An extra layer of protection for you and your account.

Today, we bring you two-step login: an optional extra layer of protection for your GOG.com account. In the coming weeks, we'll also be making all communication between you and GOG encrypted by default with HTTPS everywhere — both methods often requested on our wishlist, but also simply pretty smart to offer.




Two-Step Login
Two-step login is an extra layer of protection for your GOG.com account. Every once in a while, we'll ask you to verify your identity with a 4-character security code sent to your email. Simple stuff.

Two-step login is optional, but we really recommend it. It's designed to bug you only when we notice something unusual — like logging in from a new browser or location. By doing this, we make sure that there's no way to gain unauthorized access to your GOG.com account without both your GOG password and your email account. When used to its full potential with unique passwords for every account, two-step login can be virtually impenetrable.

To enable two-step login, simply head to your Login & Security settings, verify your email address, and enjoy the extra peace of mind. For more information, check out the FAQ.




Additionally, you can now end all of your active GOG.com sessions in one click — this includes every device or browser you ever logged in through. It's a handy feature if you've recently used a public computer, or if you simply want to be sure no device is still logged in to your account.







HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, and now we're beginning to roll it out globally. That means HTTPS support for every connection between you and GOG.com — all secured with industry-standard encryption. Every bit (and byte) of data that travels between you, us, and everyone on GOG.com will be encrypted, including the store, forum, chat, downloads and even all of GOG Galaxy. It truly is HTTPS everywhere.
Good to hear, GOG.

Don't forget the Galaxy bug tracking page. Currently the Galaxy FAQ says "Bug reports: Our http://mantis.gog.com will stay active" (emphasis mine).

At the moment, only the unencrypted connection works - attempting to use https://mantis.gog.com results in an "Unable to connect" message from my browser. No secure connection available at all. Based on your new security initiative, https should at least be an option, if not the default. Given that people are encouraged to upload detailed logs from their systems when posting bug reports, an encrypted connection should be the only option in my opinion.

Regarding Two-factor authentication: I agree with others that selective TFA for actions like changing password/email would be a nice option. The all-or-nothing approach can be tedious for those of us that regularly clear cookies/history in our browsers. Also agree that the option to use something like Authy if already using it for other sites would be nice, but should be optional.
Thank you gog.
I hope previous cookies will expire and we will have to use the new code system to log in again.
This may also control scammer alt accounts to some extent.
amrit9037: Thank you gog.
I hope previous cookies will expire and we will have to use the new code system to log in again.
This may also control scammer alt accounts to some extent.
How would this prevent scammer alt accounts?
timppu: At the same time, I have a suggestion: give also an option for that two-step verification code if anyone tries to:

1. change my account's password

2. change my account's email address

THOSE are where I personally want this two-step verification, ok? Not every time I log in with a clean (no cookies) browser, ok ok?
This. I don't want two-step verification every time I log in from another browser or a new location (it's pretty annoying on Humble), but when someone tries to change my e-mail or my password, it would be very welcome.
Nice idea. Unfortunately will not be using it as I use multiple browsers in multiple countries on too regular a basis.

Like timppu, I would have preferred:
- TFA for changing email or password
- just notification about access from unrecognised device or country
Both separately optional.

I have said it before, I will say it again: Please tell your user base about new features BEFORE implementing them, so you can get feedback before committing to a specific design.

I guess my only option is to continue worrying about being hacked.
Post edited March 07, 2016 by mrkgnao
GOG.com: It truly is HTTPS everywhere.
catpower1980: Well, everywhere but not here for sure ^o^

Screenshot attached
I believe that's been fixed :) Note I don't use any HTTPS plugins in Chrome :)
Attachments:
https.jpg (131 Kb)
GOG.com:
As a very security conscious person I'd like to thank you for finally doing both of these things. While security is never 100%, every little security improvement helps to cut down that much more on threat surface so these measures are appreciated.

FYI - https://www.gog.com/support/twostep_login_faq gives a 404 with a gogbear.
I hope the "two-step login" stays optional. They use it over at Humble Bundle and it annoys the hell out of me, when I switch between my notebook and my desktop.
Nice addition.

I assume it's kinda like the thing Steam has been using for a very long time now?
(I have a Steam account but just for fun, nothing serious, just for some 20 cents to 2 euros casual games, that's all. So nothing serious.)


Once in a while they ask: is xxxxxxxxxxxxxxx still your active mail? Please confirm ....

I check yes, then I get a confirmation in a mail.
catpower1980: Well, everywhere but not here for sure ^o^

Screenshot attached
JudasIscariot: I believe that's been fixed :) Note I don't use any HTTPS plugins in Chrome :)
I still don't get any https when going to the front main page first, I still have to navigate to the forums first to get https like before. Using Chrome.
fiiij: I hope the "two-step login" stays optional. They use it over at Humble Bundle and it annoys the hell out of me, when I switch between my notebook and my desktop.
We won't bug you for entering a code when switching browsers - we will when accessing from a new browser for the first time, or when the cookies were cleared (unfortunately, you could trust our cookies though), or the session expires.

Try it. :)
Post edited March 07, 2016 by Johny.
fiiij: I hope the "two-step login" stays optional. They use it over at Humble Bundle and it annoys the hell out of me, when I switch between my notebook and my desktop.
Same here... don't have Humble or other ones that use such steps, only Steam, but that's for simple fun like I explained earlier, no serious gaming on that account.

I did notice Steam keeps pushing about those apps or stuff to use an Android or smartphone thingie as a better protection or something like that; I hope they won't make that a requirement 'cause I don't have smartphones, and never will get one.
So email and/or client info will be the only best and easy options as a 2way protection or whatever they call it.
Anyway, the only thing we can do as users is to use a very difficult weird password, the rest of secure and safe connections is up to the providers of the services, our responsibility kinda ends in using strong passwords, and of course do not store them in the browser when asked :D


I assume that in the year 10K we'll be using retina scans to log in? Or maybe use nothing, all depends on how we will evolve, we can evolve to aliens and smart looking green intelligent lifeforms, or go back to stonehenge, depends on what will happen to the world and who will be in charge by then: so will we be smart peaceful aliens or stonehenge people again?
Post edited March 07, 2016 by gamesfreak64
Good news indeed! Thanks GOG, and well done.
catpower1980: Well, everywhere but not here for sure ^o^

Screenshot attached
JudasIscariot: I believe that's been fixed :) Note I don't use any HTTPS plugins in Chrome :)
Oh yeah, it works now! I think the Web team can go on vacation for a month now :o)
GOG.com: It's designed to bug you only when we notice something unusual — like logging in from a new browser or location.
Leroux: The problem is that this "unusual" behavior seems to be the default for me. It's like that on Humble, I need to enter a code EVERY time I log in because apparently I'm always using a "new" browser when I start a new browser session. Not sure if this is to do with me regularly cleaning out cache and cookies, or dynamic IP or whatever ... :/
I have the same problem with IndieGala. Maybe it's because of the automatic updates of Firefox now and then. Luckily you can turn the feature off.

However I find it a bit puzzling that you are going to such lengths for extra security but you still won't do anything to keep scammers and impersonators out - and you know that they are here. You should prevent double accounts to make it at least a bit more difficult to pester the GOG community.