An extra layer of protection for you and your account.

Today, we bring you two-step login: an optional extra layer of protection for your GOG.com account. In the coming weeks, we'll also be making all communication between you and GOG encrypted by default with HTTPS everywhere. Both features have often been requested on our wishlist, and they are simply smart to offer.




Two-Step Login
Two-step login is an extra layer of protection for your GOG.com account. When a login looks unusual, we'll ask you to verify your identity with a 4-character security code sent to your email. Simple stuff.

Two-step login is optional, but we really recommend it. It's designed to bug you only when we notice something unusual, like logging in from a new browser or location. With it enabled, knowing your GOG password is not enough: an attacker would also need access to your email account. Used to its full potential, with a unique password for every account (including the email account the codes are sent to), two-step login makes taking over your account very hard.

To enable two-step login, simply head to your Login & Security settings, verify your email address, and enjoy the extra peace of mind. For more information, check out the FAQ.
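The announcement above describes the pieces of a step-up check (a trigger on an unusual browser or location, a short code sent by e-mail) without saying how such a code should be handled. The following is an added example written for this page, not GOG's code: it shows the two things a 4-character code needs around it to be safe, namely a short lifetime with single use, and a hard cap on guesses (32 symbols to the 4th power is about a million codes, so without a cap an attacker could simply enumerate them). The alphabet, lifetime, attempt limit, the `is_unusual_login` rule and the `StepUpChallenge` class are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Parameters are assumptions for this example, not GOG's real settings.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols; 0/O and 1/I left out
CODE_LENGTH = 4                                 # 32**4 = 1,048,576 possible codes
CODE_TTL_SECONDS = 10 * 60
MAX_ATTEMPTS = 5                                # at most ~5 in a million guess success per challenge

# In a real deployment this would come from a secrets store; here it is random per process.
SERVER_KEY = secrets.token_bytes(32)


def is_unusual_login(known_contexts, device_id, country):
    """Trigger rule (assumed): step up when this (browser, country) pair has not
    been seen before. known_contexts is a set of (device_id, country) tuples
    that the user confirmed on earlier logins."""
    return (device_id, country) not in known_contexts


def _code_digest(challenge_id, code):
    # Store only a keyed hash of the code, so a leaked challenge table is useless on its own.
    msg = f"{challenge_id}:{code}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


class StepUpChallenge:
    """Issues and verifies short e-mail codes: expiring, single-use, attempt-limited."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # challenge_id -> [user_id, digest, expires_at, attempts_left]

    def issue(self, user_id):
        """Returns (challenge_id, code). The code is e-mailed to the user; the
        challenge_id stays in the half-authenticated server session and is never shown."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = [
            user_id,
            _code_digest(challenge_id, code),
            self._now() + CODE_TTL_SECONDS,
            MAX_ATTEMPTS,
        ]
        return challenge_id, code

    def verify(self, challenge_id, user_id, submitted):
        """True only for the right user, the right code, inside the lifetime and attempt budget."""
        entry = self._pending.get(challenge_id)
        if entry is None:
            return False
        owner, digest, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            del self._pending[challenge_id]
            return False
        if owner != user_id:
            return False
        candidate = _code_digest(challenge_id, submitted.strip().upper())
        if hmac.compare_digest(digest, candidate):   # constant-time comparison
            del self._pending[challenge_id]           # single use
            return True
        entry[3] -= 1
        if entry[3] == 0:
            del self._pending[challenge_id]  # budget spent: the user must request a fresh code
        return False
```

The user-facing flow is: on an unusual login, call `issue`, e-mail the code, and only complete the login when `verify` returns True. A wrong guess is cheap for the attacker only as long as the attempt budget holds, which is why the budget, not the code length, is what makes a 4-character code acceptable.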




Additionally, you can now end all of your active GOG.com sessions in one click — this includes every device or browser you ever logged in through. It's a handy feature if you've recently used a public computer, or if you simply want to be sure no device is still logged in to your account.
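The "end all sessions in one click" feature described above only works if the server can invalidate every session token a user has ever been given, including ones it would otherwise never see again. The example below is added for this page and is not GOG's implementation; it shows the usual way to do that, a per-user session generation that is bumped on "logout all", so any token minted under an older generation is rejected the next time it is presented. The `SessionStore` class and its method names are assumptions. Listing active sessions is included because it is what a user needs in order to see that the button did something.

```python
import secrets
import time


class SessionStore:
    """Server-side session table (constructed example). Each session records the
    user's generation at login time; logout_all() bumps the generation, which
    invalidates every existing token for that user without touching them one by one."""

    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}    # token -> (user_id, generation, created_at, device)
        self._generation = {}  # user_id -> current generation

    def login(self, user_id, device):
        """Create a session and return its opaque token (random, never derived from user data)."""
        token = secrets.token_urlsafe(32)
        generation = self._generation.setdefault(user_id, 0)
        self._sessions[token] = (user_id, generation, self._now(), device)
        return token

    def user_for(self, token):
        """Resolve a token to a user, or None if unknown or revoked."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, generation, _, _ = entry
        if generation != self._generation.get(user_id):
            del self._sessions[token]  # revoked by logout_all; purge lazily on first use
            return None
        return user_id

    def active_sessions(self, user_id):
        """Devices/browsers whose sessions are still valid for this user."""
        current = self._generation.get(user_id)
        return [
            device
            for (owner, generation, _, device) in self._sessions.values()
            if owner == user_id and generation == current
        ]

    def logout_all(self, user_id):
        """The one-click button: every token issued so far for this user stops working."""
        self._generation[user_id] = self._generation.get(user_id, 0) + 1
```

Because revocation is a single integer increment, it is cheap even for a user with hundreds of stale sessions, and sessions created after the click (with the new generation) keep working normally.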







HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, and now we're beginning to roll it out globally. That means HTTPS support for every connection between you and GOG.com — all secured with industry-standard encryption. Every bit (and byte) of data that travels between you, us, and everyone on GOG.com will be encrypted, including the store, forum, chat, downloads and even all of GOG Galaxy. It truly is HTTPS everywhere.
Great feature.

But please tweak the layout of the plain-text mail, e.g. add a linebreak between the code and "MY CODE DOESN'T WORK".

Thanks.
Great! Thank you very much!

It will be nice to see active sessions near "LOGOUT ALL" button.
Just for the sake of seeing that pushing this button did something (because I can't see anything in Galaxy).
Excellent! Thanks GOG!
zak256: Why not use a *good* Two-Factor-Authentication?
There are already better ways to do this. Look at GitHub for example.
A verification code to the mobile phone? As long as that is optional too, as I don't really want to share my phone number all over the world either, even to GOG.com.

I still say that I want a verification code to my email, but only if someone attempts to change either the email address or the password. That is my main concern, not that some hacker was temporarily able to download my purchased games or write trash messages to the site as me.

If someone tries to access, or especially successfully accesses, my account from abroad, I want to know about that too, so please send an info mail about such activities. Then I know if I should react somehow, like changing the password myself, and use the new "clear all GOG connections" option that GOG now offers.
Post edited March 07, 2016 by timppu
tfishell: What were you hoping?
Hopeless dreams...
zak256: Why not use a *good* Two-Factor-Authentication?
There are already better ways to do this. Look at GitHub for example.
timppu: Verification code to mobile phone? As long as that is optional too, as I don't really want to share my phone number all over the world either, even to GOG.com.
Agreed, I wouldn't want to use the SMS method either, but this is not the only way mentioned there:

- Configuring two-factor authentication via a TOTP mobile app
- Configuring two-factor authentication via text message
- Configuring two-factor authentication via FIDO U2F

There can also be a TOTP desktop app which does the same. I think the one from Google is called GoogleAuthenticator.
Elbart: Great feature.

But please tweak the layout of the plain-text mail, e.g. add a linebreak between the code and "MY CODE DOESN'T WORK".

Thanks.
edit: missed the plaintext part...nothing to see here...
Post edited March 07, 2016 by JudasIscariot
zak256: Agreed, I wouldn't want to use the SMS method either, but this is not the only way mentioned there:

- Configuring two-factor authentication via a TOTP mobile app
- Configuring two-factor authentication via text message
- Configuring two-factor authentication via FIDO U2F

There can also be a TOTP desktop app which does the same. I think the one from Google is called GoogleAuthenticator.
Ok then, I'll have to check how those work. I only quickly saw the "mobile phone code" option on that linked page.
Great. Thanks GoG!
EDIT: Quoted post was edited, this is now redundant.
Post edited March 07, 2016 by Maighstir
TFA is something I have been looking forward to at GOG for a long time. Glad to see it implemented and working. Hopefully in the future we can move away from email authentication and towards device authentication such as Authy.
zak256: Agreed, I wouldn't want to use the SMS method either, but this is not the only way mentioned there:

- Configuring two-factor authentication via a TOTP mobile app
- Configuring two-factor authentication via text message
- Configuring two-factor authentication via FIDO U2F

There can also be a TOTP desktop app which does the same. I think the one from Google is called GoogleAuthenticator.
timppu: Ok then, I'll have to check how those work. I only quickly saw the "mobile phone code" option on that linked page.
In short:
TOTP=Timed One Time Password: Every 10 seconds (or so) a new 6-digit-number is generated according to the current timestamp and a secret code X. At activation, the secret code X is generated by GOG and needs to be entered into the app. Afterwards the app constantly tells you the current code which only the provider of the secret key can verify.
(There are special hardware tokens available with a small display which basically do the same. Maybe these are known by some people.)

U2F=Universal 2nd Factor is a more sophisticated standard. Browser support is required for that and unfortunately only Google Chrome has it right now. But I guess this will be the way to go in 1-2 years.

I would go for TOTP, especially because you only need this app once and can enter as many secret keys for several accounts as you like.
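The post above describes TOTP in words: a shared secret entered into the app at activation, and a 6-digit number derived from that secret and the current time. The following is an added example for this page, not code from the thread or from GOG; it implements the algorithm as standardised in RFC 4226 (HOTP) and RFC 6238 (TOTP), where the default time step is 30 seconds and the code is an HMAC of the step counter, dynamically truncated to the requested number of digits. It also shows the server-side part a practitioner cares about: accepting a small window of neighbouring steps for clock drift, and refusing to accept the same step twice (replay). The `verify_totp` and `secret_from_base32` helpers and the `window` parameter are assumptions for illustration; the test secret `12345678901234567890` is the one from the RFCs.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter as 8-byte big-endian), dynamic truncation, mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time, step=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(for_time) // step, digits, algorithm)


def verify_totp(secret, submitted, for_time, step=30, digits=6, window=1, last_used_counter=None):
    """Server-side check (assumed policy). Accepts the current step and +/-window
    neighbours to tolerate clock drift, and never accepts a counter at or below the
    last one already used, so a captured code cannot be replayed.
    Returns (accepted, counter_to_record)."""
    counter = int(for_time) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_used_counter is not None and candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return True, candidate
    return False, last_used_counter


def secret_from_base32(text):
    """Authenticator apps are provisioned with a base32 secret (often shown in
    spaced lower-case groups); normalise spacing, case and padding before decoding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"       # test secret from RFC 4226 / RFC 6238
    print(totp(rfc_secret, 59))                # -> 287082 (step 1)
    print(totp(rfc_secret, 59, digits=8))      # -> 94287082
    print(verify_totp(rfc_secret, "287082", 75, last_used_counter=1))  # -> (False, 1): replay
```

Two design points worth noting: the comparison uses `hmac.compare_digest` so that a wrong code takes the same time to reject as a nearly-right one, and the server must persist `last_used_counter` per user, since without it the drift window turns every accepted code into a reusable one for up to three time steps.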
songoqu: good point, that's why we posted "and now we're beginning to roll it out globally". It will be changed step by step, please be patient :)
timppu: Would it be possible to get an option for similar two-step verification, but only if anyone (me or an evil hacker) tries to change the email address or the password of the account?
We think that covering all cases is much safer than only chosen ones, and don't forget that to do those actions you need to re-enter your password.
timppu: I think currently you send an email _after_ someone has changed the password (kind of an information email like "Happy news! Someone has just changed your account password! Hopefully it was you!"), and that is kinda silly because that's too late and doesn't add to the security at all. The action (changing email or password) should be confirmed from the user's email, before approving the action.

Also, I wouldn't mind if GOG informs me to the email if someone accesses, or tries to access, the account from e.g. a new IP address, or a different country, or whatever. Keeping the user informed of such activities is good as I think I should know the best in which country I currently am, and whether I am trying to access GOG.com from there.
Thanks for these insights Timppu! We'll of course consider all opinions, the process of improving security is never complete.

timppu: Demanding a security code from email in such a case is a definite no-no to me though, as the email I use also demands a two-step verification when abroad. Meaning, I can't even access my damn email from abroad, to get that code.

Sometimes too much security is... too much.
That's why it is available as opt-in, to not force any of you to use it
Cheers
Thank you GOG!
Solid implementation and thanks for not demanding mobile numbers (my long time "fear" when it came to this).

songoqu: That's why it is available as opt-in, to not force any of you to use it
Cheers
Much appreciated too! Both the optional nature AND the consumer friendly "opt-IN" as opposed to the "they're too stupid to opt-out" method ;)