Hello everyone!

To provide you with better security for your accounts, we’ve introduced a new 2FA (Time-based One-Time Password) login method for your accounts. You can use it with popular authentication apps of your choice, like Google Authenticator, Microsoft Authenticator, or others.

Authentication apps offer enhanced security because they are less susceptible to phishing attacks compared to email-based methods.

Here’s how to enable it:

- Go to your “Orders & settings” page.

- Navigate to the “Login and security” section.

- In the “Two-Factor Authenticator” area, you’ll now see the new “Authenticator app” option.

- First, disable the “Email” authentication method.

- Then, enable the “Authenticator app” by following the on-screen instructions.

That’s it – you’re all set!

You can also visit THIS support article for more information about the Two-Step Login Methods.

May your glorious libraries remain safe forever. Hope you enjoy!
Finally. Thank you.
Much thanks.
kultpcgames: What added value does this provide?
Referring specifically to TOTP vs email, TOTP makes it harder for someone to take control of your account because even if they get access to your email they still need access to your authenticator app. Since everything else depends on your email, having a separate verification mechanism is a plus in terms of security and might make the difference between your account being compromised or not. Also TOTP codes usually last only 30 seconds while email OTPs are generally valid for a whole lot longer, giving attackers more time to do their thing.
kultpcgames: Another app, even more administrative overhead, and even more vulnerability.
There might be some of that, depending on what apps/services you use and how much you use them.

Personally, I have been using FreeOtp+ (https://play.google.com/store/apps/details?id=org.liberty.android.freeotpplus) for a very long time without any kind of issue. There are also good options for pretty much every OS you care to name and some password managers like KeePass also support it. Just make sure you pick something that's either open source or made by a company you trust.
Post edited May 19, 2025 by AGlezB
gogtrial34987: It's essential for people who re-use passwords, and pretty important for people who don't have total control over their own email.
That's a good argument for those who still use one password for everything. I understand that, but I doubt that these people will activate the new 2FA.

Personally, I consider strong passwords, individually configured for each service/user account, to be a sufficient solution. It's actually advantageous to run a manageable mail server, as this allows you to set up individual email addresses for all services. These should be redirected, of course, because so many mailboxes would be too much work.

Palestine: As huan had mentioned, the authentication method used here is time-based one-time password.

Operating under the assumption that the clock on your device running the authentication application is relatively internet-synchronized, one is able to generate 6-digit codes at will (including with internet and cellular network access disabled via 'airplane mode').
That might be an argument for some. In my practice, I log in, receive the 2FA email, and use the code immediately. That should also expire.

But yes, it's true. If someone else triggers 2FA and the code doesn't expire (doesn't it with GOG?), the window for attacks would be larger.
Shadowds: But yeah it's not that grand of a jump if you're actually being careful since we've already been getting 2FA via email since 2016, so yeah not that groundbreaking, especially if already using an email app on the phone.
So I am not alone in this opinion :)

666_Vomit_666: Fefe's latest rant in regard to this issue. You know Fefe, right?
Yes, of course. :)
Post edited May 19, 2025 by kultpcgames
high rated
AGlezB: Personally, I have been using FreeOtp+ (https://play.google.com/store/apps/details?id=org.liberty.android.freeotpplus) for a very long time without any kind of issue. There are also good options for pretty much every OS you care to name and some password managers like KeePass also support it. Just make sure you pick something that's either open source or made by a company you trust.
There are no companies I trust. Trust doesn't come for free. I only trust people, and only those who have earned it. So, in a case like this, the only option for me is open source. But thanks for the link, I'll take a look, just to see where the journey takes me into the future. :)
high rated
GOG.com: (...) Google (...) Microsoft (...)

(...) enhanced security (...)
Sounds like a paradox to me.
And I also don't have a mobile phone.
Post edited May 19, 2025 by viperfdl
Finally, thank you, GOG!
I think it's good when web service providers want to increase security. However, I personally don't see any such improvement here. That's not a negative criticism; maybe I'm just blind to the benefits. :)
high rated
Hmmmmm.....I guess an extra layer of security couldn't hurt......or could it? I am of the mind that this is potentially more troublesome than regular email/password...or email/password/2FA.

Why do I want to rely on a third-party app for my security? What if I lose access to the app? What if I lose those backup codes needed in just such a case?

More hassle and potential BS that I want no part of. As people have mentioned...this is basically throwing away any responsibility of the website admins, and putting the burden of security squarely on our shoulders instead.
Post edited May 19, 2025 by RizzoCuoco
GOG.com: (...) Google (...) Microsoft (...)

(...) enhanced security (...)
viperfdl: Sounds like a paradox to me.
And I also don't have a mobile phone.
Open source authenticator apps exist, also as extensions for your desktop browser. The Google and Microsoft offerings are (sadly) simply already installed for the vast majority of users, so it might lower the barrier to entry for those users if they know they won't have to install something new.
kultpcgames: I think it's good when web service providers want to increase security. However, I personally don't see any such improvement here. That's not a negative criticism; maybe I'm just blind to the benefits. :)
For you, as indeed for me, the benefit would be mostly theoretical, with a tiny bit of benefit from the defense in depth posture for the case where GOG itself loses control over its user database, or someone were to take over your email domain via your registrar. (Though I suspect your GOG account would be the least of your worries in such a case.)
Post edited May 19, 2025 by gogtrial34987
gogtrial34987: Open source authenticator apps exist, also as extensions for your desktop browser.
Didn't know that. Have to look into it. Thanks for the hint. :)
gogtrial34987: For you, as indeed for me, the benefit would be mostly theoretical, with a tiny bit of benefit from the defense in depth posture for the case where GOG itself loses control over its user database, or someone were to take over your email domain via your registrar. (Though I suspect your GOG account would be the least of your worries in such a case.)
That's right.

If the provider loses control, everything is lost anyway.

And as far as the account is concerned, there's always legal recourse. Within the EU, it's not quite as problematic. In the worst case, you lose access to future updates, provided you've backed up everything (which you should).

I think everyone in IT knows that absolute security is an illusion and, just like perfection, is unattainable. However, the fact remains that 2FA is more secure than standard login.
Thanks for finally modernizing this.

Edit: Switched. Glad for the choice of QR code or key. Didn't feel like setting up a new phone auth vs local computer auth.
Post edited May 19, 2025 by dnovraD
Finally! Made the switch immediately. This will be a lot cheaper for GOG to operate, compared to sending out millions of emails every day...
GOG.com: Hello everyone!

To provide you with better security for your accounts, we’ve introduced a new 2FA (Time-based One-Time Password) login method for your accounts. You can use it with popular authentication apps of your choice, like Google Authenticator, Microsoft Authenticator, or others.

Authentication apps offer enhanced security because they are less susceptible to phishing attacks compared to email-based methods.

Here’s how to enable it:

- Go to your “Orders & settings” page.

- Navigate to the “Login and security” section.

- In the “Two-Factor Authenticator” area, you’ll now see the new “Authenticator app” option.

- First, disable the “Email” authentication method.

- Then, enable the “Authenticator app” by following the on-screen instructions.

That’s it – you’re all set!

You can also visit THIS support article for more information about the Two-Step Login Methods.

May your glorious libraries remain safe forever. Hope you enjoy!
THANK YOU!!!! You guys are the best <3