Do You Use Two-Step Verification to Secure Your Domains?

  • This poll is still running and the standings may change.
  • Yes: 258 votes (61.0%)
  • No: 137 votes (32.4%)
  • Unsure: 28 votes (6.6%)

Domain name security is something that should be taken extremely seriously. With regular reports of valuable short domain names being stolen, it seems that liquid domain names in particular are a target for opportunist thieves.

One of the most common ways to counter possible domain theft attempts is to use two-step verification, also known as two-factor authentication (2FA).

This simple feature adds an additional layer of protection beyond your password. Thousands of sites now offer two-step verification to protect your data, financial details and more.

Domain registrars including GoDaddy, Uniregistry and NameCheap offer two-step verification to add an extra level of security to help protect your domain names from theft.

NamePros have written a couple of extensive articles about two-step verification, the first from November 2015, with a later article series from NamePros technical genius Paul Buonopane.

But do you take advantage of the free service? It's something that takes just a couple of minutes to set up and could save your valuable domains in the long run.

We encourage you to take part in the poll above to allow the community to see how widely two-step verification is used within the domain industry.
 
True story: Last week I was updating / changing a regular round of passwords only to get to a major BANK, and was FORCED to provide exactly 6 alphanumeric characters. This is NEW with them as we've always used a random mix of a dozen or so letters, numbers and symbols but NO. Again, that's exactly 6 (six) letters and/or numbers with no option to use any symbols as @Paul Buonopane used above.
 
> True story: Last week I was updating / changing a regular round of passwords only to get to a major BANK, and was FORCED to provide exactly 6 alphanumeric characters. This is NEW with them as we've always used a random mix of a dozen or so letters, numbers and symbols but NO. Again, that's exactly 6 (six) letters and/or numbers with no option to use any symbols as @Paul Buonopane used above.

Whenever this happens, I berate the company on social media, forward it to a bunch of security professionals that get a lot of publicity, and then switch to a different service provider because complaining on the internet never accomplishes anything.
 
How common are situations where users permanently lose account access due to losing 2FA access (e.g. losing the phone used to receive the codes)? I assume a number of users don't have adequate backup arranged for these situations. What if somebody loses access to primary 2FA and has also lost their backup access method, such as printed-out backup codes? Are there situations where users get permanently locked out of their own account with no recourse to regain access?

It's quite rare, unless the user is deliberately obtuse or provided inaccurate information on registration (e.g., false name). Usually, direct interaction with a human is required to recover the account, and there's often a waiting period that ranges from a few hours to a few days. Companies with physical offices near the customer will often require that the account holder visit in person (particularly banks).

If an account is set up with a secure 30 character password made up of letters (mixed case), numbers and symbols, and is only used for one account, would this be relatively secure without 2FA?

No. The second factor solves a different problem. It's often trivial to compromise a password; anything from a keylogger hidden in a phishing email to simply watching as someone types it in could be a valid attack. It's a lot harder to compromise a TOTP (2FA) key because the underlying key is never known to the user. Your phone and the server both share the same key; they have an algorithm that takes the key and time as input, and from that they derive a numeric code. Because one of those inputs is continuously changing (time), the numeric code is continuously changing. However, as long as the server and your phone have the same input when generating the codes (time + secret key), they'll have the same output (numeric code). This is why it's important not to synchronize TOTP credentials with an app such as Authy: the secret key becomes "just another password" that a hacker can intercept in transit or by compromising the account used to synchronize data.

If a registrar account does not use 2FA but requires one or multiple security questions to be answered in order to manage any domain actions (unlock, request authorization code, approve transfer), and these security questions are set up well, how secure is this?

Useless. They're just extra passwords. I always generate random answers to security questions because, for some stupid reason, they're treated with a higher level of authenticity than a password. If you use real answers for your security questions, you should know that the answers are out there. Even the fancy-looking knowledge-based authentication (KBA) you see when opening a major account is useless (that's the one where they ask you questions about your life that you're supposed to remember). The bad guys are better at answering those questions than the real people.
 
For reference, this is what a secure password looks like: ssJ`,e/k*J c2h`f

While we're on that subject, a secure password that can be remembered is, "ThisLongPhraseICanAlwaysRemember" ;)
 
> While we're on that subject, a secure password that can be remembered is, "ThisLongPhraseICanAlwaysRemember" ;)

Actually, any combination of words that forms a coherent sentence (or otherwise follows some pattern) has low enough entropy. The most powerful password cracking tools out there focus on no more than two words per password, but there are utilities for use in conjunction with cracking programs that combine words based on grammar or common n-grams.

The myth originated with a famous xkcd comic, but the comic deliberately avoided forming a coherent sentence. It's since been shown to be a poor method to teach people because they misinterpret the method; they think it's okay to choose words by hand. Humans generally aren't capable of creating secure passwords unaided.

That being said, xkcd's example is based on a pool of only 128 words, so it's possible to create a secure password from simple words; it's just not reasonable to do it by hand. Since the publishing of that comic, valid word-based password schemes have grown in popularity in highly secure applications, but the words are chosen at random.

Here's the original comic. Again, don't listen to what it's saying unless you understand exactly how entropy works; chances are you'll be misinterpreting it. And yes, Tr0ub4dor&3 is a lousy password. Many popular websites still use insecure algorithms that permit guessing orders of magnitude faster than 1000 guesses/sec, so take 3 days and make it 3 minutes, tops.

[Image: password_strength.png, the xkcd password strength comic]
 
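To make the entropy arithmetic in the post above concrete, here is an added example (not part of the thread) that computes the bits a word-based passphrase gets from its pool size, how long exhausting that keyspace takes at a given guessing rate, and generates the phrase with the OS random source so no human choice is involved. The word pool is a constructed placeholder; only its size matters for the arithmetic.

```python
import math
import secrets

# Constructed sample pool, kept tiny so the code runs offline; a real scheme draws
# from a published list of a few thousand words (the pool size is what matters).
SAMPLE_POOL = ["amber", "basin", "cobalt", "drift", "ember", "fjord", "gravel", "harbor",
               "ivory", "juniper", "kettle", "lantern", "marble", "nectar", "orchid", "pebble"]


def entropy_bits(num_words: int, pool_size: int) -> float:
    """Bits of entropy when each word is drawn uniformly and independently from the pool."""
    return num_words * math.log2(pool_size)


def seconds_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Time to try every combination at a given guessing rate (the attacker's worst case)."""
    return 2 ** bits / guesses_per_sec


def crack_time_days(num_words: int, pool_size: int, guesses_per_sec: float) -> float:
    """Days to exhaust the keyspace of a num_words phrase drawn from pool_size words."""
    return seconds_to_exhaust(entropy_bits(num_words, pool_size), guesses_per_sec) / 86400


def random_passphrase(num_words: int, pool=SAMPLE_POOL) -> str:
    """Pick words with the OS CSPRNG so no human choice (and no grammar) leaks into the result."""
    return " ".join(secrets.choice(pool) for _ in range(num_words))


if __name__ == "__main__":
    for pool_size in (128, 2048):
        for rate in (1e3, 1e6):
            print(f"4 words from {pool_size}: {entropy_bits(4, pool_size):.0f} bits, "
                  f"{crack_time_days(4, pool_size, rate):.2f} days at {rate:.0e} guesses/s")
    print("random phrase:", random_passphrase(5))
```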
Google Authenticator is so much more reliable than SMS. It's not even close.
 
There is a solution: if you do not have a phone connection, you can always use a virtual phone. If you are logged in to your virtual phone, you can receive the text message from there. There are a few companies that offer a solution like that.
 
I wonder how many members here have the same password for NP that they do for their registrars?
 
I just remembered and have always meant to ask @Joe Styler this: Why does your support need the 2FA code AFTER being provided the phone-in PIN? This, imo, is a massive security vulnerability. The entire point of 2FA is lost if I have to provide it over the phone or chat to a support agent. I've never seen something like this happen anywhere else except GD and can't understand why you'd compromise the 2FA like this.
 
> I just remembered and have always meant to ask @Joe Styler this: Why does your support need the 2FA code AFTER being provided the phone-in PIN? This, imo, is a massive security vulnerability. The entire point of 2FA is lost if I have to provide it over the phone or chat to a support agent. I've never seen something like this happen anywhere else except GD and can't understand why you'd compromise the 2FA like this.

The codes generated are unique each time. This further secures your account so that if you were to let someone know your PIN they could not use it alone to enter your account. I didn't answer the poll but I use 2FA on my accounts. :)
 
> The codes generated are unique each time. This further secures your account so that if you were to let someone know your PIN they could not use it alone to enter your account. I didn't answer the poll but I use 2FA on my accounts. :)

Yes, but someone only needs to enter my GD account once to wreak havoc, not the 2nd time or the nth time. So giving the 2FA code even once compromises the entire security provided by 2FA. Why do the support folks need my 2FA code, especially over chat or phone? I have no way to verify whether someone purportedly calling from GD is really from GD, and them asking for my 2FA code is a major risk and a vulnerability.
 
> Yes, but someone only needs to enter my GD account once to wreak havoc, not the 2nd time or the nth time. So giving the 2FA code even once compromises the entire security provided by 2FA. Why do the support folks need my 2FA code, especially over chat or phone? I have no way to verify whether someone purportedly calling from GD is really from GD, and them asking for my 2FA code is a major risk and a vulnerability.

Don't give it to anyone calling you. If you call in and you have 2FA, you need to give it to support to enter your account. I wouldn't give anyone your PIN or 2FA code if you were unsure if it was us.
 
> Don't give it to anyone calling you. If you call in and you have 2FA, you need to give it to support to enter your account. I wouldn't give anyone your PIN or 2FA code if you were unsure if it was us.

Joe, I think you're missing the entire point. Why do I even need to give it to support at all? That is a highly flawed system that undermines the basic premise of 2FA security. At the end of the day, it should not matter where I called in, GD called me, or if it is a chat conversation. Giving out 2FA codes is wrong and should not be encouraged. I'm always uncomfortable giving it out to GD reps but I have no way around it when I need their assistance with something.
 
> Joe, I think you're missing the entire point. Why do I even need to give it to support at all? That is a highly flawed system that undermines the basic premise of 2FA security. At the end of the day, it should not matter where I called in, GD called me, or if it is a chat conversation. Giving out 2FA codes is wrong and should not be encouraged. I'm always uncomfortable giving it out to GD reps but I have no way around it when I need their assistance with something.

I disagree and think your account is much safer with that option. The 2FA code is unique each time, so it would do the customer service rep no good to know your 2FA code. The other option is for the agent not to have to ask for your 2FA code, which means anyone who finds out your PIN or the last 8 of your credit card would have access to your account; these most likely do not change each time they are used (unless you manually change them).
 
I use three-step verification, and the additional hassle it requires is nothing compared to the potential damage to your financial and mental health.
 