An extra layer of protection for you and your account.

Today, we bring you two-step login: an optional extra layer of protection for your GOG.com account. In the coming weeks, we'll also be making all communication between you and GOG encrypted by default with HTTPS everywhere. Both were often requested on our wishlist, and both are simply smart things to offer.

Two-Step Login
Two-step login is an extra layer of protection for your GOG.com account. Every once in a while, we'll ask you to verify your identity with a 4-character security code sent to your email. Simple stuff.

Two-step login is optional, but we really recommend it. It's designed to bug you only when we notice something unusual, like logging in from a new browser or location. An attacker who has your GOG password but not access to your email account is stopped at the code step, so both are needed to get in. Combined with a unique password for every account, two-step login makes an account takeover far harder.

To enable two-step login, simply head to your Login & Security settings, verify your email address, and enjoy the extra peace of mind. For more information, check out the FAQ.

Additionally, you can now end all of your active GOG.com sessions in one click — this includes every device or browser you ever logged in through. It's a handy feature if you've recently used a public computer, or if you simply want to be sure no device is still logged in to your account.
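The mechanics described in the two paragraphs above, as an added example in Python (this is illustrative code, not GOG's): a login is asked for the e-mail code only when the device cookie is unknown or the country is new; the code is stored hashed, expires, is single-use and allows a bounded number of guesses; and "end all sessions" bumps a per-account generation number so every session issued so far stops validating on every device. The page states only the code length, so the alphabet (A-Z, 0-9), the five-attempt limit and the ten-minute expiry are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumptions: the page says only "4-character security code sent to your email".
CODE_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
CODE_LENGTH = 4
MAX_ATTEMPTS = 5            # guesses allowed per issued code
CODE_TTL_SECONDS = 600      # code is useless after ten minutes

@dataclass
class Challenge:
    code_hash: bytes        # only the hash is kept server side
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS

@dataclass
class Account:
    two_step_enabled: bool = True          # the feature is opt-in
    session_generation: int = 0            # bumped by "end all sessions"
    trusted_devices: set = field(default_factory=set)   # hashes of device cookies
    known_countries: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)         # challenge id -> Challenge

@dataclass
class Session:
    generation: int
    device_cookie: str

def _h(value: str) -> bytes:
    return hashlib.sha256(value.encode()).digest()

def needs_second_step(acct: Account, device_cookie, country: str) -> bool:
    """Step up only on 'something unusual': an unknown device cookie or a new country."""
    if not acct.two_step_enabled:
        return False
    if device_cookie is None or _h(device_cookie) not in acct.trusted_devices:
        return True
    return country not in acct.known_countries

def issue_code(acct: Account, now=None):
    """Create the code that goes out by e-mail; the server keeps only its hash."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
    challenge_id = secrets.token_urlsafe(16)
    acct.pending[challenge_id] = Challenge(_h(code), now + CODE_TTL_SECONDS)
    return challenge_id, code   # returned here only so the caller can mail it

def verify_code(acct: Account, challenge_id: str, submitted: str, now=None) -> bool:
    """Constant-time compare; expired, exhausted or already-used challenges are dropped."""
    now = time.time() if now is None else now
    ch = acct.pending.get(challenge_id)
    if ch is None or now > ch.expires_at or ch.attempts_left <= 0:
        acct.pending.pop(challenge_id, None)
        return False
    ch.attempts_left -= 1
    ok = hmac.compare_digest(ch.code_hash, _h(submitted.strip().upper()))
    if ok or ch.attempts_left == 0:
        acct.pending.pop(challenge_id, None)   # single use; no more guesses past the limit
    return ok

def trust_device(acct: Account, device_cookie: str, country: str) -> None:
    """After a successful code: remember the browser so it is not asked again."""
    acct.trusted_devices.add(_h(device_cookie))
    acct.known_countries.add(country)

def open_session(acct: Account, device_cookie: str) -> Session:
    return Session(acct.session_generation, device_cookie)

def session_valid(acct: Account, session: Session) -> bool:
    return session.generation == acct.session_generation

def end_all_sessions(acct: Account) -> None:
    """The one-click logout: every session issued so far, on every device, stops validating."""
    acct.session_generation += 1
    acct.pending.clear()

def guess_probability(attempts: int = MAX_ATTEMPTS) -> float:
    """Chance that someone holding the password, but not the mailbox, guesses the code."""
    return attempts / len(CODE_ALPHABET) ** CODE_LENGTH

if __name__ == "__main__":
    acct = Account()
    print("fresh browser needs a code:", needs_second_step(acct, None, "PL"))
    cid, code = issue_code(acct)
    print("wrong guess accepted:", verify_code(acct, cid, "????"))
    print("right code accepted:", verify_code(acct, cid, code))
    trust_device(acct, "cookie-1", "PL")
    print("same browser and country asked again:", needs_second_step(acct, "cookie-1", "PL"))
    s = open_session(acct, "cookie-1")
    end_all_sessions(acct)
    print("old session valid after 'end all sessions':", session_valid(acct, s))
    print("guess probability with %d attempts: %.2e" % (MAX_ATTEMPTS, guess_probability()))
```

The attempt limit is the part a practitioner should not skip: with the assumed alphabet there are 36^4 = 1,679,616 possible codes, so five guesses give roughly a three-in-a-million chance, but an unlimited online guessing loop would get through a 4-character code in hours. Trusting a device by the hash of its cookie also explains the behaviour discussed further down the thread: clearing cookies or opening a private window looks like a new browser and triggers the code again.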

HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, and now we're beginning to roll it out globally. That means HTTPS support for every connection between you and GOG.com — all secured with industry-standard encryption. Every bit (and byte) of data that travels between you, us, and everyone on GOG.com will be encrypted, including the store, forum, chat, downloads and even all of GOG Galaxy. It truly is HTTPS everywhere.
GOG.com: It truly is HTTPS everywhere.
catpower1980: Well, everywhere but not here for sure ^o^

Screenshot attached
Good point, that's why we posted "and now we're beginning to roll it out globally". It will be changed step by step, please be patient :)
Elbart: Great feature.

But please tweak the layout of the plain-text mail, e.g. add a linebreak between the code and "MY CODE DOESN'T WORK".

Thanks.
edit: missed the plaintext part...nothing to see here...
Post edited March 07, 2016 by JudasIscariot
songoqu: Good point, that's why we posted "and now we're beginning to roll it out globally". It will be changed step by step, please be patient :)
timppu: Would it be possible to get an option for similar two-step verification, but only if anyone (me or an evil hacker) tries to change the email address or the password of the account?
We think that covering all cases is much safer than only chosen ones, and don't forget that to do those actions you need to re-enter your password.
timppu: I think currently you send an email _after_ someone has changed the password (kind of an information email like "Happy news! Someone has just changed your account password! Hopefully it was you!"), and that is kinda silly because that's too late and doesn't add to the security at all. The action (changing email or password) should be confirmed from the user's email, before approving the action.

Also, I wouldn't mind if GOG informed me by email if someone accesses, or tries to access, the account from e.g. a new IP address, or a different country, or whatever. Keeping the user informed of such activities is good, as I think I should know best in which country I currently am, and whether I am trying to access GOG.com from there.
Thanks for these insights Timppu! We'll of course consider all opinions; the process of improving security is never complete.

timppu: Demanding a security code from email in such case is a definite no-no to me though, as the email I use also demands a two-step verification when abroad. Meaning, I can't even access my damn email from abroad, to get that code.

Sometimes too much security is... too much.
That's why it is available as opt-in, so as not to force any of you to use it.
Cheers
GOG.com: It truly is HTTPS everywhere.
catpower1980: Well, everywhere but not here for sure ^o^

Screenshot attached
I believe that's been fixed :) Note I don't use any HTTPS plugins in Chrome :)
fiiij: I hope the "two-step login" keeps optional. They use it over at Humble Bundle and it annoys the hell out of me, when I switch between my notebook and my desktop.
We won't bug you for entering a code when switching browsers - we will when accessing from a new browser for the first time, or when the cookies were cleared (unfortunately, you could trust our cookies though), or the session expires.

Try it. :)
Post edited March 07, 2016 by Johny.
JudasIscariot: I believe that's been fixed :) Note I don't use any HTTPS plugins in Chrome :)
haydenaurion: I still don't get any https when going to the front main page first, I still have to navigate to the forums first to get https like before. Using Chrome.
Not sure what you can do, log out, clear cookies and cache, log in and see where that gets you?
JudasIscariot: Not sure what you can do, log out, clear cookies and cache, log in and see where that gets you?
haydenaurion: I do that every time and it does nothing. Not sure if it's on my end or not.
Chrome version?
JudasIscariot: Chrome version?
haydenaurion: Yes, on Google Chrome on home desktop.
I meant version as in the version number :)

Mine is, for example, 49.0.2623.75 m

You can find this by going into Settings then About in Chrome :)

edit: in order to solve this now, just write "https://www.gog.com" and you should have https set everywhere :)

Keep in mind that we are rolling out these changes steadily but soon all of our links will be https-ed :)
Post edited March 07, 2016 by JudasIscariot
JudasIscariot: I meant version as in the version number :)

Mine is, for example, 49.0.2623.75 m

You can find this by going into Settings then About in Chrome :)

edit: in order to solve this now, just write "https://www.gog.com" and you should have https set everywhere :)

Keep in mind that we are rolling out these changes steadily but soon all of our links will be https-ed :)
haydenaurion: Updating Chrome didn't fix it, but that link works. Thanks and thank you guys for finally bringing two-step to gog, makes me feel a bit more comfortable after those accounts got stolen during the release of The Witcher 3 and Galaxy.
At least you updated Chrome though :P
wolfsrain: That brings a lot of fun for me... PPPoE with dynamic IP... Will enjoy the spam of my email at least twice a day... I bet you never thought of those types of accounts...
A dynamic IP shouldn't be a reason for a constant two-step code requirement. Did you try it?
Johny.: We won't bug you for entering a code when switching browsers - we will when accessing from a new browser for the first time, or when the cookies were cleared (unfortunately, you could trust our cookies though), or the session expires.

Try it. :)
huan: After more thorough tests, I wonder how that works:
- new private window in FF (equivalent to clearing cookies) - 2FA is required, as expected
- opening Galaxy on another computer for the first time after activating - 2FA is again required
- opening FF with remembered pre-2FA session on the same computer as Galaxy - neither pin nor password is required
- opening Chrome without remembered session (again on computer with Galaxy) - pin is required

Only thing that could explain (3) that comes to mind is that Galaxy injects the cookie into other browsers it finds installed, and maybe steals their cookie if it is already there. But that doesn't explain why in (4) standalone chrome wants a pin, along with password.

Not complaining, just curious. I have no problem with giving cookie exception to *.gog.com.
Nope, Galaxy does not inject any cookies or other things into anyone's browsers AFAIK.
See, if your session is intact (not expired, not cleared, no private window) you're not required to input code from email. For me your examples make sense without any injection. :)
skeletonbow: If you do not permit a website to set cookies, then it can't remember who you are and you are a stranger next time/every time.
vv221: Rest assured that when they want to send you targeted advertising they have *lots* of other methods than dropping a cookie ;)
Yup - this one is very interesting: https://github.com/Valve/fingerprintjs2 - you create a fingerprint out of user data like screen resolution, supported fonts, supported features (WebGL for example) etc. They are so unique that you can rely on them and pair user fingerprints with their account. It can basically get the same fingerprint in private mode, or after clearing cookies, and identify you.

Sooo... Cookies and localStorage (many users are not aware of this one either) are not everything. :)

I was once very surprised when an internet shop sent me an email after I'd added an item to the cart and didn't complete the order - and I wasn't logged in when doing that. (like - "hey, what happened? come on, maybe you would like to buy it?")
I'd created an account there several months before to buy something. But I don't clear cookies/localStorage at all - I like having it and letting sites use it - personally.
Post edited March 11, 2016 by Johny.
SmashManiac: Yes! It's about time to see GOG finally starting to implement some decent security. There's still some obvious work to do though: https://www.ssllabs.com/ssltest/analyze.html?viaform=on&d=www.gog.com
Could you check it again? [A-]
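An added check, in Python with only the standard library (example code, not GOG's and not the SSL Labs test), for the two things the thread kept running into: haydenaurion's report that typing the front page did not land on https until a link was followed, and the "HTTPS everywhere" claim in the announcement. A site that means it answers plain http with a permanent redirect to https, and its https responses carry Strict-Transport-Security so a browser that once saw the site never starts over http again. The six-month floor for max-age is an assumption, the responses in the demo are constructed, and the live helper only contacts a server when you call audit() yourself. The SSL Labs grade SmashManiac linked is about TLS configuration (protocol versions, cipher suites, certificate chain); this check covers the redirect and HSTS layer, not the cipher configuration.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Assumption: six months is the smallest max-age worth calling "HTTPS everywhere".
MIN_HSTS_MAX_AGE = 180 * 24 * 3600
REDIRECT_CODES = (301, 302, 307, 308)

def _header(headers: dict, name: str):
    """Case-insensitive header lookup (servers vary in capitalisation)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None

def check_http_entry(status: int, headers: dict) -> list:
    """A plain http://host/ request should answer with a permanent redirect to https."""
    findings = []
    location = _header(headers, "Location")
    if status not in REDIRECT_CODES or not location:
        findings.append("plain http served content instead of redirecting to https")
        return findings
    # A relative Location keeps the current (http) scheme, so it is flagged as well.
    if urlsplit(location).scheme != "https":
        findings.append(f"redirect target is not https: {location}")
    if status in (302, 307):
        findings.append("redirect is temporary; clients will keep starting over plain http")
    return findings

def parse_hsts(value: str):
    """Return (max_age, include_subdomains, preload), or None if max-age is not a number."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return max_age, include_sub, preload

def check_https_response(headers: dict) -> list:
    """The https response should carry HSTS so the browser never tries http again."""
    findings = []
    raw = _header(headers, "Strict-Transport-Security")
    if raw is None:
        findings.append("no Strict-Transport-Security header; the next typed URL starts over http")
        return findings
    parsed = parse_hsts(raw)
    if parsed is None or parsed[0] is None:
        findings.append(f"malformed Strict-Transport-Security header: {raw!r}")
        return findings
    max_age, include_sub, _ = parsed
    if max_age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {max_age} is below {MIN_HSTS_MAX_AGE}")
    if not include_sub:
        findings.append("HSTS lacks includeSubDomains; other hosts under the domain stay unprotected")
    return findings

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # surface the 3xx instead of following it

def fetch_one_hop(url: str):
    """Live helper (not used by the offline checks): one request, redirects not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:   # a 3xx arrives here once redirects are disabled
        return err.code, dict(err.headers)

def audit(host: str) -> list:
    """Run both checks against a live host; needs network access."""
    findings = check_http_entry(*fetch_one_hop(f"http://{host}/"))
    findings += check_https_response(fetch_one_hop(f"https://{host}/")[1])
    return findings

if __name__ == "__main__":
    # Constructed sample responses, so the checks can be read without a network.
    print(check_http_entry(200, {"Content-Type": "text/html"}))
    print(check_http_entry(302, {"Location": "http://www.example.com/"}))
    print(check_https_response({"Strict-Transport-Security": "max-age=3600"}))
    print(check_https_response({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
```

Run audit() only against a host you are responsible for. The first sample above is exactly the symptom reported in the thread: an http front page that returns content rather than a redirect, so the user stays on http until some link happens to point at an https URL.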