An extra layer of protection for you and your account.

Today, we bring you two-step login: an optional extra layer of protection for your GOG.com account. In the coming weeks, we'll also be making all communication between you and GOG encrypted by default with HTTPS everywhere — both methods often requested on our wishlist, but also simply pretty smart to offer.

Two-Step Login
Two-step login is an extra layer of protection for your GOG.com account. Every once in a while, we'll ask you to verify your identity with a 4-character security code sent to your email. Simple stuff.

Two-step login is optional, but we really recommend it. It's designed to bug you only when we notice something unusual — like logging in from a new browser or location. By doing this, we make sure that there's no way to gain unauthorized access to your GOG.com account without both your GOG password and your email account. When used to its full potential with unique passwords for every account, two-step login can be virtually impenetrable.

To enable two-step login, simply head to your Login & Security settings, verify your email address, and enjoy the extra peace of mind. For more information, check out the FAQ.
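As an added illustration (not GOG's code), here is how a server could implement the step-up check the post describes: a 4-character code issued only when the login looks unusual, valid for a limited time and a limited number of guesses, since a code that short is only safe to use when attempts are capped and the code expires. The challenge ids, TTL and attempt limit are assumed values.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass
ALPHABET = string.ascii_uppercase + string.digits  # 36**4 = 1,679,616 possible codes
CODE_LEN = 4
MAX_ATTEMPTS = 3      # assumed: guesses allowed per challenge before it is voided
TTL_SECONDS = 600     # assumed: how long an e-mailed code stays valid


def needs_step_up(known_devices, device_id, location):
    """Risk signal from the post: a browser/location pair not seen before triggers the check."""
    return (device_id, location) not in known_devices


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0


class StepUpVerifier:
    """Issues one short-lived code per challenge and checks guesses against it."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be exercised in tests
        self._pending = {}         # challenge_id -> Challenge

    def issue(self, challenge_id):
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        self._pending[challenge_id] = Challenge(code, self._now())
        return code  # sent to the account's e-mail address, never back to the browser

    def verify(self, challenge_id, guess):
        ch = self._pending.get(challenge_id)
        if ch is None:
            return "no_challenge"
        if self._now() - ch.issued_at > TTL_SECONDS:
            del self._pending[challenge_id]
            return "expired"
        ch.attempts += 1
        # constant-time compare; normalise case so "ab1c" and "AB1C" are the same code
        if hmac.compare_digest(ch.code.encode(), guess.strip().upper().encode()):
            del self._pending[challenge_id]
            return "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            del self._pending[challenge_id]   # void the code after the third wrong guess
            return "locked"
        return "wrong"
```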

Additionally, you can now end all of your active GOG.com sessions in one click — this includes every device or browser you ever logged in through. It's a handy feature if you've recently used a public computer, or if you simply want to be sure no device is still logged in to your account.

HTTPS everywhere
GOG Galaxy has already supported HTTPS everywhere for some time, and now we're beginning to roll it out globally. That means HTTPS support for every connection between you and GOG.com — all secured with industry-standard encryption. Every bit (and byte) of data that travels between you, us, and everyone on GOG.com will be encrypted, including the store, forum, chat, downloads and even all of GOG Galaxy. It truly is HTTPS everywhere.
Hi GOG Team,

Many thanks for adding 2FA and HTTPS Everywhere support to your website. Both are a fantastic improvement.

In the future would you also consider updating the encryption used from AES_256_CBC to AES_128_GCM and using ECDHE_RSA as the key exchange mechanism?

The EFF discuss how to do this as well as adding Forward Secrecy on their website. To access that page visit their website and choose the tab labelled: "Our Work" -> HTTPS Everywhere -> How to Deploy HTTPS Correctly.

Thanks again and keep up the excellent work!
JKing: Google Authenticator is simply an implementation (a fairly basic one) of RFC 6238: Time-Based One-Time Password Algorithm, an Internet standard which, amusingly, does not require an Internet connection to function. Google services are not actually involved, and there are many other implementations. I use FreeOTP
Cheater87: I am aware, I use Authy,
I was replying to nightcraw1er.488, not you. ;)
BadDecissions: Steam practically always thinks I'm logging in from some strange and mysterious device. Same browser and computer every time, it doesn't matter, Valve is just perpetually convinced that I'm a criminal trying to hack into my account. So well done on the https I guess, but add another voice agreeing with timpuu: I'd use two-step verification, but only in a stripped back, less irritating form.
Do you use "Privacy Browsing" or "Incognito" mode or similar privacy mode in your browser(s), or use any addons that protect privacy by deleting cookies, or configure cookies to be session-only? If you do not permit a website to set cookies, then it can't remember who you are and you are a stranger next time/every time.
Someone's probably mentioned this already, but does it not mean that if you lose access to your email you lose access to your GOG account, and if the email gets hacked then it risks the GOG account too?
GOG.com: (…)
Nice. Thanks for making GOG more secure.
GOG.com: Two-step login is optional.
Thanks.
Cool news GOG!
skeletonbow: If you do not permit a website to set cookies, then it can't remember who you are and you are a stranger next time/every time.
Rest assured that when they want to send you targeted advertising they have *lots* of other methods than dropping a cookie ;)
vv221: Rest assured that when they want to send you targeted advertising they have *lots* of other methods than dropping a cookie ;)
That is correct, but also orthogonal to why one might end up being forced to have to manually log in somewhere all the time. :)
vv221: Rest assured that when they want to send you targeted advertising they have *lots* of other methods than dropping a cookie ;)
skeletonbow: That is correct, but also orthogonal to why one might end up being forced to have to manually log in somewhere all the time. :)
Oh, I thought it was about having to go through the e-mail validation each time despite being on the same machine, in the same place (things that can be known without using cookies).
If it’s just about having to connect to the service by a simple id/pass system, well, it’s quite obvious that you have to keep cookies if you want to avoid this.
vv221: Oh, I thought it was about having to go through the e-mail validation each time despite being on the same machine, in the same place (things that can be known without using cookies).
If it’s just about having to connect to the service by a simple id/pass system, well, it’s quite obvious that you have to keep cookies if you want to avoid this.
Yup, obvious to the more technically inclined anyway, but not necessarily obvious to everyone. I've had friends/family express frustration with having to log into certain sites endlessly despite telling the site to remember them, or having settings they configure vanish when they restart their browser. The problem is that a lot of people see "Private Window" or similar in their browser and think "yeah, I want more privacy, that's a good thing, right? Sure, I'll use a private window!" and they do it and get the benefits that feature provides, but without fully understanding all of the technical things that using a private window entails, and they may not understand enough about how login authentication methods, cookies and other web tech work to fully understand all of the pros and cons of using something like Private Browsing mode. Then something does not work as they expect, such as having to re-login every time they load the site or restart their browser, and they have no idea why and might get upset about it, possibly channelling their frustration by blaming their web browser or the website in question for being buggy, etc.

It's entirely natural for this to happen though, as computers and software security/privacy concepts are always going to have a certain amount of complexity and technical nature to them which everyone won't be an expert about, so things not working the way one expects as a human being is a reasonable outcome. Getting from there to understanding why, though, can be frustrating for some. :)
skeletonbow: (…)
You’re 100% right.
I’ve nothing more to say ;P
skeletonbow: If you do not permit a website to set cookies, then it can't remember who you are and you are a stranger next time/every time.
vv221: Rest assured that when they want to send you targeted advertising they have *lots* of other methods than dropping a cookie ;)
Yup - this one is very interesting: https://github.com/Valve/fingerprintjs2 - you create a fingerprint out of users' data like screen resolution, supported fonts, supported features (WebGL for example) etc.; they are so unique that you can rely on them and pair user fingerprints with their account. It can basically get the same fingerprint in private mode or after clearing cookies, and identify you.

Sooo... The cookies and localStorage (many users are not aware of this one either) are not everything. :)

I was once very surprised when an internet shop sent me an email after I'd added an item to the cart and didn't complete the order - and I wasn't logged in when doing that. (like - "hey, what happened? come on, maybe you would like to buy it?")
I'd created an account there several months before to buy something. But I don't clear the cookies/localStorage at all - I like having it and letting sites use it - personally.
Post edited March 11, 2016 by Johny.
Johny.: I don't clear the cookies/localStorage at all - I like having it and letting sites use it - personally.
My favourite alternative is the use of a whitelist: by default no website is allowed to put cookies on my system, unless it's part of the list of websites that I explicitly allowed to do it.

GOG can set cookies, Google can not, and I’m happy ;)
SmashManiac: Yes! It's about time to see GOG finally starting to implement some decent security. There's still some obvious work to do though: https://www.ssllabs.com/ssltest/analyze.html?viaform=on&d=www.gog.com
Could you check it again? [A-]