.488: That is exactly the point, and why those features have been created. Which is also why email authentication should be done at GOG's end when a request for an account change happens and not based on a cookie on the user's machine - which is likely to be heavily compromised by hundreds of advertising and tracking cookies because they never clear the cache.

I want to be anonymous until I log in, and only need it to check if I am me when I actually make a change to the account which could affect the operation of the account, not if I want to check out a reply on a forum post!
Precisely, and because of this everyone who wants that level of privacy in their browser should expect that they're going to have to log in again manually every time, since the privacy features they value break the auto-login process. I use the private browsing feature for certain websites but not for general browsing; however, I use a plethora of other privacy addons which also cause certain inconveniences and broken functionality on various websites. The broken functionality is the price we all pay for added privacy and security. Whether it is worth it is up to the individual, of course.

The disparity comes when someone uses private browsing mode and then gets upset when it is doing what it is designed to do. :)
Awesome, fantastic, can we PLEASE get Canada added to the fair price policy now? Extra security doesn't matter to me if you're going to charge me more than the other stores.
gibbeynator: Awesome, fantastic, can we PLEASE get Canada added to the fair price policy now? Extra security doesn't matter to me if you're going to charge me more than the other stores.
Don't you automatically get store credit back if your price is more than the base US price? (Or is the Canadian price less than the US price, but still more expensive than other stores?)
gibbeynator: Awesome, fantastic, can we PLEASE get Canada added to the fair price policy now? Extra security doesn't matter to me if you're going to charge me more than the other stores.
tfishell: Don't you automatically get store credit back if your price is more than the base US price? (Or is the Canadian price less than the US price, but still more expensive than other stores?)
I pay the USD price, and whatever that converts out to in CAD is what I pay. Usually that means I pay an extra 30% on what's advertised, compared to Steam which usually only does 10% extra for CAD unless otherwise specified.
SmashManiac: Yes! It's about time to see GOG finally starting to implement some decent security. There's still some obvious work to do though: https://www.ssllabs.com/ssltest/analyze.html?viaform=on&d=www.gog.com
songoqu: Could you check it again ? [A-]
Wow, that was quick! Still a few things left, but it's great that the biggest flaws were resolved. Keep up the good work! :D
Nicole28: I'm too lazy to read through the entire thread, so this has likely been mentioned. But I want to add in my support for 2 factor authentication each time you log in and not only "some" of the time. Because this still leaves you vulnerable to attacks. But, it's a step in the right direction. And it's good that you made it optional, in case some folks don't want it for their personal reasons.
Actually, I don't think I've seen a single person ask for 2FA every time they log in; most of the additions/changes people have been asking for have to do with alternative ways of handling the authorization (such as getting a text message instead of an e-mail), and adding authorization prompts when attempting to, e.g., change the login password or associated e-mail address. I get the feeling that virtually no one would use the feature if it challenged you at every single login attempt, no matter what.
songoqu: We think that covering all cases is much safer than only chosen ones, and don't forget that to do those actions you need to re-enter your password.
timppu: Covering all cases adds even more security, true, but for many of us it also causes so much extra inconvenience that we are forced to keep the whole new feature disabled, which is a shame in itself as we want to feel secure too. :)

My meaning was not to suggest to remove this current option. I'd hope that at some point you could add more options to that, so that people can tailor it more to their needs. Like three (or more) different levels for the security setting:

1. The current, most secure, implementation, i.e. two-step login is triggered in many cases, even if trying to log in from a new browser (or having deleted cookies from your current browser).

2. My suggestion, i.e. two-step verification is triggered only if you try to change account options (the most important ones being the email address and password), and on top of that sending an information email to the user about possibly unauthorized connections (or attempts) from elsewhere (e.g. from a new IP address or country), so that the user can react accordingly if needed, like changing the password. This is what I'd personally like to use.

3. Disabled, i.e. what it is now by default.
This is mostly a good idea, but I'd say that, ideally, there should be separate settings:
- the current option for two-step login -- though probably with the addition of notices of some kind sent to the account owner in the case of a suspicious login or login attempt, like you mentioned (the notification part could even have its own separate setting, perhaps): off by default
- the same (or similar) authorization/notification combo whenever there's an attempt to make any important changes to the account (changing password, changing what e-mail address is associated with the account -- possibly even the Support-assisted ones, such as changing one's 'nickname' and, more importantly, closing one's account): on by default...though, as I mentioned in an earlier post, I'd be totally fine with this one just being a non-optional, permanent account feature across the board.