GoG, you have to stop using email for your 2FA implementation. Using email _completely_ undermines the point of two factor. Also, this happened:

https://motherboard.vice.com/en_us/article/ywyz3x/hackers-could-read-your-hotmail-msn-outlook-microsoft-customer-support

Note: "real 2FA" does not use SMS either.
So what means are you proposing, exactly?
Google Authenticator. Or maybe use the Blizzard one. :-P
You can't blame GoG for another company's security screw-up. They likely use email because it's the most accessible option for the average consumer. I don't know what you're suggesting they use instead... do you expect them to ship USB dongles to all potential customers?

The security of your account is only their concern so far as it is possible to provide additional security in a cost effective way. It's unreasonable to expect them to make up for security flaws from third party hosted mail solutions.
While not agreeing with the premise that email-based tokens are not “real 2FA”, I do think GOG should consider adding other forms of 2FA, such as TOTP.
Experiment513: Google Authenticator. Or maybe use the Blizzard one. :-P
Or enable support for Authy.
Or for Aegis, FreeOTP and just about any other TOTP client.

What the OP is suggesting is likely the use of a time-limited, one-time-use password. For most use cases this is a series of numbers on a timer that you are expected to type in when attempting to log into a service, rather than a clunky email or SMS based solution.

For those wondering if this even works outside of cellphones, yes. It does. There exist several desktop variations of these types of authentication managers.

You could even make one yourself!
Post edited April 16, 2019 by Darvond