Gog: two-step login for all on October 24, 2016
Gog announced yesterday that it plans to enable two-step login for all users of the gaming service on October 24, 2016.
Gog is a gaming platform that has a different business model than Steam or Origin. Three of the big differences are that Gog does not use DRM on its platform, that it concentrates more on classic games than on the latest blockbuster titles, and that it does not enforce the use of its Gog Galaxy platform.
So, it is your best bet if you want to replay some of your favorite games of the past, games that you missed out on, or want to play games on any device without having to install a gaming client on that device first.
The company decided to enable two-step login for all accounts to increase account security for all Gog users.
On October 24th, we will start enabling Two-step login on all current accounts, with a goal to increase your account’s security. Once enabled, the first time you log in from a new device or network, we will send you an email with a unique code, which must be entered in order to proceed. If you’re using GOG mostly from home or work, you should only be required to use the Two-step code very rarely.
Gog: two-step login
The system relies on email verification, and not on mobile phone messages, voice calls or authentication applications. This means that users won't have to add any information to their account prior to October 24, 2016 as the account email address will be used for that.
Gog notes that users will receive a verification email the first time they try to sign in to their account on October 24th or later. The email contains a unique code that users need to enter to complete the authentication process. This is a manual step, there is no link in the email that users can click on.
While Gog will enable two-step login for all customers, it is offering options to customers to disable the feature.
Users can activate the following link prior to October 24, 2016 to disable the feature so that it won't be enabled on their account. After October 24, 2016, users may turn two-step login off in the Account Settings.
Gog users who don't want to wait this long can enable two-step login for their account right away in the Account Settings as well:
- Visit https://www.gog.com/ and sign in to your account.
- Select Account > Orders & Settings from the top menu bar.
- Select Login and Security from the settings menu.
- Click on the enable button next to two-step login to turn the feature on.
- Gog sends an email to the associated email address with a code. The code is valid for 15 minutes, and needs to be entered manually. There is no link to click to automate this.
- Once entered, two-step login is enabled for the account.
You can repeat the process to turn the feature off again at any point in time.
Now You: Do you use Gog, or another gaming platform on PC?
Fortunately Gog 2FA only requires a email address, I have been using this since last year without any troubles.
On the other hand, the last time I used Steam they were nagging me non stop to provide my cellphone number (email authentication wasn’t enough)…
Martin, can you please delete my last message, looks like I messed up and it appeared two times! :)
I just don’t get this email 2FA system that some companies try to implement. Its okay as another option but why not simply allow the use of a 3rd party authenticator app like Google Aunthenticator, Microsoft Aunthenticator, Authy etc. Even Steam finally realised that native authentication apps were much more convenient so they added one to the Steam app. GOG could’ve done something similar with a GOG Galaxy app or just let users chose their own 2FA app like EA, Ubisoft and many others do.
Not a fan of this because that implies storing a unique identifier for a device and a list of connection points. That’s a lot of information.
I’m usually not a fan of 2FA either because that tends to require something personal, often a phone number.
Still, passwords only are often not secure enough for regular people, especially with password reuse or browsers storing them. Still, I wish it was an industry standard to provide actually functional opt-outs for anything that involves privacy.
On the particular case of GoG though, I think the company has bank account information, so they know their users already. They are also not widespread as third-party all over the web, and its users are not captive.
But I know other companies who:
– Don’t keep bank account information
– Don’t uniquely identify users devices
– Don’t track connection points
– Do provide a paid service
So it is possible. It just isn’t standard practise.
GOG is massive. MASSIVE. And hugely popular thanks to their no-DRM policies. People who won’t buy from Steam (maybe like yourself) buy from GOG.
You’re not ‘usually’ a fan of 2FA? So you’d rather share your credit card and also perhaps your residential information with a company but not your phone number? Here’s the thing, the unique identifies you’re so keen on concealing from these companies are probably already in their database, provided unwittingly by you when you created an account on their website. In this world true and absolute privacy is an illusion, better get used to this notion.
……….
You’re not ‘usually’ a fan of 2FA?
……….
Yes ‘usually’, not ‘always and in all circumstances’. 2FA is a security measure against account theft and there are ways to implement it that are less privacy-invasive than others.
.
……….
” So you’d rather share your credit card and also perhaps your residential information with a company but not your phone number? ”
……….
No, I would not share my credit card information either obviously. Many sites that require 2FA don’t make providing such data mandatory.
.
……….
” In this world true and absolute privacy is an illusion, better get used to this notion. ”
……….
Advanced users are mostly fine.
For everyone else, how about the push for HTTPS, the rise of secure emailing, default-enabled end-to-end encryption in ubiquitous products such as WhatsApp, implementation of differential privacy by companies like Apple (they do not deserve to be considered privacy-protectors, but they are experimenting feasibility and it’s good), Mozilla’s design and development protocols, etc. ?
Normal users who use the web to its fullest without paying attention to detail still have no privacy against Facebook, Google, Microsoft and ad networks, but when they start caring they can grab a small amount of privacy back. It’s getting easier year after year, and that amount increases progressively, both thanks to tools that protect them against the will of tracking companies (browsers, add-ons, etc), and to improving industry standards and practises.
That’s odd. I think I got the email more than two days ago. I disabled 2FA. Don’t need it, password’s fine.
Probably sending out emails over a couple of days.