An extra layer of protection for you and your account.

Today, we bring you two-step login: an optional extra layer of protection for your GOG.com account. In the coming weeks, we'll also be making all communication between you and GOG encrypted by default with HTTPS everywhere — both methods often requested on our wishlist, but also simply pretty smart to offer.




Two-Step Login
Two-step login is an extra layer of protection for your GOG.com account. Every once in a while, we'll ask you to verify your identity with a 4-character security code sent to your email. Simple stuff.

Two-step login is optional, but we really recommend it. It's designed to bug you only when we notice something unusual — like logging in from a new browser or location. By doing this, we make sure that there's no way to gain unauthorized access to your GOG.com account without both your GOG password and your email account. When used to its full potential with unique passwords for every account, two-step login can be virtually impenetrable.

To enable two-step login, simply head to your Login & Security settings, verify your email address, and enjoy the extra peace of mind. For more information, check out the FAQ.
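The flow described above (a code is requested only when the browser or location is new) can be sketched as follows; this is an added example, not GOG's implementation. The alphabet, code lifetime, attempt limit and all names are assumptions chosen for illustration, and they matter because a 4-character code has a small keyspace.

```python
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # assumed: 32 symbols, no look-alikes
CODE_LEN = 4         # from the announcement: a 4-character code
TTL_SECONDS = 600    # assumed lifetime of a code
MAX_ATTEMPTS = 5     # assumed; 32**4 is only ~1 million codes, so guesses must be capped


class TwoStepLogin:
    def __init__(self, send_email, clock=time.time):
        self.send_email = send_email   # callable(user, code), hypothetical mail hook
        self.clock = clock
        self.known = {}     # user -> set of (browser_id, country) already verified
        self.pending = {}   # user -> [code, expires_at, attempts_left, context]

    def login(self, user, browser_id, country):
        """Call only after the password check has succeeded."""
        ctx = (browser_id, country)
        if ctx in self.known.get(user, set()):
            return "ok"                       # familiar browser and location
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self.pending[user] = [code, self.clock() + TTL_SECONDS, MAX_ATTEMPTS, ctx]
        self.send_email(user, code)
        return "code_required"

    def verify(self, user, submitted):
        entry = self.pending.get(user)
        if entry is None:
            return False
        code, expires_at, _, ctx = entry
        if self.clock() > expires_at:
            del self.pending[user]            # expired codes are discarded
            return False
        entry[2] -= 1                         # count the attempt before comparing
        if hmac.compare_digest(code.encode(), submitted.upper().encode()):
            del self.pending[user]            # single use
            self.known.setdefault(user, set()).add(ctx)
            return True
        if entry[2] == 0:
            del self.pending[user]            # out of guesses: a new login is needed
        return False
```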




Additionally, you can now end all of your active GOG.com sessions in one click — this includes every device or browser you ever logged in through. It's a handy feature if you've recently used a public computer, or if you simply want to be sure no device is still logged in to your account.







HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, and now we're beginning to roll it out globally. That means HTTPS support for every connection between you and GOG.com — all secured with industry-standard encryption. Every bit (and byte) of data that travels between you, us, and everyone on GOG.com will be encrypted, including the store, forum, chat, downloads and even all of GOG Galaxy. It truly is HTTPS everywhere.
DreamedArtist: This is not a phone two-step? Why did you choose email instead of phone text the code? It is a lot more secure and harder to break into.
Because your email should be tied to your phone with 2 step.

hedwards: Probably because it's basically free to email a code, but you have to pay to send texts.
It's free/included under most plans here. If you're living in poverty you get a free Obamaphone with unlimited calls, texting, and data as well so money isn't even a factor anymore.
nigelbeans: I'm aware of Yahoo's disposable email address system which is OK for unique email addresses. I'd like to ask you, is there another solution which you'd recommend? I'm pretty curious on this one...
There are email forwarding services that allow you to create unique email addresses without them being throw-away ones.



johnnygoging: You're surprised that the thing they're dumping money into developing, the thing that's under heavy development (side note I am beginning to really hate this word), is getting the new features first?

[...]
Except that I didn't express any sort of surprise.
hedwards: Probably because it's basically free to email a code, but you have to pay to send texts.
MaximumBunny: It's free/included under most plans here. If you're living in poverty you get a free Obamaphone with unlimited calls, texting, and data as well so money isn't even a factor anymore.
No, that's not really true. Yes, people's plans generally include that, but that doesn't make it free to send them. What's more, they'd have to find a way of offering it in a rather large number of countries.
Thank you for adding HTTPS Everywhere.

Would it be difficult to add support for unicode characters in passwords?
Would that possibly be overkill for password strength?
Great Features! Thank you, GOG Team ^_^
Ixamyakxim: I still say the perfect solution is to paygate the forum. No posting in the general forum until you've purchased a full priced game on GoG.
Starmaker: Perfect solution for what problem? People are hacking into, stealing and reselling accounts with paid games. Buying games off promo doesn't magically make the account harder to hack. If you have an irrational hatred of people who wait for discounts to the point you want them banned from the forums, go see a shrink.
Starmaker:
My problem was with Alts, not paying for discounted games. I was just coming up with an (arbitrary) number for the paygate, beyond letting an Alt account buy a .99 game. I thought the base (in my region) price was a fair one. I still think it is pretty decent and we know GoG has the means to track how much an account spends to "unlock" something (see the last few sales) even if it isn't in a single transaction. So I still think it's a decent solution.

The problem the paygate DOESN'T address is people who steal CCs, buy GoG codes and then sell them. But I look at GoGs existing solution to that problem as a fair one - revoke the stolen good from the receiving account. If you think buying games on a third party reseller site for half the price isn't shady, then learn the term "Caveat Emptor." I know if you do that in the "real world" you'd be learning the term "Receiving Stolen Goods."

I do think this current action is a good one for helping with the issue you bring up (hacking and reselling accounts). I know I always tried to be proactive with that myself by 1) not joining any more websites than I have to 2) not sharing account names and or passwords - because the second you do that, you essentially open yourself up to being hacked on multiple fronts, where the weakest link is always the weakest website's security. When your Steam Account, Sony Account, Microsoft Account, Retail Store X, Y, and Z account, MMO of the month account and 3 game website accounts share the same persona and password you're going to be in trouble.

I refuse to believe that the vast majority of these are brute force attacks on one account. And when they are, it's probably more a case where the individual is targeted (User Trollz pisses off User Le3tHaxZkillz and next thing, bang - account hijacked).

I'm guessing the rash of hacked accounts here from a year or so ago was due to a more widespread hack, where an intrepid group was able to pull a bunch of username / passwords and then attempt to apply them over a wide group of similar sites (hack an MMO or 3, hack a game company / site etc then try using those to grab steam / origin / gog / ubi etc accounts).
rtcvb32: I would think it's optional when not logged in... maybe.

But with PRISM and so many sources trying to steal any and all non-encrypted communication...

Suddenly I'm reminded of that one Episode on The Next Generation, where the crew are visiting a race far more advanced than them (to fix their hyper drive?) and they commented how all communication was heavily encrypted.

TNG, predicting the need for encryption before the internet was popular!
Steam allows both modes when logged in. I hope to see similar feature on GOG.
Thanks for enabling HTTPS properly :)
Post edited March 08, 2016 by shmerl
shmerl: Thanks for enabling HTTPS properly :)
This must be a good day for you especially! I think you were one of the people who brought it to my (and many other users') attention initially! Keep up the good work (and you too GoG!).
shmerl: Thanks for enabling HTTPS properly :)
Ixamyakxim: This must be a good day for you especially! I think you were one of the people who brought it to my (and many other users') attention initially! Keep up the good work (and you too GoG!).
Yeah, I've been waiting for a while for this, though HTTPSeverywhere rule worked pretty well for GOG. Hopefully there won't be a need for it anymore :)
Post edited March 08, 2016 by shmerl
Fantastic. It's about time, too. There's no reason not to enable it in this day and age, if you ask me.
This is a great update. Thank you GOG, security is very important in this day and age.
Azhdar: Steam allows both modes when logged in. I hope to see similar feature on GOG.
Really curious, why do you want to stay on http?
As pointed out by timppu and mrkgnao among others, it's a half-assed solution and unfortunately not very useful in its current incarnation. I'll wait for improvements...
I'm too lazy to read through the entire thread, so this has likely been mentioned. But I want to add in my support for 2 factor authentication each time you log in and not only "some" of the time. Because this still leaves you vulnerable to attacks. But, it's a step in the right direction. And it's good that you made it optional, in case some folks don't want it for their personal reasons.