Hello!
I know GOG uses 2FA by sending a code to my mailbox by default. Unfortunately there are no other options of 2FA.
Would it be possible to also support TOTP (perhaps the most common 2FA) or U2F?
Thanks for a reply and discussion!
A..Borque

It's been asked for plenty of times previously and I don;t ever recall a response from staff.

Feature requests are usually done over here:

https://www.gog.com/wishlist

Be sure to take a second and search first when you get over there. Dupe requests are frowned upon as they just spread around the votes.

Good luck

And why the heck would you want to have a login key created based the on the UK's Top Of The Pops?

Note to my fellow Brits - TOTP is Time-based One-time Password, NOT Top of the Pops

https://www.youtube.com/watch?v=DnBnxf2lDq8

??

How can that be secure?

The rightful owner of the account is identified by song and dance.

Glad you clarified that, I was wondering how Testing of the penis would work?

In 2019 i expect at least U2F.

Because Email 2FA, SMS 2FA, TOTP 2FA and HOTP 2FA is dead!

Also GOG? Only Email 2FA? Seriously?

My New Year's resolution is to not enter any personal data, CC Infos or purchase anything on sites not supporting U2F or FIDO2 anymore.

Doesn't that read TOP then? Anyways, we know it's not top of the pops as they are all in nick, likely tying that kangaroo sport.

There's a wishlist item up for this: My preference is for TOTP because I don't want to lug around yet another dongle for U2F, but U2F would also be desireable as an option.

Good joke, that one. TOTP is nowhere near "dead" - I'm using it on over a dozen of my most important accounts; there's absolutely nothing wrong with it. Cannot say the same about GOG, stuck at "email only" in 2019. One can only hope they'll get around to it somewhere before 2219 but frankly the odds don't look good...

Nice jokes :p

OTP means one-time password. It's an evolution of the traditional password, which is static and many ppl repeat the same password on multiple services and portals.

OTP uses a seed, which is stored on the OTP client, which may be a software like KeePass or a hardware. It's one-time because the seed is used as input to generate a limited-time password which becomes useless then. Normally it's a 6 digit number, but it may be 8 digits. It also prevents repeating the same password, because it's the server that generates the seed, therefore users can't repeat it.

HOTP uses a counter as the other input to generate the code, I've never seen it being used. TOTP uses current time as input, therefore requiring both server and client to have precise time set. The most popular TOTP client is Google Authenticator, but it's not good because it's proprietary software. There are some FOSS available, KeePass is great.

The advantage of TOTP is that it can be used with a free software, as I said. There's no disadvantage of TOTP over plain password and there's no reason to not use TOTP in place of plain password. The problem is that, when it's being registered, the seed is shown in plain text, even when it's on a QR. At that moment a malware is able to capture it and a hacker use it to get access.

FIDO is the solution for that. It's an open standard designed by an alliance of companies, aimed at solving the authentication vulnerabilities that still remained. AFAIK it doesn't accept a software client and requires buying a device, we have a handful of companies that produce a variety of models. It assures privacy as no user identifiable data is sent to server.

It's based on asymmetric encryption, the private key is generated on the device and never leaves it, and each account uses different private key. Data is encrypted between the device and server, therefore anything intercepting the traffic is unable to read it, even if HTTP is used without SSL or TLS.

Of course it has the disadvantage of having to buy a device, which becomes expensive on some places of the world. But as many companies implement FIDO support, this price is diluted among all accounts we secure and over time.

Some ppl say that FIDO is enough and can be used passwordless. Still, most portals I had seen use it as a 2FA and keep the password.