Dynadot refusing to unlock account, what are my options? ...

[tripflex]

Going to try and keep this short and sweet. I started a hosting company back in 2009, was just me and eventually grew in size. I ended up having to start hiring people and one of them that was with us for a short while I had setup an account with Dynadot to start catching auction domains.

Long story short, he left the company a month or so later, and now about 2 years later I go into the account to try and transfer one of the domains, and am unable to unlock the account.

Dynadot required birthday to unlock and if you don't have that you need the security question. I don't have the guys birthday and every attempt to contact him has failed.

Few things to note:

• All domains under account were purchase with MY business credit card with MY name on it
• The email on the account has been setup to forward to my email
• The address on the account is my company address
• The phone number on the account is company phone number

Contacted Dynadot multiple times and they basically refuse to unlock the account unless I get them a photo ID showing his name or provide the security question answer. I've asked them to just review the invoices and they will see it's my name on the credit card, asked to verify via sending a letter to address, or even call to verify, but they refuse to do any of that to verify the account.

So now i'm left with what options I have available to handle this. My first thought was just to get a lawyer involved, but that could end up costing a good chunk of change and I want to try and keep the cost down as much as possible.

The only other option I could think of was to let the domains expire and try and catch them in the Dyandot auction, or if the price ends up going crazy out of control in the auction, just renew the domain.

Does anybody have any suggestions or thoughts regarding this? I've exhausted every option I can think of to prove to them it's my account but have not gotten anywhere.

If I do let the domains go into auction and expire, say I end up not catching one of them because someone snipes the bidding and gets it .... technically I could still renew it, right? As long as it's within redemption period?

Thanks guys!!

 

[Name Trader]

@forge - What happened for them to lock you out of your account? I'm interested because they have been my preferred registrar for years. I have many domains there. I think their service is impeccable,

 

[Hypersot]

I'd like @Dynadot to comment on this as in,
is it that easy to get locked out of our account permanently?

I have my main emails and site with them and, if I'm locked out -for whatever the reason- it'd totally destroy me

 

[Name Trader]

@Hyperslot - You do know you should never have your domains and hosting with the same company? That would cause you untold grief if you lost both your domains and your hosting. Most disputes seem to be with the hosting accounts (generally not about dynadot). So if you get in trouble with your hosting and they lock your account you lose both the your domains and hosting. Whereas if they are at separate companies and you get in trouble with your hosting, you can just sign up with a new host and carry on. Believe me. Wise words.

 

[Hypersot]

@Hyperslot - You do know you should never have your domains and hosting with the same company? That would cause you untold grief if you lost both your domains and your hosting. Most disputes seem to be with the hosting accounts (generally not about dynadot). So if you get in trouble with your hosting and they lock your account you lose both the your domains and hosting. Whereas if they are at separate companies and you get in trouble with your hosting, you can just sign up with a new host and carry on. Believe me. Wise words.

You are absolutely right. I just didn't express myself correctly.
I have the domain with dynadot and hosting/emails with hostgator. I meant that emails are based on that domain.

It's just that, even if I lose/can't get access to said domain it will be a huge hit in case something happens and I'll need to access it.

Still, if they don't answer on this thread, I'll contact them and try to clear this up. I really don't want a company that has such restrictions on critical assets.

 

[DU]

Still, if they don't answer on this thread, I'll contact them and try to clear this up. I really don't want a company that has such restrictions on critical assets.

I'll say the same thing I always say.

Domainers -
First to complain when their domains get stolen
First to complain when their domains are protected from being stolen

They've never been an issue for me.

 

[forge]

@forge - What happened for them to lock you out of your account? I'm interested because they have been my preferred registrar for years. I have many domains there. I think their service is impeccable,

I've been told by their support that ALL user accounts are locked down by default. So if by chance you enter an incorrect date of birth upon unlocking, after 2 or 3 attempts you are denied access. In order to 'reset' your stated DOB, you are then required to answer a "secret question". I don't recall even setting a "secret question" answer for my account in the first place. Mind you, I never had any password issues for accessing at least the "first level" of my account.

If one time you answer this question incorrectly, your account will be locked down permanently until you "send" Dynadot a photo of a government-issued ID.

Say what you will, but as far as I'm concerned this is nonsense. It's not even worth my time discussing further, but feel free to argue among yourselves.

 

[DU]

I've been told by their support that ALL user accounts are locked down by default. So if by chance you enter an incorrect date of birth upon unlocking, after 2 or 3 attempts you are denied access. In order to 'reset' your stated DOB, you are then required to answer a "secret question". I don't recall even setting a "secret question" answer for my account in the first place. Mind you, I never had any password issues for accessing at least the "first level" of my account.

If one time you answer this question incorrectly, your account will be locked down permanently until you "send" Dynadot a photo of a government-issued ID.

Say what you will, but as far as I'm concerned this is nonsense. It's not even worth my time discussing further, but feel free to argue among yourselves.

For Those Who Might Want to Argue
The account lock is always the birth date. You could use a real one, a consistent fake one (how many NP members have Jan 1 birthdays!), or write it down.

It's like a password. It's important to have a record or use one you won't forget.

Secret Question
The secret question is YOUR OWN QUESTION and with YOUR OWN ANSWER.

Examples you can use:

Question: "It's a Color rhymes with foo and and a flower that rhymes with lows"
Answer: PurplooLilyoes

Question: "It's a fish but also a mammal"
Answer: "dolphin"

Question: "Two Plus Two is what?"
Answer: "dolphin"

Question: "What is a good word reversed"
Answer: "nihplod"

Question: "I'm not even going to ask a question because you know the answer (not purploolilyoes)?"
Answer: "dolphin"


One time entry seems harsh though. I think 2 goes or 3 would be ok. Or 1 per email soft reset.

 

[Dynadot]

@Hypersot Thanks for tagging us & for being a Dynadot customer! It's not easy to get locked out of your account. Most customers have no problem locking or unlocking their account. The ones that do are typically either people who didn't set up their own account or people who put jibberish in for their secret question and answer.

Also, our system doesn't lock you out of your account. People who don't remember their secret question/answer are still able to access their account and manage their domain names. The account lock we're talking about here is an extra layer of security designed to keep your domains safe, so one thing you can't do if you can't unlock your account (or someone else trying to access your account can't unlock it) is transfer your domains away.

Hope that helps! Feel free to email us [email protected] if you have any more questions.

 

[Hypersot]

@Hypersot Thanks for tagging us & for being a Dynadot customer! It's not easy to get locked out of your account. Most customers have no problem locking or unlocking their account. The ones that do are typically either people who didn't set up their own account or people who put jibberish in for their secret question and answer.

Also, our system doesn't lock you out of your account. People who don't remember their secret question/answer are still able to access their account and manage their domain names. The account lock we're talking about here is an extra layer of security designed to keep your domains safe, so one thing you can't do if you can't unlock your account (or someone else trying to access your account can't unlock it) is transfer your domains away.

Hope that helps! Feel free to email us [email protected] if you have any more questions.

Excellent answer

thank you

 

[Name Trader]

I've been told by their support that ALL user accounts are locked down by default. So if by chance you enter an incorrect date of birth upon unlocking, after 2 or 3 attempts you are denied access. In order to 'reset' your stated DOB, you are then required to answer a "secret question". I don't recall even setting a "secret question" answer for my account in the first place. Mind you, I never had any password issues for accessing at least the "first level" of my account.

If one time you answer this question incorrectly, your account will be locked down permanently until you "send" Dynadot a photo of a government-issued ID.

Say what you will, but as far as I'm concerned this is nonsense. It's not even worth my time discussing further, but feel free to argue among yourselves.

I think the quote from @DU is appropriate,

Domainers -
First to complain when their domains get stolen
First to complain when their domains are protected from being stolen

It looks like youve jumped on your high horse and refused to send them identification because, by your own actions, you have triggered their security systems. At that rate, I don't think you'll be able to transfer your domains out, either.

 

[carob]

Most customers have no problem locking or unlocking their account.

Hi Dynadot thank you for your general reply. Now could you kindly answer the unanswered question that has been put to you here and elsewhere:

In many parts of the world there is no requirement to have a photo id of any kind and many people do not have one. So how do you unlock those accounts?

 

[carob]

One time entry seems harsh though. I think 2 goes or 3 would be ok. Or 1 per email soft reset.

Just to summarise what we already know:

There is no warning that there is just one try, or that failure results in permanent lockout. On lockout user is asked to email in a government photo ID and wait 48 hours, and Dynadot offer no alternative procedure. Users are not told this on account creation.

 

[forge]

Providing your driver's license could put you at risk of identity theft

http://www.consumerreports.org/cro/news/2013/12/drivers-license-identity-theft/index.htm

“It’s a terrible, terrible practice," said Marc Rotenberg, executive director of the Electronic Privacy Information Center. "To begin with, it’s easily a contributor to identity theft, and it’s unnecessary.”

http://www.pcworld.com/article/136120/article.html

Information to Keep Private
Almost Never Provide Your...
Driver's license Though your state's Department of Motor Vehicles site may require you to enter this information, no other site should

 

[carob]

@Hypersott's not easy to get locked out of your account. Most customers have no problem locking or unlocking their account.

Hi @Dynadot you still haven't answered the question put to you here before and asked again before the weekend - can you please answer this now - there are important issues here:

In many parts of the world there is no requirement to have a photo id of any kind and many people do not have one. So how do you unlock those accounts?

 

[carob]

The account lock we're talking about here is an extra layer of security designed to keep your domains safe, so one thing you can't do if you can't unlock your account (or someone else trying to access your account can't unlock it) is transfer your domains away.

That is not true. And Dynadot knows it, and by saying and doing this they put their ICANN accreditation at risk by breaking ICANN domain transfer rules - as well as annoying and inconveniencing account holders and domain registrants.

It is technically accurate to say the account lock prevents you unlocking domains or generating authcodes from within the account, or changing account holder details. But you can still change registrant names and details if you want in the locked account, in fact Dynadot accounts are set up to hold multiple registrant profiles so one account may serve many registrants.

In a nutshell, ICANN sees the registrant as the owner and gives them a clear right to transfer the domain, regardless of whose account it is in - they can just directly tell Dynadot to transfer it to them, and then Dynadot has to unlock the domain and provide the authcode directly to them.
https://www.icann.org/resources/pages/transfer-policy-2015-09-24-en

 

[DU]

That is not true. And Dynadot knows it, and by saying and doing this they put their ICANN accreditation at risk by breaking ICANN domain transfer rules - as well as annoying and inconveniencing account holders and domain registrants.

It is technically accurate to say the account lock prevents you unlocking domains or generating authcodes from within the account, or changing account holder details. But you can still change registrant names and details if you want in the locked account, in fact Dynadot accounts are set up to hold multiple registrant profiles so one account may serve many registrants.

In a nutshell, ICANN sees the registrant as the owner and gives them a clear right to transfer the domain, regardless of whose account it is in - they can just directly tell Dynadot to transfer it to them, and then Dynadot has to unlock the domain and provide the authcode directly to them.
https://www.icann.org/resources/pages/transfer-policy-2015-09-24-en

Using your logic:
If someone happens to get access to your account and changes the registrant to their email address then they own the domain and have clear right to transfer the domain no questions asked. Furthermore, if someone gets access to JUST your email account then they should be able to transfer the domain wherever they want because in your world an email is the sole key needed to garner ownership. Simply login and request an auth and transfer away. Thieves don't even need to have account access and ICANN will revoke you accreditation if you don't allow them to do that!

In your world. Theft is easy. Why even bother with passwords or accounts.. just handle everything via email.

A better interpretation of what @Dynadot said was that someone that couldn't pass a basic authentication challenge will not be allowed to transfer the domain. No where did they say they would refuse to transfer the name if you provided information validating your account. If you set up your account with valid information (i.e. not made up persona ) you should be able to manage this. This is no different than any registrar.. Can you imagine the following being ok?
"Hey GoDaddy/Name/Enom etc...,

I've like totally forgotten my login and password but I know my domain is there.. can you just give me access? Please? I can totally prove who I am by sending you my name written on a sheet of paper in ink...but this email is from the registrant email that I never hacked, it's so really mine, so it should be cool. Actually, don't bother giving me access because I just want to transfer the name anyway so give me the auth code and unlock it, mmkay?"

Your link states much of what must be done but it also has as a valid reason for denial:

3.7.2 Reasonable dispute over the identity of the Registered Name Holder or Administrative Contact.

I believe that the fact you don't know your account details would be considered reasonable dispute by many who care about domain theft.

As far as country without a photo id.Your link has alternative that might work. Note that many of these are photo id and some (such as (A) will often require one to get the statement - or two alternatives can be usedin the US ). I don't know what Dynadot's position on these are but I've not setup a question and answer that I've forgotten.

(a) Notarized statement
(b) Valid Drivers license
(c) Passport
(d) Article of Incorporation
(e) Military ID
(f) State/Government issued ID
(g) Birth Certificate

If you talk to them maybe something can be worked out.

If you live in a field in Shropshire without internet or housing high on acid? Then you're probably sol.

 

[carob]

If someone happens to get access to your account and changes the registrant to their email address then they own the domain and have clear right to transfer the domain no questions asked.

Yes that is true as defined by ICANN and would have recovered the OP's domain for him, solving the problem that started this thread. It has worked for others. Dynadot have no choice - the alternative is a complaint to ICANN and loss of ICANN accreditation.

The key texts from ICANN you need to quote to Dynadot to recover your domain are:

https://www.icann.org/resources/pages/transfer-policy-2016-06-01-en

5.2 Registrars must provide the Registered Name Holder with the unique "AuthInfo" code and remove the "ClientTransferProhibited" within five (5) calendar days of the Registered Name Holder's initial request if the Registrar does not provide facilities for the Registered Name Holder to generate and manage their own unique "AuthInfo" code and to remove the "ClientTransferProhibited" status

1.1 Transfer Authorities

The Administrative Contact and the Registered Name Holder, as listed in the Losing Registrar's or applicable Registry's (where available) publicly accessible Whois service are the only parties that have the authority to approve or deny a transfer request to the Gaining Registrar. In the event of a dispute, the Registered Name Holder's authority supersedes that of the Administrative Contact.

The domain owner is the registrant, not the account holder. Registrant asserting their rights directly with registrar results in transfer with no involvement of account holder.

 

[DU]

5.2 Registrars must provide the Registered Name Holder with the unique "AuthInfo" code and remove the "ClientTransferProhibited" within five (5) calendar days of the Registered Name Holder's initial request if the Registrar does not provide facilities for the Registered Name Holder to generate and manage their own unique "AuthInfo" code and to remove the "ClientTransferProhibited" status

Technically they aren't violating the above. See red.

Also read not allowed for refusal:

"3.9.3 Domain name in Registrar Lock Status, unless the Registered Name Holder is provided with the reasonable opportunity and ability to unlock the domain name prior to the Transfer Request."

I would suggest that allowing access to the lock/auth code by validating you are the person who put the domain into their custody is within the bounds of reasonable. Asking you to log in and know your birth month/day or answer to a question you created is not unreasonable. All registrars ask you for some validation at the account level - via a PIN or similar. I would expect a custodian of my data to care about the custody of it.

So @carob - we will have to disagree.

I would firmly suggest that no-one use any registrar that would allow someone to transfer a domain away without requiring any form of authentication beyond an email. It's as simple as that for me.

 

[carob]

Technically they aren't violating the above. See red.

Also read not allowed for refusal:

"3.9.3 Domain name in Registrar Lock Status, unless the Registered Name Holder is provided with the reasonable opportunity and ability to unlock the domain name prior to the Transfer Request."

I would suggest that allowing access to the lock/auth code by validating you are the person who put the domain into their custody is within the bounds of reasonable. Asking you to log in and know your birth month/day or answer to a question you created is not unreasonable. All registrars ask you for some validation at the account level - via a PIN or similar. I would expect a custodian of my data to care about the custody of it.

So @carob - we will have to disagree.

I would firmly suggest that no-one use any registrar that would allow someone to transfer a domain away without requiring any form of authentication beyond an email. It's as simple as that for me.

I'm not sure you read my post fully. This method of a registrant getting a domain out of Dynadot without access to the account is not hypothetical - it already works in real life - they have no choice.

I'm guessing your comment is about your own domain names where you are both registrant and account holder. But Dynadot's own system allows for multiple registrants in one account, so registrant and account holder can be different parties, which was the OP's problem. If a developer passed away leaving a client's domain in their account it would be natural for the client to need to recover the domain without access to the account. There simply is no opportunity for them to unlock the domain from within the account.

 

[DU]

duplicate

 

[DU]

I'm not sure you read my post fully. This method of a registrant getting a domain out of Dynadot without access to the account is not hypothetical - it already works in real life - they have no choice.

I'm guessing your comment is about your own domain names where you are both registrant and account holder. But Dynadot's own system allows for multiple registrants in one account, so registrant and account holder can be different parties, which was the OP's problem. If a developer passed away leaving a client's domain in their account it would be natural for the client to need to recover the domain without access to the account. There simply is no opportunity for them to unlock the domain from within the account.

That is indeed a different scenario but it's no different than it would be with any registrar and doesn't change much, if anything.

In my opinion - someone holding the name for someone else on an ad-hoc basis is always going to be a problem and the correct approach is to prevent the problem not criticize the difficulty getting out of it once it arises. You are right.. the registrant is the official owner; however, the registrar needs to ensure the name isn't transferred fraudulently.

In the case of the OP. He had a technical resource set it up who left ....

He CALLED Dynadot and explained... they reset his account ... so there is due diligence and not no flexibility.

If they had proper documentation (they had enough) or decent procedures it wouldn't have happened in the first place and they admitted as much. He also acknowledged he didn't want to pay legal fees.
He still got his control back....
The OPs scenario was an example of corporate control failure.

Take the example of a web company registering and holding the name of one of its clients as you have above. There are two ways this could be handled -

1. Client holds the name and makes necessary updates to nameservers etc to facilitate usage. Client retains full control.
   
   
2. Stewardship of the name is handed to the web company via enforceable contract. That legal document would be enough to enable Dynadot or any registrar to turnover the name. It could be court ordered.

Either way - the issue is a very very small percentage of cases and being blunt - I would suggest that all instances of issues are due to some level of negligence on the part of the registrant/account holder.

So we can continue to disagree because I don't believe that Dynadot has a full no recourse lock-out policy and that's what people are suggesting. There's a vast difference between being annoying/painful when you need something easy... versus operating in violation of accreditation. That is something else entirely.

 

[DNGear]

Just a small idea.

Open another account in dynadot with your full details and send an offer(10 usd) to your domains.
You accept that offer from your old account.
(IP Address should be different).

 

[DU]

Just a small idea.

Open another account in dynadot with your full details and send an offer(10 usd) to your domains.
You accept that offer from your old account.
(IP Address should be different).

I think you need the unlock to be able to list the domain if I recall

 

[DNGear]

I think you need the unlock to be able to list the domain if I recall

Yes its true.
It works, if it was listed already for sale.

 

[GoKaizen]

Never had an issue with Dyandot but I can see how the frustrating the situation is for the OP.