Hello everyone!

To provide you with better security for your accounts, we’ve introduced a new 2FA (Time-based One-Time Password) login method for your accounts. You can use it with popular authentication apps of your choice, like Google Authenticator, Microsoft Authenticator, or others.

Authentication apps offer enhanced security because they are less susceptible to phishing attacks compared to email-based methods.

Here’s how to enable it:

- Go to your “Orders & settings” page.

- Navigate to the “Login and security” section.

- In the “Two-Factor Authenticator” area, you’ll now see the new “Authenticator app” option.

- First, disable the “Email” authentication method.

- Then, enable the “Authenticator app” by following the on-screen instructions.

That’s it – you’re all set!

You can also visit THIS support article for more information about the Two-Step Login Methods.

May your glorious libraries remain safe forever. Hope you enjoy!
So I assume these apps are phone apps?

If yes, I am sick of having more and more reliance on phones. I get it that this is optional.
huan: A second factor that uses your email is no second factor at all. Once someone breaches your email, your GOG account is gone too, because they can use your email account to reset the password on GOG.
kultpcgames: In my opinion, it is. The username + password are the first instance, because the email address isn't even known unless the web service provider publishes it (which would violate the EU GDPR without consent) or has been hacked. In the latter case, there's no point in discussing it further, because then TOTP is no longer of any use.
As someone who had to do a presentation at university on the subject of MFA (Multi-Factor Authentication) for an IT security course, let me provide some (university-approved) info.

To qualify as "multi-factor" (this includes 2FA, of course), an authentication method must check multiple types of factors. The types are categorized as:

- What you know: e.g. passwords, answers to security questions (like the name of your first pet), etc.
- What you have: e.g. a phone (with an authenticator app installed, or with a phone number for SMS, etc.)
- What you are: e.g. biometric info such as your iris, face, fingerprint, voice, etc.
- Where you are: a fairly "new" type of factor, typically only used in high-security situations, where e.g. a high-value user is expected to travel abroad and therefore can only login in that country (not anywhere else) while they're supposed to be there (not sooner and not later)

It doesn't matter how many of the same type of factor you use; it's still technically just single-factor. It's also important to know that SMS codes are considered highly insecure due to SMS being unencrypted. If the attacker knows your phone number, they can trivially retrieve the SMS code without actually owning the number or having access to the phone. This is why services that do implement SMS codes always obscure part of the number (though you still shouldn't be using SMS codes in the first place).

Email codes actually belong in the "what you know" category, because to access your emails you must know your email address and password. And in this case, since people already must know your email address to log in to GOG, they only need to know your GOG account password and your email account password.

Thus, we only now have true 2FA.

And it makes sense to see things that way, because lots of people keep all their passwords in one place (e.g. a text or Excel file somewhere, a memo, a password manager, etc.), meaning that if someone can get your GOG password, there's a good chance they also have your email password.

That said, I'm very grateful to GOG for finally implementing true 2FA, and more importantly, for using established standards instead of developing your own sauce like Valve and Blizzard do with Steam and Battle.net.

Thank you very much.
Post edited May 19, 2025 by s1drano
Finally! Thank you!
I have been waiting for this for so long!
Gonna set this up right away!
At least it is a step in the right direction... It won't be long now until we have verified ID internet access and the normal people can come online again doing what they always did.
trusteft: So I assume these apps are phone apps?

If yes, I am sick of having more and more reliance on phones. I get it that this is optional.
You can use desktop apps as well.
AB2012: Another vote for Aegis Authenticator, probably the best open source, ad-free, bloat-free, spyware-free one for Android there is. For PCs, KeePassXC is highly rated, Linux-friendly too. Both are "cloud-free", i.e., nothing at all gets stored in the cloud; you back up the (encrypted) databases locally.
I can also wholeheartedly recommend KeePassXC for PC (Windows, Linux, Mac) and Aegis Authenticator for Android!
If you want to keep both in KeePassXC, I recommend KeePassDX for Android.
I used to use WinAuth for Windows to keep the TOTP keys separated, although it's no longer in development and the project has been archived. And I don't know if the revived version is trustworthy.
ssling: You can use desktop apps as well.
Can you recommend a good one? I have used and knew only about Authy in the past, which was discontinued, and also there was a data breach... Most other big names didn't have a desktop app last time I checked.
Post edited May 19, 2025 by Hirako__
This was way, way overdue. Email codes simply are not secure enough. OTP is a far better solution and should be considered the bare minimum level of security for any login you would want to protect.

For those with privacy concerns, you are NOT tied to using any specific third party. Many open-source authenticators are available.

Using a phone app is NOT required. Any password manager should allow you to set up OTP. Anyone using a password manager should be using this. And if you aren't using a password manager, you really should.

Yes, you can lose access to your account if you lose your phone. That's why you make a note of the recovery codes and keep them somewhere safe.

And ALL of this is optional if you do not want to protect yourself. There's no reason anyone should be unhappy with the option of using better security if we choose.
Quick question: Does this affect when you log into your account using a client program like Heroic, Lutris, or Mini Galaxy? Will these clients need to be updated for this or will it not be an issue?
Hirako__: Can you recommend a good one? I have used and knew only about Authy in the past, which was discontinued, and also there was a data breach... Most other big names didn't have a desktop app last time I checked.
I use the already mentioned KeePassXC. It's fully open-source and cross-platform.
For anyone who does not want to trust some "security" app from Microsoft or Google, I can recommend Aegis. It's fully Open Source and available on F-Droid. I use it every day for private stuff and for work.

trusteft: So I assume these apps are phone apps?

If yes, I am sick of having more and more reliance on phones. I get it that this is optional.
Yes and no. The standard is called time-based one-time password (TOTP) and will work with anything that has a clock. You could even do the math on paper if you are fast enough, at least in theory. There are a number of free (as in freedom) implementations for phones but also on desktop or even small standalone devices that look like a keychain accessory with a number display.
Post edited May 19, 2025 by HiPhish
trusteft: So I assume these apps are phone apps?

If yes, I am sick of having more and more reliance on phones. I get it that this is optional.
I agree with you: too many companies, services and products are actively encouraging you or outright forcing you to install and use their apps. Some apps are actually horrible, bloated and forcing updates on you. It is horrible. When that happens, I look for alternatives. You can even find them on board games! No, I will not use an app for that!

What is described here is a different matter, however.
TOTP is defined as a (sort of?) standard, and you can choose whatever implementation you want, wherever you want. You can write your own, or even do the math in your head or use pen and pencil (in theory).
Just like you can choose the program to play your music files or watch your photos, you can choose whatever program provides this feature to you. Or go on and live a happy life without it!

There are apps for phones, for computers, plug-ins for browsers... you will find multiple possibilities and recommendations mentioned in this thread.
AB2012: -snip-
Numberstation (https://sr.ht/~martijnbraam/numberstation/) too, and countless more found on F-Droid and other FOSS repositories on Android.
Post edited May 19, 2025 by dnovraD
wolfsite: Quick question: Does this affect when you log into your account using a client program like Heroic, Lutris, or Mini Galaxy? Will these clients need to be updated for this or will it not be an issue?
No more than old e-mail authentication. You just provide a code during log-in.
wolfsite: Quick question: Does this affect when you log into your account using a client program like Heroic, Lutris, or Mini Galaxy? Will these clients need to be updated for this or will it not be an issue?
And a very good question indeed.
I am guessing here, but those programs do not store your password. They are granted a token (a cookie, probably) and that token remains valid for several days. Once it expires, a new one is requested by asking you to re-authenticate.

When you are asked to authenticate, then it is likely that you will need to provide the time-based code. I would expect that to happen every 3 or 4 months, perhaps?

But then again, it depends on how it is implemented. GOG may be a bit loose and only ask for reassurance when you change your IP, for example, and things work as previously most of the time. I believe this is the case currently.