An extra layer of protection for you and your account.

Today, we bring you two-step login: an optional extra layer of protection for your GOG.com account. In the coming weeks, we'll also be making all communication between you and GOG encrypted by default with HTTPS everywhere — both methods often requested on our wishlist, but also simply pretty smart to offer.

Two-Step Login
Two-step login is an extra layer of protection for your GOG.com account. Every once in a while, we'll ask you to verify your identity with a 4-character security code sent to your email. Simple stuff.

Two-step login is optional, but we really recommend it. It's designed to bother you only when we notice something unusual, such as a login from a new browser or location. That means nobody can get into your GOG.com account with your password alone: they would also need access to your email account. Combined with a unique password for every site you use, so that a password leaked elsewhere is useless here, two-step login makes taking over your account a great deal harder.

To enable two-step login, simply head to your Login & Security settings, verify your email address, and enjoy the extra peace of mind. For more information, check out the FAQ.

Additionally, you can now end all of your active GOG.com sessions in one click, which covers every device or browser you have ever logged in from. It's a handy feature if you've recently used a public computer, or if you simply want to be sure no device is still logged in to your account.
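The two features above, as an added example that is not GOG's code: a minimal risk-based two-step login that emails a short code only when the browser or coarse location is unfamiliar, and a one-click "end all sessions" that invalidates every session at once. The code length matches the post; the expiry, the guess limit, the device cookie, the country field and the in-memory stores are assumptions made for the example.

```python
# Added example, not GOG's code: a minimal risk-based two-step login of the
# kind the post describes (emailed short code on an unfamiliar browser or
# location), plus the one-click "end all sessions" feature. Limits, names
# and the in-memory stores are assumptions.
import hashlib
import hmac
import secrets
import string
import time
from typing import Optional, Tuple

CODE_ALPHABET = string.ascii_uppercase + string.digits  # 36**4 = 1,679,616 codes
CODE_LENGTH = 4
CODE_TTL_SECONDS = 600   # assumption: emailed code is valid for 10 minutes
MAX_CODE_ATTEMPTS = 5    # assumption: a 4-character code needs a hard guess limit


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 for the stored password; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    def __init__(self, email: str, password: str):
        self.email = email
        self.salt, self.pw_digest = hash_password(password)
        self.trusted_devices = set()      # device cookies that have passed step two
        self.last_country = None          # coarse location of the last successful login
        self.session_epoch = 0            # bumped by end_all_sessions()
        self.pending = None               # outstanding emailed code, if any


class Session:
    def __init__(self, email: str, epoch: int):
        self.email = email
        self.epoch = epoch                # valid only for the epoch it was issued in
        self.token = secrets.token_urlsafe(32)


class LoginService:
    def __init__(self):
        self.outbox = []                  # constructed stand-in for sending email

    def _password_ok(self, acct: Account, password: str) -> bool:
        _, digest = hash_password(password, acct.salt)
        return hmac.compare_digest(digest, acct.pw_digest)

    def _issue_session(self, acct: Account, device_id: str, country: str) -> Session:
        acct.trusted_devices.add(device_id)
        acct.last_country = country
        return Session(acct.email, acct.session_epoch)

    def login(self, acct: Account, password: str, device_id: str, country: str):
        """Step one. Returns ("ok", Session), ("code_required", None) or ("denied", None)."""
        if not self._password_ok(acct, password):
            return "denied", None
        unusual = device_id not in acct.trusted_devices or country != acct.last_country
        if not unusual:
            return "ok", self._issue_session(acct, device_id, country)
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        acct.pending = {"code": code, "device": device_id, "country": country,
                        "expires": time.time() + CODE_TTL_SECONDS,
                        "attempts_left": MAX_CODE_ATTEMPTS}
        self.outbox.append((acct.email, code))   # a real service sends the email here
        return "code_required", None

    def verify_code(self, acct: Account, device_id: str, guess: str):
        """Step two. Returns ("ok", Session), ("wrong", None) or ("expired", None)."""
        p = acct.pending
        if p is None or time.time() > p["expires"]:
            acct.pending = None
            return "expired", None
        if device_id != p["device"]:
            return "wrong", None          # the code only works in the browser that triggered it
        guess = "".join(c for c in guess.upper() if c in CODE_ALPHABET)  # normalise user input
        if not hmac.compare_digest(p["code"], guess):
            p["attempts_left"] -= 1
            if p["attempts_left"] == 0:
                acct.pending = None       # code burned; step one must be repeated for a new one
            return "wrong", None
        acct.pending = None
        return "ok", self._issue_session(acct, device_id, p["country"])

    def session_valid(self, acct: Account, session: Session) -> bool:
        return session.email == acct.email and session.epoch == acct.session_epoch

    def end_all_sessions(self, acct: Account) -> None:
        """The one-click "end all sessions" button: every issued Session stops validating."""
        acct.session_epoch += 1
        acct.trusted_devices.clear()      # the next login from any browser asks for a code again
```

Two points the post does not spell out but a practitioner would check: a 4-character code is only safe because the guess limit burns it after a handful of attempts, and the per-account epoch is what makes "end all sessions" atomic without having to enumerate every cookie ever issued. Step one should be rate-limited as well, since anyone holding the password can otherwise request fresh codes indefinitely.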

HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, and now we're beginning to roll it out globally. That means HTTPS support for every connection between you and GOG.com — all secured with industry-standard encryption. Every bit (and byte) of data that travels between you, us, and everyone on GOG.com will be encrypted, including the store, forum, chat, downloads and even all of GOG Galaxy. It truly is HTTPS everywhere.
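"HTTPS everywhere" is more than a certificate on every host: plain-HTTP requests must be redirected, the browser must be told to stay on HTTPS (HSTS), and session cookies must never be sent over plain HTTP. The following check, added here and not GOG's code, runs those tests over a captured response, together with the hardening headers a commenter below points to (securityheaders.io). The sample responses are constructed, and the max-age threshold and required header list are assumptions.

```python
# Added example, not GOG's code: checks a captured HTTP exchange for what
# "HTTPS everywhere" needs beyond a valid certificate: plain-HTTP requests
# redirected to https://, HSTS with a meaningful max-age, session cookies
# flagged Secure and HttpOnly, and the usual hardening headers. The sample
# responses below are constructed, and the thresholds are assumptions.
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

MIN_HSTS_MAX_AGE = 15_552_000   # 180 days; assumption
REQUIRED_HEADERS = ("Content-Security-Policy", "X-Content-Type-Options", "X-Frame-Options")


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw response into its status code and a list of (name, value) headers."""
    lines = raw.strip("\n").split("\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def header(headers, name: str) -> Optional[str]:
    return next((v for n, v in headers if n == name.lower()), None)


def check_https_everywhere(request_scheme: str, raw_response: str) -> List[str]:
    """Return a list of findings; an empty list means the response passed."""
    findings = []
    status, headers = parse_response(raw_response)

    if request_scheme == "http":
        location = header(headers, "Location") or ""
        if not (300 <= status < 400 and urlsplit(location).scheme == "https"):
            findings.append("plain-HTTP request not redirected to https://")
        return findings                     # the remaining checks apply to the HTTPS response

    hsts = header(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        directives = {}
        for part in hsts.split(";"):
            key, _, value = part.partition("=")
            directives[key.strip().lower()] = value.strip()
        max_age = int(directives.get("max-age") or 0)
        if max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")

    for cookie in (v for n, v in headers if n == "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} is not Secure")   # would also be sent over plain HTTP
        if "httponly" not in attrs:
            findings.append(f"cookie {name} is not HttpOnly")

    for name in REQUIRED_HEADERS:
        if header(headers, name) is None:
            findings.append(f"missing {name}")
    return findings


# Constructed sample responses (not captured from GOG.com).
HTTP_REDIRECT = "HTTP/1.1 301 Moved Permanently\nLocation: https://www.example.com/\n"
HTTP_PLAIN_200 = "HTTP/1.1 200 OK\nContent-Type: text/html\n"
HTTPS_WEAK = (
    "HTTP/1.1 200 OK\n"
    "Content-Type: text/html\n"
    "Set-Cookie: sessionid=abc123; Path=/\n"
)
HTTPS_HARDENED = (
    "HTTP/1.1 200 OK\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\n"
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\n"
    "Content-Security-Policy: default-src 'self'\n"
    "X-Content-Type-Options: nosniff\n"
    "X-Frame-Options: DENY\n"
)

if __name__ == "__main__":
    for label, scheme, raw in [("http redirect", "http", HTTP_REDIRECT),
                               ("https weak", "https", HTTPS_WEAK),
                               ("https hardened", "https", HTTPS_HARDENED)]:
        print(label, "->", check_https_everywhere(scheme, raw) or "OK")
```

The accepted TLS versions that another commenter raises are a handshake property and do not show up in headers; probe them separately, for instance with `openssl s_client -connect host:443 -tls1`, which a properly configured server refuses.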
I haven't tried; is changing the email address on an account still zero-confirmation? Two-step is useless if it is!
great, now can we finally get paygate for forum access???
Also, you still allow connections from some older, insecure versions of TLS. Nice start, though.


Edit: Yep, email change is still zero-conf. Once this gets fixed, GOG's security will actually be industry standard and on par with good practices of the 21st century.
Post edited March 07, 2016 by TheJoe
Wonderful news. :-) I think it would be sensible to fix your headers right away, too. (See securityheaders.io)
Post edited March 07, 2016 by matterwave
HypersomniacLive: Thanks for doing something to strengthen the security of the site.

As others have already said, the way Two Step Login is being implemented, it will remain unused by me. I clear my browser(s) of everything at the end of each session, and I don't see me changing this routine.
I also use unique email addresses and passwords for each and every site I've got an account with, so if my GOG account ever gets hacked, there will be no doubt that it was a breach of GOG's own security.

The HTTPS everywhere is very welcome, even if this late. I couldn't wait for you to finally implement it, so I've been using the HTTPS Everywhere add-on for ages now, forcing all your pages to open over a secure connection. Will see how well it works without the add-on.
GOG.com: [...]

HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, [...]
HypersomniacLive: Nice to see, for one more time, where your priorities lie, cheers.
You're surprised that the thing they're dumping money into developing, the thing that's under heavy development (side note I am beginning to really hate this word), is getting the new features first?

Versus the thing that's old, stable, likely built using methods that have since fallen out of favour in that workplace and on technology which may or may not break when combined with newer third-party glue/back-end technology, and riddled with unlikely curve-ball code that once made sense and solved problems of a temporal nature but which now is a recipe for ye olde unexplainable bug.

ps: fuck yeah gog guard! *pelvic thrusting*
Post edited March 07, 2016 by johnnygoging
This is not a phone two-step? Why did you choose email instead of texting the code to a phone? It is a lot more secure and harder to break into.
Good deal. Though I'll also throw another vote on the pile for having 2FA applied to any attempted changes to the log-in password and the associated e-mail address. I would even go so far as to say that needing to confirm those changes should be mandatory.

Also, a heads-up: Somebody borked the hyperlink under item #5 in the English version of the Two-Step Login FAQ. Might wanna fix it. ;)
All I know is that I feel a lot safer knowing that I no longer have to worry about someone breaking into my account and getting pimpmonkey's credit card number.
tinyE: All I know is that I feel a lot safer knowing that I no longer have to worry about someone breaking into my account and getting pimpmonkey's credit card number.
I would be much more worried about the FBI breaking into your house because of those nuke blueprints that I saw in your room!
your identity will be verified through your email address whenever you log in from a new device, browser and/or location
Question... My internet provider loves resetting my IP every few days; does this mean every few days I'd have to re-verify? Or is that verification saved in a cookie on my local machine?

Depends on how strictly or loosely 'location' is defined.
Not perfect, but better than nothing. As with any security system it can be cracked by a determined enough person, but it makes a good deterrent.
Two-step login is optional
Is "HTTPS everywhere" optional too?
tinyE: All I know is that I feel a lot safer knowing that I no longer have to worry about someone breaking into my account and getting pimpmonkey's credit card number.
apehater: I would be much more worried about the FBI breaking into your house because of those nuke blueprints that I saw in your room!
I got those from a box of Cracker-Jacks.
senbon: This is excellent news. Cheers!

EDIT.
It might also be a good idea to add an optional number pad so the user can use mouse clicks to enter the security code. Could help reduce the effect of keyloggers.
ctrl + c > ctrl + v
GOG, you never cease to amaze me.