Do You Use Two-Step Verification to Secure Your Domains?

  • This poll is still running and the standings may change.
  • Yes: 258 votes (61.0%)
  • No: 137 votes (32.4%)
  • Unsure: 28 votes (6.6%)

Domain name security is something that should be taken extremely seriously. With regular reports of valuable short domain names being stolen, it seems that liquid domain names in particular are a target for opportunist thieves.

One of the most common ways to counter possible domain theft attempts is to use two-step verification, also known as two-factor authentication (2FA).

This simple feature adds an additional layer of protection beyond your password. Thousands of sites now offer two-step verification to protect your data, financial details and more.

Domain registrars including GoDaddy, Uniregistry and NameCheap offer two-step verification to add an extra level of security to help protect your domain names from theft.

NamePros have written a couple of extensive articles about two-step verification, the first from November 2015, with a later article series from NamePros technical genius Paul Buonopane.

But do you take advantage of the free service? It's something that takes just a couple of minutes to set up and could save your valuable domains in the long run.

We encourage you to take part in the poll above to allow the community to see how widely two-step verification is used within the domain industry.
 
19
It's worth noting that email is the least secure 2FA method, followed by SMS. The most secure method for the average user is formally called TOTP; most people know it as Google Authenticator, which is a popular app that can be used for TOTP. TOTP typically uses 6-digit numeric codes that change every 30 seconds. You use an app on your phone (e.g., Google Authenticator) to generate them.

If you use an app to synchronize your 2FA keys, you don't really have 2FA because it's possible to recover the keys from a central location with a password. Most people don't understand this; they see lack of synchronization as an inconvenience instead of a security feature.

SMS isn't a secure option because it's relatively trivial to hijack someone else's phone number. For the average hacker, it's inconvenient, so it's not a huge issue unless you're a profitable target. For hackers with more resources, the hijacking process can be simple and transparent, but they usually don't waste their time with petty thievery. Of course, if you have a lot of valuable domains, both of these scenarios should concern you.

Email 2FA is bollocks. Don't use it. If you're offered email as a backup 2FA method, decline, if possible. When hackers go after individual targets, the first thing they do is compromise email accounts. If you're like most people, your domain registrar account and your email account have the same password (shame on you!), so not only is this not 2FA, it's basically just requiring a hacker to enter the same password twice. I bet that'll thwart all the bad guys! (Please read that previous sentence sarcastically.)

Always choose backup codes as your backup 2FA method, when possible. Not email, not SMS. Good ol' handwritten backup codes. Stick them under your mattress; most hackers aren't about to check there.

While I'm lecturing, I might as well make a plug for password managers. Don't reuse passwords. If you can remember your password, it's a lousy password. You can store them with pen and paper if you want, but keep in mind that you still need something capable of generating secure passwords.

For reference, this is what a secure password looks like: ssJ`,e/k*J c2h`f
 
8
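The password-manager point in the reply above (generate passwords randomly; a password you can remember is weak), worked through as an added example that is not code from the original post. The 94-character alphabet, the meets_policy() helper and its 80-bit floor are assumptions for illustration; the 6-character alphanumeric comparison is included because that kind of limit comes up later in the thread.

```python
"""
Random password generation with a CSPRNG, plus the entropy arithmetic behind
"if you can remember your password, it's a lousy password".
Added example; not code from the original post.
"""
import math
import secrets
import string

# Same character classes as the sample password in the reply: mixed-case
# letters, digits and punctuation (94 printable ASCII characters). Assumed set.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Draw each character independently and uniformly with `secrets`
    (never the `random` module, which is not cryptographically secure)."""
    if length < 1:
        raise ValueError("length must be positive")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet needs at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password of `length` symbols drawn uniformly from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def meets_policy(password: str, min_bits: float = 80.0,
                 alphabet: str = PRINTABLE) -> bool:
    """Check a manager-generated password: every character must come from
    `alphabet`, and the entropy it would have if generated uniformly from
    that alphabet must reach `min_bits`. The 80-bit floor is an assumption."""
    in_alphabet = all(c in alphabet for c in password)
    return in_alphabet and entropy_bits(len(password), len(alphabet)) >= min_bits


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"-> {entropy_bits(16, len(PRINTABLE)):.1f} bits")
    # A policy of exactly 6 alphanumeric characters (36 symbols) by comparison:
    print(f"6 alphanumerics -> {entropy_bits(6, 36):.1f} bits")
```

A 16-character draw from 94 symbols is about 105 bits; a 6-character alphanumeric password is about 31 bits, which is within reach of an offline guessing attack.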
If you're not using 2-factor authorization,
I don't recommend letting everyone know :)
 
7
My favorite conversation, every time:

Network Solutions Rep: "May I ask why you are transferring all these domains from Network Solutions?"
Me: "Where do I start? You have a terrible platform, terrible pricing, terrible security..."
Rep: "Sir, we are one of the oldest registrars in the country with top of the line security measures"
Me: "Great, how can I setup 2 Factor Authentication?"
Rep: "You should have those authorization codes shortly"
 
6
I use it at all registrars I have names at. Can never be too safe.
 
4
Of course. Sure it's a pain sometimes when on the road or using different gear, because it takes a whole THREE MORE SECONDS to get in, but ain't it worth the effort…?
 
4
My registrar uses 5 security questions in order to change any whois status or transfer.
Joe T
 
3
How do you handle the issue when travelling overseas and not being able to use the same phone number?
 
3
How common are situations where users permanently lose account access due to losing 2FA access (e.g. losing the phone used to receive the codes)? I assume a number of users don't have adequate backup arranged for these situations. What if somebody loses access to primary 2FA and has also lost their backup access method, such as printed-out backup codes? Are there situations where users get permanently locked out of their own account with no recourse to regain access?

It's quite rare, unless the user is deliberately obtuse or provided inaccurate information on registration (e.g., false name). Usually, direct interaction with a human is required to recover the account, and there's often a waiting period that ranges from a few hours to a few days. Companies with physical offices near the customer will often require that the account holder visit in person (particularly banks).

If an account is set up with a secure 30 character password made up of letters (mixed case), numbers and symbols, and is only used for one account, would this be relatively secure without 2FA?

No. The second factor solves a different problem. It's often trivial to compromise a password; anything from a keylogger hidden in a phishing email to simply watching as someone types it in could be a valid attack. It's a lot harder to compromise a TOTP (2FA) key because the underlying key is never known to the user. Your phone and the server both share the same key; they have an algorithm that takes the key and time as input, and from that they derive a numeric code. Because one of those inputs is continuously changing (time), the numeric code is continuously changing. However, as long as the server and your phone have the same input when generating the codes (time + secret key), they'll have the same output (numeric code). This is why it's important not to synchronize TOTP credentials with an app such as Authy: the secret key becomes "just another password" that a hacker can intercept in transit or by compromising the account used to synchronize data.

If a registrar account does not use 2FA, but requires one or multiple security questions to be answered in order to manage any domain actions (unlock, request authorization code, approve transfer), and these security questions are set up well, how secure is this?

Useless. They're just extra passwords. I always generate random answers to security questions because, for some stupid reason, they're treated with a higher level of authenticity than a password. If you use real answers for your security questions, you should know that the answers are out there. Even the fancy-looking knowledge-based authentication (KBA) you see when opening a major account is useless (that's the one where they ask you questions about your life that you're supposed to remember). The bad guys are better at answering those questions than the real people.
 
3
I actually use 3-factor security. With Authy, I have set up a PIN to even use the app. So the registrar password, Authy PIN and then the 2FA code means I have three layers of security.
 
2
True story: Last week I was updating / changing a regular round of passwords only to get to a major BANK, and was FORCED to provide exactly 6 alphanumeric characters. This is NEW with them as we've always used a random mix of a dozen or so letters, numbers and symbols but NO. Again, that's exactly 6 (six) letters and/or numbers with no option to use any symbols as @Paul Buonopane used above.

Whenever this happens, I berate the company on social media, forward it to a bunch of security professionals that get a lot of publicity, and then switch to a different service provider because complaining on the internet never accomplishes anything.
 
2
I have been using it for the past month; the only problem I face is that I have to be in a mobile coverage area in order to get the verification PIN.
 
1
There should be another option, depending on the site!
The ones where it is an option: Yes.
 
1
Some will 'whitelist' your ip as well.
 
1
Absolutely, I also use deadbolt security: someone has to call me and request my secret or nothing moves from my account.

2-factor would be nice to force on all customers to eliminate thefts from email; the problem is that not everywhere in the world has reliable signals to receive text messages.
 
1
Domain name security is something that should be taken extremely seriously. With regular reports of valuable short domain names being stolen, it seems that liquid domain names in particular are a target for opportunist thieves.

My biggest problem is that I don't receive the 2FA codes from most registrars who use SMS to send the OTP codes. Usually, the problem is with LogicBoxes-based registrars... Wherever Authy/Google Authenticator is supported, I use them.
 
1
I actually use 3-factor security. With Authy, I have set up a PIN to even use the app. So the registrar password, Authy PIN and then the 2FA code means I have three layers of security.

They might have fixed it but I think I read that Authy is vulnerable to phone porting hacks, just like SMS. Google Auth is still the safest.
 
1
True story: Last week I was updating / changing a regular round of passwords only to get to a major BANK, and was FORCED to provide exactly 6 alphanumeric characters. This is NEW with them as we've always used a random mix of a dozen or so letters, numbers and symbols but NO. Again, that's exactly 6 (six) letters and/or numbers with no option to use any symbols as @Paul Buonopane used above.
 
1
My registrar uses 5 security questions in order to change any whois status or transfer.
Joe T
Whoa... Isn't that painful? Which registrar is this?
 
0
2 Factor at registrar and on the registrant email account. Probably don't have anything worth stealing but you never know lol
 
0
I have been using two-step verification for about half a year. I turned it on after frequent messages from NP members about domain stealing.
 
0