If you're a customer of GOG (formerly Good Old Games), you might have noticed an e-mail in your inbox. That e-mail informs you that, from October 24th, Two-step Login will be enabled on all existing GOG customer accounts. The goal is to increase security by preventing the use of stolen login credentials. The two-step system involves sending a 4-digit code to your registered e-mail address whenever you log in from a browser, device, or location for the first time. This code is required, alongside your login and password, to gain access to your account.
If you use the same login credentials (username and password) for many sites, someone who obtains them from one poorly defended site can use them to try to access other accounts you might hold. In theory, the two-step verification method prevents this, as long as the data thief doesn't also have access to your e-mail account. The best advice from the security experts is to never use the same password for more than one site.
The move by GOG is not surprising; when the 'Wallet' feature was announced in August, manually enabling two-step verification was a requirement to use the service. You can read the full statement as it appeared in the e-mail from GOG here; it also includes links on how you can opt out of the system. Opting out is not recommended, but you can currently do so with one click. After October 24th, you'll have to do this manually from your account settings. GOG has also posted an FAQ on the topic, including tips on increasing online security, here. The statement from GOG on why they feel this is necessary runs as follows:
Most of us have dozens of accounts across various online services, and we often use the same login and password combination on many of them. Very rarely, some external services can get hacked, and their login and password combinations “leak out”. Unauthorized parties can then try to use these logins and passwords to access accounts on secure services, like GOG.com. Because of this, account security is now more important than ever, and using multi-factor authentication is a perfect way to prevent access by someone who obtains your login and password (provided that you’re using a unique password on your email account!).
If you receive a two-step verification code and you haven't logged in, someone may be trying to access your account. To find out if your data has appeared in any known data breaches, GOG recommends using haveibeenpwned.com to search for your details, though other, similar, free services exist.
Account security is more and more important to us as consumers, as we slowly build a library of sites that could potentially, and unintentionally, leak our personal information. Are you satisfied that companies like GOG are taking these steps, or is there more that could be done? Let us know in the comments below!