Hello everyone!

To provide you with better security for your accounts, we’ve introduced a new 2FA (Time-based One-Time Password) login method for your accounts. You can use it with popular authentication apps of your choice, like Google Authenticator, Microsoft Authenticator, or others.

Authentication apps offer enhanced security because they are less susceptible to phishing attacks compared to email-based methods.

Here’s how to enable it:

- Go to your “Orders & settings” page.

- Navigate to the “Login and security” section.

- In the “Two-Factor Authenticator” area, you’ll now see the new “Authenticator app” option.

- First, disable the “Email” authentication method.

- Then, enable the “Authenticator app” by following the on-screen instructions.

That’s it – you’re all set!

You can also visit THIS support article for more information about the Two-Step Login Methods.

May your glorious libraries remain safe forever. Hope you enjoy!
As should be!
Thanks, GOG.
Professional implementation, there were just a few minor kinks to work out during testing.

And best of all, it's TOTP. You can use whatever authenticator you like. Unlike "some other store" that pushes a custom app on you for something this basic.
great, cheers GOG!
Finally!
Can someone explain the added value to me? Is the message encrypted via the app?

If the email account is well protected with a strong password, that should be completely sufficient.
kultpcgames: Can someone explain the added value to me? Is the message encrypted via the app?

If the email account is well protected with a strong password, that should be completely sufficient.
It is the typical modern security theater.

And now they have placed the responsibility for the security of the account and the login to you.
666_Vomit_666: It is the typical modern security theater.

And now they have placed the responsibility for the security of the account and the login to you.
But that doesn't answer my question. What added value does this provide?

I can also receive emails on mobile devices, and otherwise I only see disadvantages. Another app, even more administrative overhead, and even more vulnerability.

Maybe I'm just too old by now... :-|

PS: Less vulnerable to phishing would mean that all communication up to the end device is encrypted.
Post edited May 19, 2025 by kultpcgames
How about YubiKey support? That's even better.
Thanks, it's a bit better than email 2FA, but yeah. Will passkeys be the next option to add in the future?
Post edited May 19, 2025 by Shadowds
kultpcgames: Can someone explain the added value to me? Is the message encrypted via the app?

If the email account is well protected with a strong password, that should be completely sufficient.
It's defense in depth. Limiting the potential damage. If someone gains access to your email account, they won't be able to access your GOG account, because there's a true second "factor" needed. (Not just "something you know" (the password, which can be reset with access to your email), but also "something you have", namely the device with the authenticator app/extension. (That can just be an extension in your regular browser, btw - doesn't have to be a smartphone app.))

The phishing protection offered by this is limited, at least for attacks targeted specifically at GOG, but I think that's exactly the point - that's not where most phishing attacks would be targeted - just added fallout. (Still, it's a bit misleading to specifically mention "less susceptible to phishing attacks" as a benefit.)

It's essential for people who re-use passwords, and pretty important for people who don't have total control over their own email.

The cost is the extra hassle, and good security practices around backing up the recovery codes, as losing the device would otherwise be a disaster.
Post edited May 19, 2025 by gogtrial34987
kultpcgames:
As huan had mentioned, the authentication method used here is time-based one-time password.

Operating under the assumption that the clock on your device running the authentication application is relatively internet-synchronized, one is able to generate 6-digit codes at will (including with internet and cellular network access disabled via 'airplane mode').
kultpcgames: Can someone explain the added value to me? Is the message encrypted via the app?

If the email account is well protected with a strong password, that should be completely sufficient.
I'd say IMHO it's a little more secure: you have TOTP that works offline via an app vs. having to rely on email if there are ever server hiccups, or having to log in to email over and over. But yeah, it's not that grand of a jump if you're actually being careful, since we've already been getting 2FA via email since 2016, so yeah, not that groundbreaking, especially if you're already using an email app on the phone. Just think of it this way: you don't have to turn on data for your phone for the TOTP app.

Both of these methods still fall under phishing attacks, or malware such as an info stealer.
Post edited May 19, 2025 by Shadowds
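The two replies above describe how the authenticator app produces 6-digit codes from nothing but a shared secret and a reasonably synchronized clock, which is why it works in airplane mode. As an added worked example (not code from GOG, nor from any poster in this thread), here is a self-contained RFC 4226/6238 implementation in Python. The secret is the standard RFC test secret, base32-encoded as a provisioning QR code would carry it, and is purely a demo value; the drift window and the replay guard on the server side are my own design choices for illustration and say nothing about how GOG's server actually verifies codes.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the ASCII string "12345678901234567890" from the
# RFC 4226/6238 test vectors, base32-encoded the way an otpauth:// URI or
# provisioning QR code would carry it. It is NOT a real account secret.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_b32_secret(secret_b32: str) -> bytes:
    """Decode a base32 shared secret, tolerating the '=' padding and
    spaces that authenticator URIs and printed secrets usually drop."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    'dynamic truncation' down to a `digits`-digit decimal string."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    Besides the shared secret the only input is the clock, which is why
    the app keeps working with networking switched off."""
    return hotp(decode_b32_secret(secret_b32), at // step, digits)


def current_code(secret_b32: str) -> str:
    """What an authenticator app displays right now (client side)."""
    return totp(secret_b32, int(time.time()))


def verify_totp(secret_b32: str, submitted: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check (illustrative design, not GOG's). Accepts the code
    for the current time step and +/- `window` neighbouring steps to absorb
    clock drift. Returns the matched counter so the caller can store it;
    any counter <= the stored `last_counter` is refused, so a code that was
    captured once cannot be replayed inside the drift window. The string
    comparison is constant-time."""
    secret = decode_b32_secret(secret_b32)
    base = at // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted.strip()):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = current_code(DEMO_SECRET_B32)
    first = verify_totp(DEMO_SECRET_B32, code, now)
    print("code:", code, "accepted at counter:", first)
    # The same code presented again within the window is rejected.
    print("replay:", verify_totp(DEMO_SECRET_B32, code, now, last_counter=first))
```

The RFC test vectors use 8-digit codes; the 6-digit variant that authenticator apps show is the same value with the leading digits dropped, so `totp(DEMO_SECRET_B32, 59, digits=8)` gives `94287082` and the 6-digit form is `287082`. Note that nothing in this scheme ties the code to the site being logged into, which is the technical reason the "less susceptible to phishing" claim is weaker than it sounds: a phishing page that relays the 6 digits within the 30-second window still gets in.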
Interesting protection. Also, log out from all sessions, because even if you change the password and add any extra security,
no mechanism logs you out after, e.g., 6-12 hours of inactivity.
Once someone is logged on to your account, he/she can keep on.
https://www.gog.com/logout
Post edited May 19, 2025 by solseb
666_Vomit_666: It is the typical modern security theater.

And now they have placed the responsibility for the security of the account and the login to you.
kultpcgames: But that doesn't answer my question. What added value does this provide?

I can also receive emails on mobile devices, and otherwise I only see disadvantages. Another app, even more administrative overhead, and even more vulnerability.

Maybe I'm just too old by now... :-|

PS: Less vulnerable to phishing would mean that all communication up to the end device is encrypted.
https://blog.fefe.de/?ts=98782801

Fefe's latest rant in regard to this issue. You know Fefe, right?

In practice everyone wants to force 2FA on you, and then implements it on the back end anywhere from shoddily to completely broken. Why is that? Because it isn't about 2FA or security; it's about establishing the narrative that the user is the security problem here, not the bank. We'll keep talking about the CO2 footprint, er, the things the user can do, until with every problem that comes up everyone immediately thinks: the user probably didn't do something properly.