These things are a royal PIA everywhere, and we refuse to submit to them. "Kiss mah grits!" ~ Florence Jean Castleberry

@DawnSlinger; Don't accuse me of being anything. You don't know me. I was genuinely irritated and expressed that here. The definition of a troll is someone who gets their rocks off trying to instigate others and yank their chains. I wasn't doing that. I call a spade a spade, I just say it how I see it. So don't accuse me. I am a paying customer like the rest of you.

I see people bitching about GOG this and GOG that. Petty things. Frankly, if you don't like what I say, then report it to a moderator. But I'm not trying to troll anyone, I just say it like I see it. I'm honest. Thank you (and shuv it).

Imo people should always clear their cookies, not only when they close their browsers, but every time they're not using their accounts for any reason. So many ways to steal login and password info nowadays through cookies that I'm amazed so many browsers are proud that they still store login information locally. Unfortunately this is one of these things where the market just uses what everyone is using. There are better and more secure alternatives to Google's Captcha, but many are still using it. Clearly it doesn't work against some AIs too, but oh well.

I know its completely unrelated, but I will use this as an example:
Material UI. I don't know exactly why or when this 'trend' started in UI/UX design but this kind of design makes everything so freaking bloated and unoptimized for power users to navigate UIs that it makes no sense to use Material UI, ever. With it, everything is so big on screen and so much space is wasted with Material UI design.
But still, everyone (or most designers, at least, it seems) are using Material UI for cellphone apps, site designs and any button really, which, for me, sucks. Why do people continue to use it for designing?

Like I said, its one of these things that 'everybody does, because everybody is doing' but most are not really giving it a second thought.

(Thankfully GOG doesn't use material ui on its site/forum at least.)

About GOG using Captcha: A thought came to me. Maybe there are other reasons of why they're still using Google's captcha that we don't know about. I don't know.

First the disclaimer, I never saw a captcha on GoG.

Captchas are not related to signing in or out.
It might help a bit to activate 2FA, but I wouldn't count on it.

Captchas could come up by usage of a VPN or by coming from an overcrowded source, that is used for testing out username/password combinations on GoG (so for example darknet Exit Nodes or VPNs).

Aka many different machines try to access GoG from a single IP or from an IP that has been flagged as bad by some technical provider of GoG. So it could be some larger internal network people are inside first, too.

If nothing of this is used, it is because the ISP is doing some nasty stuff behind the lines.
And it seems to happen a lot with US ISPs. At last if I thrust that people tell us their real location.

Might be an idea for you US guys do talk to each other which ISP you are using...

Indeed, plus, I suspect it also relates to ongoing activity. Even without further analysis, if the IP region you're using currently is attacking the site you're trying to visit, these attacks alone might just be fast enough to invalidate your successfully solved Captcha before you get to the next step, so it just keeps going round.
Indeed. Most will tell you you're blocked but provide no option to unblock, unlike Captchas do. Others outright lie to you about the page not being found (fake a 404) or overloaded (GOG doesn not do that on the store, but does this with the forum; notably, even if you successfully logged in with 2FA in many cases), or just don't respond at all and leave you to time out without even knowing it's happening. That's the worst and most shameful IMO, because it harms the legitimate users more than the adversaries.
Yes, there is, Cloudflare being the most widely used one, but there are at least two others whose names I don't recall ATM.
2FA seems to disable Captchas, which makes sense because it serves the same purpose, only better. So in order to test this, you would first need to disable 2FA for your account. Logging out (which I always do after use) triggers 2FA every time I try to relog, which is understandable and OK given my setup, I wouldn't expect anything less in fact.
I suspect that CGNAT might trigger this, because it does exactly that: mask potentially thousands of users behind a single IP. And with the IPv4 exhaustion and smaller ISPs springing up everywhere, this might become more common.

Ah ok, I didn't realize that. It would certainly explain why I don't seem to get CAPTCHA on GOG. Has the OP disabled 2FA, and if so, why? Convenience over security?

I do recall seeing it in some instances though, maybe when redeeming a code or something? But I don't recall when I've seen it, if ever, during logging in.

To me it earlier felt that if either your IP address remains the same, OR you have valid login cookies in your browser, 2FA wouldn't be triggered. So if I had logged in successfully, then logged out, cleared the cookies and logged in again, 2FA would not be triggered because my IP address (that GOG sees as my public IP) had remained the same.

On the other hand, if my IP address has changed, but the browser still has valid login cookies, 2FA wouldn't be triggered either.

By yesterday's test, it doesn't seem to be like that anymore. It was actually a bit confusing because first I re-logged in with the same browser where I still had the cookies, IP address had not changed either... yet 2FA was triggered?

But right after that if I logged in with a fresh browser without cookies (still the same IP address), no 2FA?

Dunno, maybe in the second test I had not logged out from my account (even though I had closed the browser) so in GOG's mind I was still logged in from my IP address, and when I logged in from a different browser, GOG accepted it wiithout 2FA because I logged in from the same IP address at which I was still "logged in" in another browser... or something...

I'm going to test it now again, log in with this browser, close the browser, cookies are kept, and I log in with the same browser. So yesterday this triggered 2FA but I was in a different IP address (my workplace), now I am at home, using VPN to my work though so I don't know if that affects how GOG sees me...

EDIT: Tested, and unlike yesterday at my office, 2FA was not triggered this time. The only difference I can think of is the different IP address in these two tests, the same laptop and the same browser. Odd. Or maybe yesterday the cookies were becoming old so GOG figured it wants to renew them or something, hence 2FA...

Yep. I once tried a built-in browser VPN for a couple of minutes (Opera I think) and the result was being blacklisted from Captchas for like 3 months. They simply refused to load or couldn't be passed. Google search was also throwing a "suspicious activity" warning at me as long as the VPN was on.

Tried about 3 browsers, same result. Funnily enough, the only browser Captchas worked in was Edge.