Double-verification to transfer out of GoDaddy

[000]

Used to be you could manually expedite a transfer away from GoDaddy by approving it on your Transfers page. Would usually complete in minutes. Lately, they're also now requiring verification by email for many domains. I was told that there's an algorithm that determines the risk and flags some names for this extra verification step, and there's no way to opt out.

Really seems unnecessary, especially when I've logged in and approved it already. By submitting the auth code and approving it in my account, I've clearly expressed my intent to transfer, and it seems to me that GoDaddy has taken a step backwards by making it more difficult and time-consuming to move domains away from there.

For those who haven't dealt with this, the steps now are:

- log in, approve transfer. (note: some domains may still be instantly approved I think)
- wait (16 hrs now and counting for my current transfers) for them to get around to sending an email to the whois email asking for approval.
- wait for them to review your email response and approve it.

Again, there's no way to opt out, and even Premier Services phone support can't push the transfer through themselves. You just have to wait it out. Most other major registrars allow for a fast transfer nowadays - even if sometimes you must contact support to do it, they can basically take care of it on the spot.

Can really be a PITA compared to the former instant-transfer (which may still work for some names, though 2/2 in this batch are stuck in pending status). Guess it's just one more reason to keep on transferring out of GoDaddy...

Anyone else think this is a little much? Not saying it's a bad feature to OFFER, but there should be a way to OPT OUT, or at least approve it instantly (even if by email).

 

[forge]

Yes it is more than a little much. Also I've had two unusual experiences with transferring away from GD just within the past week.

One, I unlocked the domain and requested auth code. Fine. Received. Domain was unlocked, and then I submitted the transfer at the gaining registrar. It was refused because the domain was again locked. Unlocked and transfer went through fine the second time around.

Two, unlocked and requested auth code. Submitted transfer at gaining registrar. All well and good, I got the "Check your name" (or some such silliness) email from GD. I went into my cPanel, to transfers and clicked "Accept" to expedite the transfer (as indicated by GoDaddy email). Nothing, although the Whois reflected "Transfer in Progress", it took 3 additional days before the domain was transferred into the new registrar.

Are these just minor burps? I don't think so, because there's no longer any reassurance that a process can be completed seamlessly and on a schedule that, until now, has been very steady going.

Now with additional "algorithms", it might only get worse.

 

[equity78]

@Joe Styler

 

[Joe Styler]

We review all transfers out. I forget the exact number of domains that are flagged but it is really low. They have to meet certain criteria, which I will not discuss publicly, that makes us suspicious that it might be being moved without the owner's knowledge. This was tightened up after GDPR went into effect.

There are several reasons for this. I'm not going to go into detail on all the changes, there are many sites that discuss policy and blog posts that have documented the changes in transfer and ownership verification post GDPR and various registrars' and registries' reactions and updated policies that resulted from the European law.

A big reason we've tightened up on transfers out a bit, (again this an extremely small amount of transfers that are impacted overall) is that the ICANN mandated transfer procedure has changed post GDPR to an interim solution where an FOA is no longer required. Add to that the right to be forgotten. Also some agreements that were in place to easily unwind bad transfers are no longer in place. To oversimplify a bit this means that in some cases it is easier to steal domains and harder to get them back without added cost (read lawyers, court) and added time without your domain (possibly also email and website if tied to your domain).

Our reaction to this development was to tighten up our security to protect our customers. We have been learning more over the past months since GDPR and have subjected less and less domains to the added checks as we refine our tools. We have certainly saved high value domains from theft by implementing this and to my knowledge have not had any incident of successful theft post GDPR implementation via transfer out. Our customer's protection is paramount to us and as a result we intend to continue to balance that with the risk of expediting transfers in all cases. Most transfers continue to be instantly approved and as I stated we are refining things and have made good strides in continuing to reduce the number that need to be manually reviewed.

Ultimately I understand your concern. We do not want to slow a transfer of any kind down. We are doing our best to balance our customers' security with their ability to quickly move domains away. We have continued to refine our tool over the years we had it in place and scale back on the domains that we review. As everyone on this forum knows domains are extremely valuable assets. When choosing a company to do business with it is important to decide your own priorities and pick one that they align with. Almost all transfers away are instant with us. Some may take a few hours extra in an effort to protect the customer and their assets.

 

[000]

Thanks for your response, Joe.

Some may take a few hours extra in an effort to protect the customer and their assets.

I don't mind a few hours, but it's been almost 24 hours and the transferverify team has yet to approve my transfers. It's holding up a deal, and I still don't see why this couldn't be done much faster if I'm giving my explicit approval, multiple times. Why on earth does GoDaddy need to "approve" of my transferring MY domain, when it can be proven that I (the verifiable owner of said name) am indeed the one approving it? My identity is verified with every phone call to support! There should be nothing more to "review"! The domains are UNLOCKED, transfer-eligible, and THE OWNER is requesting a transfer. What more is there to "review"?

 

[000]

Really don't like this. It feels like GoDaddy's setting up this extra step to discourage domains internally deemed 'valuable' from being transferred away from GoDaddy. This extra step will inevitably result in less of these domains being transferred out, and hence more expired auctions (etc) to bring in revenue for GoDaddy.

I have a feeling this "algorithm" probably takes into account "value" based on factors such as auction sales history, GoDaddy appraisal, etc. Why? There's absolutely nothing unique about my domains being transferred that would possibly result in them being flagged for security reasons. The only reason I can think of is that GoDaddy may deem them "valuable" for whatever reason, and to me that's NOT a good reason to be essentially holding names hostage!

Long story short, this is CLEARLY NOT ABOUT SECURITY!

 

[MapleDots]

Long story short, this is CLEARLY NOT ABOUT SECURITY!

That can be argued two ways depending depending on which end of a domain loss you're on.

They probably need to iron out some bugs and you could always suggest a push. If the new owner is in a rush have him create a free godaddy account and push the domain to him. Will be pretty well instant and then the client can take his time transferring out.

 

[Domains - Wanted]

Actually, this has been in place at GoDaddy for a long time. I have had about 20% of my transfers flagged this way for years. I don't see any extra security here as I simply ignore the request for the extra email verification and the transfers still go through within the prescribed 5 days.

 

[000]

In this case, staying at GD was not an option.

Finally got the transfers approved after contacting GD for a 3rd time, so all's good, I just don't like that they're making me jump through time-wasting hoops simply because GD's deemed them "high value domains". It's not a decision based on a suspicious transfer situation, it's simply based on the perceived "value". There has to be a better, faster way.

On the bright side, I guess it's nice to know that GD finds some of my names to be of "high value"...

 

[Joe Styler]

Really don't like this. It feels like GoDaddy's setting up this extra step to discourage domains internally deemed 'valuable' from being transferred away from GoDaddy. This extra step will inevitably result in less of these domains being transferred out, and hence more expired auctions (etc) to bring in revenue for GoDaddy.

I have a feeling this "algorithm" probably takes into account "value" based on factors such as auction sales history, GoDaddy appraisal, etc. Why? There's absolutely nothing unique about my domains being transferred that would possibly result in them being flagged for security reasons. The only reason I can think of is that GoDaddy may deem them "valuable" for whatever reason, and to me that's NOT a good reason to be essentially holding names hostage!

Long story short, this is CLEARLY NOT ABOUT SECURITY!

It is 100% about security. We are reviewing it and making updates to make it smoother for people.

 

[ResoluteDomains]

It is 100% about security. We are reviewing it and making updates to make it smoother for people.

Joe, I recently transferred some domains out and only one got put on hold for a few days. During that time I happened to download my portfolio and noticed that domain had a status of "Transfer From: High Risk Review", was this one of those held back for review perhaps? If it was, why did the others get transferred quickly but only one was deemed a high risk review. All were dot com. Just curious. In any case it eventually transferred.

 

[Joe Styler]

There are different things we look at when a domain is transferring out that make us investigate some more closely to make sure they are not being stolen. I won't go into what we look for because I don't want to give bad actors more information on what can trigger it. The other domains didn't meet the criteria for closer inspection is all I can say.