An extra layer of protection for you and your account.

Today, we bring you two-step login: an optional extra layer of protection for your GOG.com account. In the coming weeks, we'll also be making all communication between you and GOG encrypted by default with HTTPS everywhere — both methods often requested on our wishlist, but also simply pretty smart to offer.




Two-Step Login
Two-step login is an extra layer of protection for your GOG.com account. Every once in a while, we'll ask you to verify your identity with a 4-character security code sent to your email. Simple stuff.

Two-step login is optional, but we really recommend it. It's designed to bug you only when we notice something unusual — like logging in from a new browser or location. By doing this, we make sure that there's no way to gain unauthorized access to your GOG.com account without both your GOG password and your email account. When used to its full potential with unique passwords for every account, two-step login can be virtually impenetrable.

To enable two-step login, simply head to your Login & Security settings, verify your email address, and enjoy the extra peace of mind. For more information, check out the FAQ.




Additionally, you can now end all of your active GOG.com sessions in one click — this includes every device or browser you ever logged in through. It's a handy feature if you've recently used a public computer, or if you simply want to be sure no device is still logged in to your account.







HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, and now we're beginning to roll it out globally. That means HTTPS support for every connection between you and GOG.com — all secured with industry-standard encryption. Every bit (and byte) of data that travels between you, us, and everyone on GOG.com will be encrypted, including the store, forum, chat, downloads and even all of GOG Galaxy. It truly is HTTPS everywhere.
Sounds good, thanks GOG staff!
Awesome. From someone that takes security very seriously, congratulations on strengthening it.
At last GOG, you got serious in the safety department and for that I applaud you. It should already have been done years before, or at the very least when the stolen account incidents began, but better late than never. Cheers! :)
GOG.com: Two-step login is optional
THANK! YOU!

I'll keep it off for now because I hate having to re-enter that code several times a day to access GOG, just because I choose to automatically delete cookies when I close my browser. I hate that re-entering of email code in e.g. Humble Bundle, not sure if it can be disabled there too somewhere.

I'd rather use separate passwords so that no evil-doers can get it from some other bullshit site just because I've used the same email + password there. That is my security measure.

At the same time, I have a suggestion: give also an option for that two-step verification code if anyone tries to:

1. change my account's password

2. change my account's email address

THOSE are where I personally want this two-step verification, ok? Not every time I log in with a clean (no cookies) browser, ok ok?


Leroux: The problem is that this "unusual" behavior seems to be the default for me. It's like that on Humble, I need to enter a code EVERY time I log in because apparently I'm always using a "new" browser when I start a new browser session. Not sure if this is to do with me regularly cleaning out cache and cookies, or dynamic IP or whatever ... :/
Same here. I've set Firefox to always clear everything (offline data, history, any saved passwords (=none), cookies etc.) when I close the browser. This gives me clear benefits on many sites, and also makes sure no one else happening to use the same browser on the same machine can accidentally log in as me to here or anywhere else. That's the way I want it and that's the way it is.

I hate logging into Humble Bundle pages now, always have to login also to my damn email to get and enter the security code. Good thing I hang around there less and less nowadays.
Post edited March 07, 2016 by timppu
*Verify it's disabled*

*Ok, it is*

*Don't want to be bored by useless "security" stuff*

*Don't want to be "tracked" for my "own sake"*

*I'm already aware that I'm responsible for my account, whatever happens*
Nirth: Most likely cookies. I rarely clean cookies from sites I visit usually or trust and I never get that question from those sites. I suggest keeping cookies from sites you trust.
I've routinely set all my (Firefox) browsers to clean/delete cookies, history, saved passwords etc. etc. etc. whenever I close it, ever since a friend of mine wanted to log in to his email using my PC and browser. He closed the browser but forgot to log out from his email. What do you know, I could instantly log into his account when I started the browser later, and see his emails.

Similarly, I presume my wife could log into GOG.com as me, if I forgot to log out and she wanted to check fast something with the same browser. Hence, better to just wipe it all automatically, just to be sure. Even merely logging out from GOG isn't enough because even then my wife could see what user I am, if she happened to end up to GOG.com and push the login button (because then GOG will automatically show the last user who had logged in from this browser). And we can't have that.

YMMV.
Post edited March 07, 2016 by timppu
The-Business: Finally, nobody with access to my traffic can see anymore if I am looking at the game page of a serious city building and management game or Huniepop. *cough*

Edit: Would also prefer TOTP.
And no one can inject malicious javascript or content into that connection. Privacy isn't the only thing gained.
Great feature, thanks GoG.
songoqu: Good point, that's why we posted "and now we're beginning to roll it out globally". It will be changed step by step, please be patient :)
Sorry to keep repeating this, but since you are staff and apparently related to these new security features:

Would it be possible to get an option for similar two-step verification, but only if anyone (me or an evil hacker) tries to change the email address or the password of the account?

I personally don't want to have to enter a verification code every time I log in from a clean browser (no cookies), but I would very much like to have that extra security measure for those two actions. You currently give only an option for "all or nothing", but I'd like to cherry-pick what exactly I want to trigger the two-step verification.

I think currently you send an email _after_ someone has changed the password (kind of an information email like "Happy news! Someone has just changed your account password! Hopefully it was you!"), and that is kinda silly because that's too late and doesn't add to the security at all. The action (changing email or password) should be confirmed from the user's email, before approving the action.

Also, I wouldn't mind if GOG informs me to the email if someone accesses, or tries to access, the account from e.g. a new IP address, or a different country, or whatever. Keeping the user informed of such activities is good as I think I should know the best in which country I currently am, and whether I am trying to access GOG.com from there.

Demanding a security code from email in such case is a definite no-no to me though, as the email I use also demands a two-step verification when abroad. Meaning, I can't even access my damn email from abroad, to get that code.

Sometimes too much security is... too much.
Post edited March 07, 2016 by timppu
GOG.com: ...snip
Hang on here. Can I check, I have my browsers set to clear the cache on close shutdown, will this mean that I have to have a code sent to my email to logon every time I want to use the site? I am all for two stage authentication when it is something which can affect the account, i.e. changing user information, but just logging into the site?
In the coming weeks, we'll also be making all communication between you and GOG
YES?
encrypted by default with HTTPS everywhere
Oh...
HTTPS: Very good, should be default not only for GOG but really everywhere.

Two-Factor-Authentication: Very good in principle. But the way it is implemented right now really is *not*!
As has already been mentioned, I remove my cookies, etc. as well and have to do this stupid verification at HumbleBundle *every* time I login there telling me that I am using a different browser which is just not true!

Why not use a *good* Two-Factor-Authentication?
There are already better ways to do this. Look at GitHub for example.

I would gladly be able to use my YubiKey here as well. (But this is of course not required here.)

The current implementation will have to stay disabled at least for me.

Is anyone from GOG reading this, or should I write a support mail?
The-Business: Finally, nobody with access to my traffic can see anymore if I am looking at the game page of a serious city building and management game or Huniepop. *cough*

Edit: Would also prefer TOTP.
sqlrob: And no one can inject malicious javascript or content into that connection. Privacy isn't the only thing gained.
Definitely. Privacy is hugely important just in its own right, but why do people not realize that better privacy = better security?
I love this added feature. Thank you for offering this, GOG! :)

In the coming weeks, we'll also be making all communication between you and GOG
Cyraxpt: YES?

encrypted by default with HTTPS everywhere
Cyraxpt: Oh...
What were you hoping?