poll Do You Use Two-Step Verification to Secure Your Domains?

  • This poll is still running and the standings may change.
  • Yes: 258 votes (61.0%)
  • No: 137 votes (32.4%)
  • Unsure: 28 votes (6.6%)

Domain name security is something that should be taken extremely seriously. With regular reports of valuable short domain names being stolen, it seems that liquid domain names in particular are a target for opportunist thieves.

One of the most common ways to counter possible domain theft attempts is to use two-step verification, also known as two-factor authentication (2FA).

This simple feature adds an additional layer of protection beyond your password. Thousands of sites now offer two-step verification to protect your data, financial details and more.

Domain registrars including GoDaddy, Uniregistry and NameCheap offer two-step verification to add an extra level of security to help protect your domain names from theft.

NamePros have written a couple of extensive articles about two-step verification, the first from November 2015, with a later article series from NamePros technical genius Paul Buonopane.

But do you take advantage of the free service? It's something that takes just a couple of minutes to set up and could save your valuable domains in the long run.

We encourage you to take part in the poll above to allow the community to see how widely two-step verification is used within the domain industry.
 
19
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
I use it at all registrars I have names at. Can never be too safe.
 
4
•••
If you're not using 2 factor authorization,
I don't recommend letting everyone know:)
 
7
•••
8
•••
I have been using it for the past month. The only problem I face is that I have to be in a mobile coverage area in order to get the verification PIN.
 
1
•••
10
•••
Of course. Sure it's a pain sometimes when on the road or using different gear, because it takes a whole THREE MORE SECONDS to get in, but ain't it worth the effort…?
 
4
•••
My registrar uses 5 security questions in order to change any whois status or transfer.
Joe T
 
3
•••
Should be another option..depending on site!
The ones where it is an option..Yes
 
1
•••
Some will 'whitelist' your ip as well.
 
1
•••
How do you handle the issue when travelling overseas and not being able to use the same phone number?
 
3
•••
Absolutely, I also use deadbolt security=someone has to call me and request my secret or nothing moves from my account.

2 factor would be nice to force on all customers to eliminate thefts from email; the problem is that not everywhere in the world has reliable signals to receive text messages.
 
1
•••
My favorite conversation, every time:

Network Solutions Rep: "May I ask why you are transferring all these domains from Network Solutions?"
Me: "Where do I start? You have a terrible platform, terrible pricing, terrible security..."
Rep: "Sir, we are one of the oldest registrars in the country with top of the line security measures"
Me: "Great, how can I set up 2 Factor Authentication?"
Rep: "You should have those authorization codes shortly"
 
6
•••
My registrar uses 5 security questions in order to change any whois status or transfer.
Joe T
whoa.. Isn't that painful? Which registrar is this?
 
0
•••
Domain name security is something that should be taken extremely seriously. With regular reports of valuable short domain names being stolen, it seems that liquid domain names in particular are a target for opportunist thieves.

My biggest problem is that I don't receive the 2FA codes from most registrars who use SMS to send the OTP codes. Usually, the problem is with LogicBoxes based registrars... Wherever authy/google authenticator is supported, I use them.
 
1
•••
I actually use 3-factor security. With Authy, I have set up a pin to even use the app. So the registrar password, authy pin and then the 2-FA code means I have three layers of security.
 
2
•••
I actually use 3-factor security. With Authy, I have set up a pin to even use the app. So the registrar password, authy pin and then the 2-FA code means I have three layers of security.

They might have fixed it but I think I read that Authy is vulnerable to phone porting hacks, just like SMS. Google Auth is still the safest.
 
1
•••
2 Factor at registrar and on the registrant email account. Probably don't have anything worth stealing but you never know lol
 
0
•••
I have used two-step verification for about half a year. Turned it on after frequent messages from NP members about domains being stolen.
 
0
•••
They might have fixed it but I think I read that Authy is vulnerable to phone porting hacks, just like SMS. Google Auth is still the safest.
Thank you for this info. I've disabled multi-device. Reading up more on this. My understanding is that this can be prevented using a master password... Will need to look into this in greater detail
 
0
•••
Using digital security is a prerequisite for responsible behaviour in the www.
 
0
•••
1
•••
I have been using it for the past week, and I want to secure my account.
How can I? Please help.
 
0
•••
It's worth noting that email is the least secure 2FA method, followed by SMS. The most secure method for the average user is formally called TOTP; most people know it as Google Authenticator, which is a popular app that can be used for TOTP. TOTP typically uses 6-digit numeric codes that change every 30 seconds. You use an app on your phone (e.g., Google Authenticator) to generate them.

If you use an app to synchronize your 2FA keys, you don't really have 2FA because it's possible to recover the keys from a central location with a password. Most people don't understand this; they see lack of synchronization as an inconvenience instead of a security feature.

SMS isn't a secure option because it's relatively trivial to hijack someone else's phone number. For the average hacker, it's inconvenient, so it's not a huge issue unless you're a profitable target. For hackers with more resources, the hijacking process can be simple and transparent, but they usually don't waste their time with petty thievery. Of course, if you have a lot of valuable domains, both of these scenarios should concern you.

Email 2FA is bollocks. Don't use it. If you're offered email as a backup 2FA method, decline, if possible. When hackers go after individual targets, the first thing they do is compromise email accounts. If you're like most people, your domain registrar account and your email account have the same password (shame on you!), so not only is this not 2FA, it's basically just requiring a hacker to enter the same password twice. I bet that'll thwart all the bad guys! (Please read that previous sentence sarcastically.)

Always choose backup codes as your backup 2FA method, when possible. Not email, not SMS. Good ol' handwritten backup codes. Stick them under your mattress; most hackers aren't about to check there.

While I'm lecturing, I might as well make a plug for password managers. Don't reuse passwords. If you can remember your password, it's a lousy password. You can store them with pen and paper if you want, but keep in mind that you still need something capable of generating secure passwords.

For reference, this is what a secure password looks like: ssJ`,e/k*J c2h`f
 
8
•••
@Paul Buonopane - Would really appreciate if you could share your thoughts on these questions/situations:

How common are situations where users permanently lose account access due to losing 2FA access (e.g. losing the phone used to receive the codes)? I assume a number of users don't have adequate backup arranged for these situations. What if somebody loses access to primary 2FA and has also lost their backup access method, such as printed out backup codes. Are there situations where users get permanently locked out of their own account with no recourse to regain access?

If an account is set up with a secure 30 character password made up of letters (mixed case), numbers and symbols, and is only used for one account, would this be relatively secure without 2FA?

If a registrar account does not use 2FA, but requires one or multiple security questions to be answered in order to manage any domain actions (unlock, request authorization code, approve transfer), and these security questions are set up well, how secure is this?
 
0
•••