Hello everyone!

To provide you with better security for your accounts, we’ve introduced a new 2FA (Time-based One-Time Password) login method for your accounts. You can use it with popular authentication apps of your choice, like Google Authenticator, Microsoft Authenticator, or others.

Authentication apps offer enhanced security because they are less susceptible to phishing attacks compared to email-based methods.

Here’s how to enable it:

- Go to your “Orders & settings” page.

- Navigate to the “Login and security” section.

- In the “Two-Factor Authenticator” area, you’ll now see the new “Authenticator app” option.

- First, disable the “Email” authentication method.

- Then, enable the “Authenticator app” by following the on-screen instructions.

That’s it – you’re all set!

You can also visit THIS support article for more information about the Two-Step Login Methods.

May your glorious libraries remain safe forever. Hope you enjoy!
Gede: (...)
Most probably they will need to create some kind of front end solution like lgogdownloader and/or nile to open a window browser requesting a login token that redirects to GOG's Galaxy API or website, captures the cookie/login token and redirects it to the program in question (Heroic, Lutris, and so on).

That's a really nice implementation and a good security solution.
Congratulations GOG for the implementation.

Also, to those that are outside of Google's ecosystem and use other Android builds or hacked/changed their cellphones to remove Google Play Store DRM (playservices) and the like:
Aegis is a good 2FA app that also supports TOTP algorithms.

HiPhish: (...)
Just noticed you ninja'd my recommendation for Aegis also. :P

--
Edit¹:
Silly me! Almost 5 people have recommended Aegis on this thread already.

--
Edit²:
Just tested it with Aegis. Everything works as intended.
Fluid and easy, much faster than email authentication in my opinion.
Thanks for others recommending KeePass also, never heard of it.
Seems very good for Linux and backups against phones being stolen/broken/loss.
Post edited May 19, 2025 by .Keys
For interested parties: totp is a fantastic and simple TOTP (Time-based One-Time Password) program. Other than your preferred C library (such as: musl, glibc), this tool possesses zero additional library dependencies.

Note: It is best to ensure that the system clock on each chosen device is reasonably well-synchronized with an NTP server. Also, Time-based One-Time Password allows for this program (and others) to be simultaneously installed and used on an infinite number of machines, without upper limitations.

Upon enabling [Authenticator app] within account [Login and Security], one is presented with a 16-character Base32-encoded string (example: JVUW42LNMFWGS43U). Afterwards, it truly is as easy as decoding the aforementioned string, and piping the output to totp. The resulting 6-digit code can then be copied and pasted (or, entered manually) into the appropriate field on the GOG web prompt.

Input:
printf JVUW42LNMFWGS43U | base32 -d | totp

Output (at the time of creating this forum post):
739954

I use this very same program on my Linux and Android (manually compiled with Android NDK and run via Termux) devices. Of course, the back-up codes are stored on multiple physical storage mediums.

The inclusion of this feature by GOG is quite commendable, and, in my opinion, this method is far superior to electronic mail-based authentication (which one may be unable to access for whichever reason).
Post edited May 20, 2025 by Palestine
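The `base32 -d | totp` pipeline in the post above performs the RFC 6238 computation written out below in Python, as an added example that is neither GOG's code nor the `totp` tool itself; it assumes the page's 16-character Base32 secret format with the usual defaults (HMAC-SHA1, 30-second step, 6 digits), and `verify_totp` adds the server-side adjacent-window tolerance that is the reason the clock-synchronization note matters.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Decode the Base32 string shown at enrolment (the page's example is
    JVUW42LNMFWGS43U). Padding is restored because base64.b32decode
    requires the input length to be a multiple of 8."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is floor(unix_time / step), which is
    why every device sharing the secret produces the same code."""
    return hotp(decode_base32_secret(secret), unix_time // step, digits)


def verify_totp(secret: str, candidate: str, unix_time: int,
                step: int = 30, skew_steps: int = 1) -> bool:
    """Verifier-side check (assumed policy, not GOG's documented one):
    accept the current window and +/- skew_steps neighbours to tolerate
    small clock drift, comparing in constant time."""
    key = decode_base32_secret(secret)
    counter = unix_time // step
    for c in range(counter - skew_steps, counter + skew_steps + 1):
        if hmac.compare_digest(hotp(key, c), candidate):
            return True
    return False


if __name__ == "__main__":
    # Same secret as the post; the printed code depends on the current clock.
    print(totp("JVUW42LNMFWGS43U", int(time.time())))
```

The test vectors from RFC 6238 (secret "12345678901234567890" in ASCII) reproduce exactly, so a mismatch between this and an authenticator app points at clock drift rather than at the secret.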
For anyone who is interested, I created a new topic to answer some of the questions regarding this.

https://www.gog.com/forum/general/authenticator_apps_for_2fa
Thank you, everyone at GOG who worked to enable this extremely important security feature! I could criticize that this should have been done a long time ago; but better late than never!

Now, back to work on GOG Galaxy for Linux, yes? ;)
JethCalark: Now, back to work on GOG Galaxy for Linux, yes? ;)
Sorry, but it seems like your best hope is to use https://heroicgameslauncher.com/ . "Heroic is a Free and Open Source Epic, GOG and Amazon Prime Games launcher for Linux, Windows and macOS. ..."
Finally! Thanks!
GoG, 2FA, TOTP... What next, C3PO?

Very curious as to the frequency of the hacked GoG accounts in the past and GoG support refusing to serve claims "I'm hacked" if user not 2FA protected in the future.
I guess it's a lengthy procedure (is physical interaction required?) to prove I own the library I have. And what about attack vectors, could only think of hacker sending gift codes on behalf of my GoG wallet, should be traceable/redeemable but requires some hustle? Making hacking a GoG account not that interesting to attackers unless they want to play with GoG (dignity) themself?

BTW, modern email providers support 2FA at their end. I don't remember the last time GoG sent me sensitive information over email (like a forgotten site password many years ago (was it a new PC device switch?)).
JethCalark: Now, back to work on GOG Galaxy for Linux, yes? ;)
tfishell: Sorry, but it seems like your best hope is to use https://heroicgameslauncher.com/ . "Heroic is a Free and Open Source Epic, GOG and Amazon Prime Games launcher for Linux, Windows and macOS. ..."
Three guesses what I've been using...
Great to have this available, been using the email 2FA for years, but this adds even more security and peace of mind. So far it has been working flawlessly on my end. Thank you GOG!
trusteft: So I assume these apps are phone apps?

If yes, I am sick of having more and more reliance on phones. I get it that this is optional.
Gede: I agree with you: too many companies, services and products are actively encouraging you or outright forcing you to install and use their apps. Some apps are actually horrible, bloated and forcing updates on you. It is horrible. When that happens, I look for alternatives. You can even find them on board games! No, I will not use an app for that!

What is described here is a different matter, however.
The TOTP is defined as a (sort of?) standard, and you can choose whatever implementation you want, wherever you want. You can write your own or even do the math on your head or use pen and pencil (in theory).
Just like you can choose the program to play your music files or watch your photos, you can choose whatever program provides this feature to you. Or go on and live a happy life without it!

There are apps for phones, for computers, plug-ins for browsers... you will find multiple possibilities and recommendations mentioned on this thread.
Nah. I'm good.
Is Aegis the way to go?
Niggles: Is Aegis the way to go?
Personal take:
On Android phones, yes, for sure.

Even if you're not an AntiGoogle user (like the freaks of us that use FDroid only and Termux :P), Aegis is simple and bloatless, like others have said.

I'd also recommend having a Win/Lin/Mac app together with it, for the sake of being safe.
Post edited May 20, 2025 by .Keys
Nice!

Albeit, I will probably not enable it because I already got locked out of my itch.io account as somehow it had app 2FA enabled (I don't recall enabling it myself, but maybe I did at some point), and had nothing related to it either in Google or MS authenticator. Maybe the entry was gone when I switched phones twice.

Email 2FA will have to do for now, I don't keep changing my email account(s).
kultpcgames: Can someone explain the added value to me? Is the message encrypted via the app?

If the email account is well protected with a strong password, that should be completely sufficient.
It would be better if that email account maybe had some kind of 2FA then. At least GMail and Outlook seem to trigger extra security measures and checks if they see you are trying to log into the account from another country, which makes sense I guess.

Except that one case when I was in Thailand and just couldn't get into my Outlook account as it sent the verification code to my other Outlook account which also demanded a verification code to some other account... I later cleared that up by telling them to send that verification code to my GMail account so that I am not left into an eternal Outlook limbo of a repeating verification code cycle.
Post edited May 20, 2025 by timppu
A few questions:

1. If I use e.g. the Google authenticator, will it have the entries for me when I switch my phone to a new one, as long as I log in with my existing Android GMail account? So all these saved entries will automatically follow me to the new phone?

2. Is it the same with the MS Authenticator? I guess I need to log with my email account to it?

3. When is this app 2FA triggered? Every time I want to log in with a web browser, or in the same cases where email 2FA would trigger (which is quite rare for me as I keep login cookies with my browser, and/or quite often log in from the same IP address).

4. Oh yeah, another one, does this 2FA have "push", i.e. you don't necessarily have to open the app and seek the entry and a code and write it down, but the request to accept the login pops up? Saves time in this hectic world where every millisecond counts, at least if you are measuring the network lag in an online shooter.

The reason I am wary of this is losing my app 2FA entries, because maybe that already happened to me with my itch.io account, effectively locking me out of my itch.io account, and also when I changed my phone to a new one, transferring both my WhatsApp contacts and channels, and my work-related MS authenticator entries, to the new phone was quite complicated. Lots of googling how the heck to achieve that; with my work MS authenticator I needed help from our IT department and they gave me very detailed instructions how to achieve that step by step, etc.

If with e.g. Google authenticator all the entries follow you to the new device automatically, as long as you log into the new phone with the same Google account you had on your earlier phone, then that's ok for me.
Post edited May 20, 2025 by timppu
I know someone must have already said it, but I'll add: this feature seems woefully late. Should have been there probably a decade ago. I don't want to think how long GOG will take to eventually implement passkeys. Probably not in our lifetime.