Yes, I also think GOG definitely needs (at least optional, enabled by default) two-step verification for e.g. changing the email address or password. It is actually quite surprising they don't have that, after all pretty much any website with accounts have had that since god knows when.

Still, no from me for two-step verification for simply trying to log in to GOG.com with my web browser cookies cleared (which is something e.g. steampowered.com demands (booo!), but humblebundle.com doesn't (yay!)).

Yes, that's really a bother since I always clear my cookies when I close my browser.

Depends on what the 2nd step is actually. Take a look at the Battle.net authenticator. Unless the attacker can get his hands on the user's token or phone, he won't be able to make use of the password, no matter how compromised the PC is.
That is of course assuming that you can't grab the current session to use through a different machine.

Voted, but I`d want it as an option, not a "use it or sod off" type of thing.

I don`t have a mobile & I refuse to have anything to do with Google.
Perhaps an email version, but of course, those that are being hacked are probably also using the same password for that too ;)

Good point, albeit I don't even know how to close a GOG account (one has to contact the support for that anyway, right?.

THIS.

I hope you never get assignment on security stuffs, because your job will fail spectacularly.

While true, there's a point where a company can say "We've done our due diligence, there's plenty of security measures on our side to protect you. It's up to you now to keep your account safe". Not only from a direct account security standpoint, but from reading their handling of account returns could use improvement and on top of that they need to consider things like scamming becoming more prevalent as their userbase grows and things that can help prevent that (like having forum chat actually show (public) information of the person you're chatting with rather than just a name for instance).

GOG is nowhere near that at the moment.

Good example. I had to use authenticator because it was requirement to use Real Money Auction House. Years later my old phone got lost somewhere (I might find it if I will seriously try) and so is my access to battle.net (I might try to recover it, but I need to scan passport and stuff like that)... As I lost interest in current ActiBlizzard products I simply said "screw it" and moved on. So it is good example of how additional security backfires at actually caring users.
A lot of new users. New big game. Guess how many of those new users were browsing web for various cheats and trainers, and were so impatient to try out bootleg copy which was released before official one? A lot of them were probably quite ashamed to acknowledge why they were hacked (as they got malware with all those trainers, bootleg stuff and such), but it was so easy just to blame GOG (and russians, just because).
I know how security works. And I know that if someone will follow some link like www.GetMalwareHere.com, he WILL get his accounts hacked. So what? Because some people click these links or do other strange stuff, others need to go through multiple steps verification? There were many people who were hacked even with Blizzard authenticators. Why? Because they were so dumb that their PCs became paradise for all kinds of malware (Blizzard themselves had to write about it). But of course they were bashing Blizzard and tried seeding panic.

Fine, make it, but optional, and turned off by default. There are already so many "helpful" things which are automatically turned on on other sites and in various software, keeping track of all of them becomes quite stressful.

It's not. It's similar to losing your house keys and saying that locks prevent actually caring homeowners from entering their house.
A two step authentication that requires electronic and physical access will not be defeated by a user having malware on their computer, since it requires physical access to said user as well. If the user is not careful with their access (be it password, physical access, dongle, house key or key card), it is not the extra security measures that backfire, it's the user's fault.

P.S. If you have kept your authenticator's serial number and restore code, you can re-install it with those numbers. Or by using the iCloud Keychain, if you had an apple device.
P.P.S. Also, if you had enabled the SMS protect, you can also remove the authenticator without going through the account verification.

Amended that for you. You losing access to your phone with your authentication info still attached to it really isn't a flaw of the security, it's a flaw of the user.

I had SMS protect on. I might try that in case I will feel like playing some Blizzard games.
It happens that people eventually get new phones, and old ones start collecting dust, get lost somewhere in house as it is no longer needed and such. You just place your sim card in new phone and that's it. As i wrote, I can find it if I will really seek, but then I am afraid that accumulator has degraded for the time it wasn't used, so... way too much hassle. And all that was not because I used authenticator from fear of being hacked, but because it was requirement for RMAH (thanks to many careless people).

Maybe you need it. I wouldn't mind it as long as it was optional. But I certainly don't need it or want it - I'm not going to give you my phone number and I'm not going to install random phone apps and I'm not going to use any third-party authenticator.

Would you want an e-mail to a secondary address to confirm whether you're certain that you want to change your primary e-mail or password on GOG?

Less secure than an offline authenticator (app or device) or SMS, but still slightly more secure than simply changing and sending an e-mail (to the previous address, in case the a-mail address was changed).