
question 2-step-verification and how it works


AniMeshorer

In my first topic on this forum I already asked if 2FA is still recommended for EU-based domain owners, as our private info (name, address, email address, phone nr) is redacted for privacy in WHOIS search results. That's already quite a good layer of privacy, but maybe it is wise to still add an extra layer of security by setting up two-step verification.

I have read about Authy and Google Authenticator to set up 2FA. I have three questions about this:

1) what are the main differences between Authy and Google Authenticator? Is one recommended over the other?

2) I sometimes let someone else use my mobile phone. If the one-off code sent to sign into my domain account would be sent to an app on my mobile, can that person then sign into my domain account and steal my domains? Or would that person also need to know my username/email address AND password?
In other words: would the one-off sign-in code be sent only after having entered the correct username and password of your domain account?

3) my domain account is registered with an email address I only access on my desktop computer.
I also have a Gmail account on my smartphone, but don't want my domains or my domain account to be connected to that Gmail account on my smartphone. If I'd ever need the password recovery option, I would not want the link to reset the password to be sent to that Gmail address on my smartphone.
By using a Google product (Google Authenticator) for 2FA, isn't there the risk that my domain account and/or domains get connected to the Gmail account on my mobile, and that password reset links would be emailed to that Gmail on my smartphone?
 
0
•••
I use Authenticator.

They only send the code after you have logged in.
You then open the app, check the 6 digit code, and type it in to a second box on your desktop
which was generated after your login.

Have to say if I thought 'someone' was going to steal my domains then I wouldn't lend them my phone!

Can't answer the rest, other than to say I've never had a problem using 2FA.
 
0
•••
I sometimes let someone else use my mobile phone.
If you can afford it, have 2 phones, with one of them being of no value as nothing important or security related is on it, no personal data, etc, and which you can let other people use, without any concerns.

Giving other people access to your main phone, however strongly you trust them, leaves you open to potential abuse & theft, even if it's not from who you lent your phone to.

Perhaps look to see if your registrar (or any other registrar) offers 2FA, as that would probably be better than 3rd party offerings.
 
0
•••
I use Authenticator.

They only send the code after you have logged in.
You then open the app, check the 6 digit code, and type it in to a second box on your desktop
which was generated after your login.

Have to say if I thought 'someone' was going to steal my domains then I wouldn't lend them my phone!

Can't answer the rest, other than to say I've never had a problem using 2FA.

I fully agree, but the only people sometimes using my phone are people I trust 100%. However, I am sometimes overconcerned even if it involves people I trust to full extent. Also, I'd be a bit worried carrying my phone with me to crowded places such as sports games or concerts if the 6 digit code needed to log into my domain account would be sufficient (even if nobody in that place knows my password).

But you've answered that question clearly: they only send the code after you have logged in. :) Thanks for that answer!
 
1
•••
If you can afford it, have 2 phones, with one of them being of no value as nothing important or security related is on it, no personal data, etc, and which you can let other people use, without any concerns.

Giving other people access to your main phone, however strongly you trust them, leaves you open to potential abuse & theft, even if it's not from who you lent your phone to.

Perhaps look to see if your registrar (or any other registrar) offers 2FA, as that would probably be better than 3rd party offerings.

What do you mean with "better than 3rd party offerings"?

Now it does seem like Google Authenticator is trustworthy.
That leaves me with one question though: my domains and my domain account are registered with an email address I check only on my desktop computer. However, on my smartphone I have a Gmail account. I however would NOT want that Gmail account on my mobile having any link to my domains and domain account. I do not want that pressing the "recover/reset password" option would send a password reset link to the Gmail account on my smartphone.

Before installing and using Google Authenticator, I would need to be sure that it would not create a link between that Gmail account on my smartphone and the domains/domain account.
I'm a bit concerned about that, as Google often links different products of theirs; for example by having a Gmail account on your smartphone you're automatically signed in to YouTube if you access the YouTube app on that same smartphone.

So I'd need to be sure that pressing the "reset password" or "recover password" option (when signing into my domain account at my registrar) would not send a password recovery link to the Gmail account on my smartphone that would also contain Google Authenticator app.
 
0
•••
What do you mean with "better than 3rd party offerings"?
Some (all?) registrars have 2FA for logging into your account, but I have only seen this used with email.
I have no idea how good 3rd party 2FA services are and as I don't use any product/service from the evil G, I can't comment as to whether it is strong or not. I don't know anything about Authenticator.

A registrar's 2FA could be better, but I don't know.
 
0
•••
Also, I'd be a bit worried carrying my phone with me to crowded places such as sports games or concerts if the 6 digit code needed to log into my domain account would be sufficient (even if nobody in that place knows my password).
It wouldn't be. You have to log in with your username & password, then use the 6 digit code that is showing at that instant. It's a one-time code which deletes after 30 seconds and generates a new one, so even if someone saw that code number it would be no use the next time you log in. HTH.

Some (all?) registrars have 2FA for logging into your account, but I have only seen this used with email.
Afternic offer two-step via Text.
 
0
•••
Afternic offer two-step via Text.

Hmmm, I never heard of Afternic registrar. I'll have to check if they're any good.

I was thinking of giving Porkbun a try, not sure which 2FA systems they use.

I wouldn't mind Google Authenticator if it would not make a connection with the Gmail account on my smartphone. I use a different email address for my domain account and domain names, and I don't want the Gmail address on my mobile phone to be connected to my domains or domain account. Otherwise anyone who would somehow get my phone could use the "password reset" or "password recovery" option and the link to create a new password would be sent to the Gmail account on my smartphone. The same smartphone where Google Authenticator would be on.

Do you know about Authy? Apparently that's another 2FA tool. Not sure if that's reliable?
 
0
•••
Hmmm, I never heard of Afternic registrar. I'll have to check if they're any good.

Lol. For a second I thought you were having a pop at the newbie.

Afternic is a GD marketplace for selling, not a registrar.
I missed that part in the question, probably because I'm many hours ahead of most of you. :sleep:

Do you know about Authy?
No, sorry.
 
0
•••
Lol. For a second I thought you were having a pop at the newbie.

Afternic is a GD marketplace for selling, not a registrar.
I missed that part in the question, probably because I'm many hours ahead of most of you. :sleep:


No, sorry.
I am a bit of a newbie, so sorry if some questions seem a bit odd. :unsure:

My main concern with Google Authenticator: I use a Gmail address for my domain account. But on my smartphone I have a second Gmail address in the Gmail app.

Since a lot of Google products are connected automatically (for example if I open the YouTube app on my phone, I am signed in automatically with the same email address/Google account I use for email on my phone), I was wondering if using Google Authenticator on my smartphone wouldn't automatically connect with the Google account/Gmail address on my smartphone. And thus, if using Google Authenticator on my smartphone wouldn't connect my domain account to the Gmail address on my smartphone.



Actually I saw that Porkbun has different styles of 2FA where you need, on top of username and password, to put a specific USB-stick (token) in your computer to sign into your account. This would be great in my opinion, I wouldn't need to worry about using a Google product. However, I tried to open a Porkbun account and it didn't work, and I couldn't reach their support at all (which was odd because they usually get a lot of praise for their support; I however couldn't reach them by chat or phone, and an email remained unanswered so far).

Not sure what other registrars use such tokens/USB sticks for 2FA.
 
0
•••
It seems that Yubikey and the Yubico Authenticator are really reliable. This combines several protocols such as U2F and TOTP. You have to insert a USB-key (Yubikey) into your computer, and only then it creates a once-off code to complete the sign-in process. I guess it doesn't get more safe than this.

I don't know which reliable registrars accept Yubico Authenticator? But on the Yubico website they claim that it works with any registrar that accepts Google Authenticator. Is that true?
 
0
•••
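How the two-step login discussed in this thread works in code, as an added example that is not part of any post: a standard TOTP (RFC 6238) generator plus a hypothetical registrar-side `login` check that looks at the code only after the password. It assumes the registrar uses standard TOTP; the account, password and function names are constructed for illustration, and the secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1): depends only on the shared secret and the clock."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // step)          # 30-second window number
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account; the secret is the RFC 6238 test key in base32.
SALT = b"constructed-salt"
ACCOUNT = {
    "user": "owner@example.com",
    "pw_hash": pw_hash("correct horse battery", SALT),
    "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}

def login(user, password, code, now, used_windows):
    """Hypothetical registrar-side check: password first, then the one-time code."""
    password_ok = hmac.compare_digest(pw_hash(password, SALT), ACCOUNT["pw_hash"])
    if user != ACCOUNT["user"] or not password_ok:
        return "password rejected"          # the code is never even looked at
    for drift in (0, -1):                   # current window, plus one back for clock skew
        t = now + drift * 30
        if hmac.compare_digest(totp(ACCOUNT["totp_secret"], t), code):
            if t // 30 in used_windows:
                return "code already used"  # a seen code cannot be replayed
            used_windows.add(t // 30)
            return "ok"
    return "code rejected"

if __name__ == "__main__":
    seen = set()
    now = 1111111109
    code = totp(ACCOUNT["totp_secret"], now)   # what the phone app or hardware key shows
    print(login("owner@example.com", "wrong guess", code, now, seen))
    print(login("owner@example.com", "correct horse battery", code, now, seen))
    print(login("owner@example.com", "correct horse battery", code, now + 2, seen))
```

Any authenticator app or hardware key loaded with the same secret computes the same six digits, since the calculation uses nothing but the secret and the time.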
In my first topic on this forum I already asked if 2FA is still recommended for EU-based domain owners, as our private info (name, address, email address, phone nr) is redacted for privacy in WHOIS search results. That's already quite a good layer of privacy, but maybe it is wise to still add an extra layer of security by setting up two-step verification.

I have read about Authy and Google Authenticator to set up 2FA. I have three questions about this:

1) what are the main differences between Authy and Google Authenticator? Is one recommended over the other?

2) I sometimes let someone else use my mobile phone. If the one-off code sent to sign into my domain account would be sent to an app on my mobile, can that person then sign into my domain account and steal my domains? Or would that person also need to know my username/email address AND password?
In other words: would the one-off sign-in code be sent only after having entered the correct username and password of your domain account?

3) my domain account is registered with an email address I only access on my desktop computer.
I also have a Gmail account on my smartphone, but don't want my domains or my domain account to be connected to that Gmail account on my smartphone. If I'd ever need the password recovery option, I would not want the link to reset the password to be sent to that Gmail address on my smartphone.
By using a Google product (Google Authenticator) for 2FA, isn't there the risk that my domain account and/or domains get connected to the Gmail account on my mobile, and that password reset links would be emailed to that Gmail on my smartphone?
What are you talking about? Logging in to your registrar? Never had a problem with a good password. I like to have my contact info published for a domain. 1. It shows I own the name. 2. I sometimes get interested buyers contact through the WHOIS info.
 
0
•••
What are you talking about? Logging in to your registrar? Never had a problem with a good password. I like to have my contact info published for a domain. 1. It shows I own the name. 2. I sometimes get interested buyers contact through the WHOIS info.

While I agree that a strong password already is a huge protection, using 2FA is a hassle-free additional layer of security. Like having two locks on your front door instead of one. Entering that second key only takes 30 seconds of your time, while it does add security.
Even though I also agree that usually good login credentials are already very secure usually. But I guess 2FA cannot do harm, so why not use it :)
 
0
•••
