An extra layer of protection for you and your account.

Today, we bring you two-step login: an optional extra layer of protection for your GOG.com account. In the coming weeks, we'll also be making all communication between you and GOG encrypted by default with HTTPS everywhere — both methods often requested on our wishlist, but also simply pretty smart to offer.




Two-Step Login
Two-step login is an extra layer of protection for your GOG.com account. Every once in a while, we'll ask you to verify your identity with a 4-character security code sent to your email. Simple stuff.

Two-step login is optional, but we really recommend it. It's designed to bug you only when we notice something unusual — like logging in from a new browser or location. By doing this, we make sure that there's no way to gain unauthorized access to your GOG.com account without both your GOG password and your email account. When used to its full potential with unique passwords for every account, two-step login can be virtually impenetrable.

To enable two-step login, simply head to your Login & Security settings, verify your email address, and enjoy the extra peace of mind. For more information, check out the FAQ.




Additionally, you can now end all of your active GOG.com sessions in one click — this includes every device or browser you ever logged in through. It's a handy feature if you've recently used a public computer, or if you simply want to be sure no device is still logged in to your account.







HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, and now we're beginning to roll it out globally. That means HTTPS support for every connection between you and GOG.com — all secured with industry-standard encryption. Every bit (and byte) of data that travels between you, us, and everyone on GOG.com will be encrypted, including the store, forum, chat, downloads and even all of GOG Galaxy. It truly is HTTPS everywhere.
Well, it's good that HTTPS is everywhere ... Now you only need to make it secure, as key exchange is not in your current configuration (lacks forward secrecy, which can be added fairly easily using DHE/ECDHE key exchange) and also use insecure ciphers (RC4) and even secure ones are not used in max security mode (GCM for AES); not to mention other small settings that even in current state can improve security (Key-Pinning).
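The three configuration points raised in the comment above (no forward secrecy, RC4 enabled, AES not offered in GCM mode), as an added Python example that is not part of the original post: it audits an ordered list of OpenSSL-style cipher suite names and derives a hardened ordering. The suite list is a constructed sample, not GOG.com's actual configuration, and the function names are hypothetical.

```python
from dataclasses import dataclass

# Ephemeral (EC)DH key exchange prefixes in OpenSSL suite names.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")

@dataclass(frozen=True)
class Suite:
    name: str
    forward_secrecy: bool
    rc4: bool
    aead: bool

def classify(name):
    """Classify one suite by its OpenSSL name (TLS 1.2 or TLS 1.3 style)."""
    tls13 = name.startswith("TLS_")   # TLS 1.3 suites are always ephemeral + AEAD
    parts = name.replace("_", "-").split("-")
    return Suite(
        name=name,
        forward_secrecy=tls13 or name.startswith(FS_PREFIXES),
        rc4="RC4" in parts,
        # The comment names GCM; ChaCha20-Poly1305 is counted as AEAD too.
        aead=tls13 or "GCM" in parts or "CHACHA20" in parts,
    )

def audit(server_order):
    """Return the suites that fail each of the three checks."""
    suites = [classify(n) for n in server_order]
    return {
        "no_forward_secrecy": [s.name for s in suites if not s.forward_secrecy],
        "rc4": [s.name for s in suites if s.rc4],
        "non_aead": [s.name for s in suites if not s.aead and not s.rc4],
    }

def harden(server_order):
    """Drop RC4 and non-forward-secret suites, then prefer AEAD (stable sort)."""
    keep = [s for s in map(classify, server_order)
            if s.forward_secrecy and not s.rc4]
    return [s.name for s in sorted(keep, key=lambda s: not s.aead)]

# Constructed sample of a weak server preference order.
WEAK = ["RC4-SHA", "AES128-SHA", "AES256-SHA",
        "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print(audit(WEAK))
    print(":".join(harden(WEAK)))   # usable as an OpenSSL cipher string
```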
Nice improvements. I hope more of that sort is to come and I hope the development of GOG Galaxy will speed up a bit this year.
Gog! You should add https to links from news (or auto forwarding to https).

My office network for some reason blocks gog over http and not https and I have a long history of adding prefix manually :)
HypersomniacLive: Really curious, why do you want to stay on http?
Slower.

For normal browsing without any sensitive data, http will do just fine. At least for me.
godunow: Gog! You should add https to links from news (or auto forwarding to https).

My office network for some reason blocks gog over http and not https and I have a long history of adding prefix manually :)
If you find links that are still http, report them in the "What did just break?" thread. Sounds like you might want to consider using a web browser extension to force HTTPS on sites that support it perhaps. The EFF's "HTTPS-Everywhere" extension works quite well.

https://www.eff.org/https-everywhere
https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/
https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp?hl=en
Sorry I missed this reply earlier (no reply flag?):

timppu: Would it be possible to get an option for similar two-step verification, but only if anyone (me or an evil hacker) tries to change the email address or the password of the account?
songoqu: We think that covering all cases is much safer than only chosen ones, and don't forget that to do those actions you need to re-enter your password.
Covering all cases adds even more security, true, but for many of us it also causes so much extra inconvenience that we are forced to keep the whole new feature disabled, which is a shame in itself as we want to feel secure too. :)

My meaning was not to suggest to remove this current option. I'd hope that at some point you could add more options to that, so that people can tailor it more to their needs. Like three (or more) different levels for the security setting:

1. The current, most secure, implementation, ie. two-step login is triggered in many cases, even if trying to log in from a new browser (or having deleted cookies from your current browser).

2. My suggestion, ie. two-step verification is triggered only if you try to change account options (most important ones being the email address and password), and on top of that sending an information email to the user for possibly unauthorized connections (attempts) from elsewhere (e.g. from a new IP address or country), so that the user can react accordingly if needed, like changing the password. This is what I'd personally like to use.

3. Disabled, ie. what it is now by default.
Post edited March 08, 2016 by timppu
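The three security levels proposed in the post above, combined with the announcement's 4-character emailed code, as an added Python example that is not GOG's code. The code alphabet, 10-minute lifetime, three-attempt cap, the reading of level 1 and all names are assumptions.

```python
import hmac
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_uppercase + string.digits   # assumed; 36**4 possible codes
SENSITIVE = {"change_email", "change_password"}

def decide(level, action, known_browser, known_location):
    """Return (challenge, notify) for security levels 1-3 from the post."""
    unusual = not (known_browser and known_location)
    if level == 1:        # assumed reading of current behaviour: challenge anything unusual
        return unusual, False
    if level == 2:        # challenge account changes only; email a notice when unusual
        return action in SENSITIVE, unusual
    return False, False   # level 3: two-step disabled

@dataclass
class Challenge:
    code: str
    expires: float
    tries_left: int = 3   # assumed cap; a short code depends on one

def issue(now, ttl=600.0):
    """Create a random 4-character code valid for ttl seconds."""
    code = "".join(secrets.choice(ALPHABET) for _ in range(4))
    return Challenge(code, now + ttl)

def verify(ch, guess, now):
    """Check a guess; expired, exhausted or already-used codes always fail."""
    if now > ch.expires or ch.tries_left <= 0:
        return False
    ch.tries_left -= 1
    # Constant-time comparison on bytes avoids leaking how many characters matched.
    ok = hmac.compare_digest(ch.code.encode(), guess.strip().upper().encode())
    if ok:
        ch.tries_left = 0   # single use
    return ok
```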
I should probably just use the same code I have on my luggage, yes?
nice! thanks! enabled
Thank you for the extra security features and thank you for using email instead of phone 2ndry authentication! I don't want to have to use my phone for everything I'm doing on my computer, one physical device is enough!
Thank you! One of the reasons I have started to use GoG was because of privacy concerns with using other distribution sites, so it's nice to see that GoG are taking privacy seriously.
DreamedArtist: This is not a phone two-step? Why did you choose email instead of phone text the code? It is a lot more secure and harder to break into.
MaximumBunny: Because your email should be tied to your phone with 2 step.

hedwards: Probably because it's basically free to email a code, but you have to pay to send texts.
MaximumBunny: It's free/included under most plans here. If you're living in poverty you get a free Obamaphone with unlimited calls, texting, and data as well so money isn't even a factor anymore.
Why should it be tied with my phone? Please explain? Some people don't want to tie their real email with a phone for reasons and not having a text message sent is a wrong choice, Humble bundle does it and it works wonders off the bat.

Doing it by email is not secure at all if the email gets shafted as well.
DreamedArtist: Why should it be tied with my phone? Please explain? Some people don't want to tie their real email with a phone for reasons and not having a text message sent is a wrong choice
The idea is that if people planned on tying GOG/Steam to their phones, that they'd have already done so with their emails. Tying an email to (GOG for example) assumes you trust GOG with the security of it. Saying you're worried about being compromised because you're selective about which accounts you want to secure with which methods is silly. And if you're using a throwaway email then you're even sillier worrying about what security options GOG offers. :P
DreamedArtist: Why should it be tied with my phone? Please explain? Some people don't want to tie their real email with a phone for reasons and not having a text message sent is a wrong choice
MaximumBunny: The idea is that if people planned on tying GOG/Steam to their phones, that they'd have already done so with their emails. Tying an email to (GOG for example) assumes you trust GOG with the security of it. Saying you're worried about being compromised because you're selective about which accounts you want to secure with which methods is silly. And if you're using a throwaway email then you're even sillier worrying about what security options GOG offers. :P
Put it this way: a text is faster, better and less of a hassle to get through. I think gog should give an option for both and let the user have options like Steam does and Origin. Option is always good at the end I think.
No response yet as to how this will affect those of us using the brilliant GoG downloader (yes I know it is no longer supported but while it works I will continue to use it as I prefer it to be done manually).
DreamedArtist: Put it this way: a text is faster, better and less of a hassle to get through. I think gog should give an option for both and let the user have options like Steam does and Origin. Option is always good at the end I think.
Oh, I might have misread your first post. I agree that the phone authentication is nice too, possibly even better.

I don't know why but I think I was reading it as something like "I don't think 2 step is as secure for emails as it is for GOG/Steam" and I was trying to say that it's just as secure. It's just 1 more step of inconvenience if you don't have quick access to your emails. I hear ya. :D