Add Google Authentication option
It is really unfortunate that GOG has not added TOTP 2FA, please add it, thank you.
As mentioned by many others, both SMS and E-mail authentication are less secure, and in the case of e-mail has serious usability issues with e-mails being delayed.
Implementation of RFC 6238 compliant TOTP which we can then use with applications such as Google Authenticator would be significantly more secure.
It is important to stress that if you add this form of 2FA, that it does not require "backup" methods such as SMS or E-mail, as your security is only as strong as the weakest link.
Yes, this means users who lose access to their 2FA app will also lose access to their account, this should be made abundantly clear to the user when they opt to enable this level of security.
E-Mails sometimes take 10 minutes to be delivered, a TOTP code from an authenticator works instantly and is more secure.
Email and SMS 2FA is a joke.
Please implement TOTP as 2FA for login check - thank you!
we have 2024, and there is still no decent 2fa on gog :)
+1 Please implement an authenticator option, thank you
Please support passkeys with FIDO2/WebAuthn protocols such as Yubikey.
Please give us TOTP
Yep, this is the only app that doesn't use an authenticator, because the EA app uses one, Ubisoft Connect uses one, Epic uses one, and of course Steam uses one too. And I use the Authy authenticator since it is better than Google.
Also in support of GOG adding standardized TOTP (RFC 6238) 2FA.
Had to resend verification code 3 times before it arrived
Wow since 2016 we are stuck here .... what the hell.
Who authenticates by email and sms anymore?
Please implement G-Aut. we desperately need that.
After all we invest a lot of money in our accounts. They should be better protected.
I consider email based 2FA to be a joke. While I take steps to protect my email address, once you have my real email address, any security options linked to that email is compromised.
Know how businesses all have safeguards and standards that users have to meet, or they can't use the service. The only reason I still have a GOG account is because of the money invested in it.
Real 2FA (FIDO / TOTP) is becoming something I have started to say MUST be used on my accounts. It's open standard, and shouldn't be difficult to work into current systems.
TOTP is very important, this feature is much needed!
+1, it doesn't make any sense these days not to have a real TOTP solution for our accounts (not email). FIDO would be a good addition too, but IMHO, at least, support for external TOTP.
Just thought I'd check if this had been added yet and found this thread. In this day and age email 2FA isn't really that secure especially as it's directly linked to login credentials.
Using a TOTP solution that can be used with Google Authenticator, Aegis Authenticator, Microsoft Authenticator, Authy etc. (there is a reason why there is such widespread support for this approach) should be considered mandatory. If I can get a free plugin to implement this for a WordPress site, it shouldn't be beyond the scope of the company to implement something similar, and it would be a considerable security upgrade.
With the recent attack on accounts for Steam devs, the security for GOG should be increased to try and be ahead of the game: FIDO / TOTP or new passkeys.
+1 for authenticator
+1 for using a TOTP authenticator.
I would really love to see FIDO2 and TOTP be implemented. Either would improve login convenience and account security compared to the existing options.
An offline 2FA system is far more secure than email based. If your email account gets hacked, the attacker can take over all the rest of your accounts because they can do account recovery and have the 2FA to back it up. Having your 2FA separate from your email means the attacker would also have to have access to your 2FA client or somehow know the unique 2FA code you were given when you set up 2FA on your account.
Any site that doesn't support self-management of TOTP makes me use it far less. Email isn't convenient and can be especially painful when emails get delayed. Please provide the hash so we can use our own auth apps.
Would also appreciate the implementation of OATH's TOTP.
The ignorance of these comments is hilarious. Google Authentication doesn't mean you have to use Google to authenticate. What OP means is the algorithm used by Google Authentication, which is standard and used by third-party apps as well. That way you can use the authenticator you want and not be stuck with email authentication. It's better security in every way, and it's absurd to think this will somehow result in Google spying on you. It's an open-source algorithm developed by Google, but peer-reviewed. You can research how it works.
TOTP please
+1 to implement 2FA using authenticator apps
Insane boomer smell in here. "Google auth option" doesn't mean you can only use Google's app. There's Authy, there's Aegis, there's like 5 more free apps that support biometric login and code export to several devices.
+1 for app auth method, CD Projekt should step out of the dark Slavic ages already
I don't care what way shape or form it's done. even if it's "just a little this way" or "but it's only a little here like this!"
NO. absolute NO. zero % google is the only amount I am okay with. keep that FAR away from my login, my account, my games, my LIFE.
I don't want anything google near me at all. I am so uncomfortable that I might just quit gaming if google tries to get into or near my games or accounts. JUST solid NO.
What is the holdup here?
please stop those thousands of mails per day :P
save mails/power/traffic/nerves ;)
(+1) I don't like the 2FA with e-mail!
Yes! 2FA with email is horrible. WE want TOTP!
+1 for using a TOTP authenticator.
And for the computer illiterates in the comments: These programs generate a code every 30 seconds and display it to you. This is the code you have to enter to log into your account. There is NO transmission of any sort between the authenticator and anything. The server knows the formula to calculate the code by itself, they are once synchronized via QR code and then both calculate on their own. And when logging in, they just check whether you have the same result.
So NO tracking with google or whatnot, no transmission of anything during login, just a way to get a code that is MUCH more secure than an email which is essentially a postcard anyone on the route can read.
This comment section shows the digital illiteracy of people. They are saying no, thinking Google will track it or something, lol. For those idiots, Google Authenticator is a TOTP based Authentication method where you can use any app you want, no need to use Google Authenticator if you don't like it. Use Authenticators like Aegis which are completely offline and nobody can track it. Just get some knowledge before refusing to accept better changes asked by other people.
Keep GOG free of google! If so let users choose other authenticators free of the big corporations.
And please, do not ever consider to use ReCaptcha and stay clear of stuff that supports adding knowledge to machine learning
Is this for Google login? Or Google Authenticator? If it's Google login I don't care either way - won't use it.
If it's Google Authenticator, then yes please! The benefit of adding Google Authenticator as 2FA instead of what we have now (email), is that attackers would need to gain access to BOTH your email and the one-time-code from the Authenticator. Right now the one-time-code is sent to your email, so attackers only need to compromise your email.
Indeed, I prefer to use a TOTP authenticator over email (i.e. Google Authenticator, Duo Mobile, Authy, Bitwarden, etc.)
Why would I want to send all my GoG activity to Google? No more Google tracking, please. Google's spying scripts are already everywhere in GoG. De-Googlefy GoG now, please!
Fuck google and anyone who helps them further take over, dominate and ruin everything. Hard NO.
Except Google Auth is pretty much a spyware, tracking stuff you do when it's loaded
+1. There seem to be misunderstandings here about how authenticators work. Most authenticators (Google, Authy, etc.) use the same standardised algorithm called TOTP. So implement TOTP authentication and users can use any authenticator software they want.
You are much more likely to be "hacked" through your google authentication. I'd rather have them remove all kinds of authentication from third parties from the website.
yes please
Use Authy
While I don't LOVE Google, I HATE Facebook, and if we have Facebook auth we should at least have the option to use Google instead.
I thoroughly and wholly disagree. Less Google = better.
If only there were such an option, I would use it. I log in through Google for everything I possibly can.
Steam and Blizzard use their own authenticator. Uplay, Origin, and EGS are already using Google Authentication. Using an authenticator significantly increases the security of the account, in addition, the implementation does not require large financial costs. Another plus of using Google Authenticator (in my opinion) - you do not need another application on your smartphone.
I agree that would be very nice
52 comments about this wish