Is Dynadot going a bit too far?

Kai W.

If you look through my posting history, you'll see I was one of Dynadot's earliest supporters back when they had an excellent control panel and UI. But several years ago, I voiced my opposition to Dynadot's excessive collection of user privacy data and subsequently left their service.
Yesterday, after tracking an expiring domain to Dynadot, I discovered my account was locked. Having long forgotten the answer to my secret question, I attempted to unlock it. The response email stated they still required government ID verification. Fine, I tried to compromise and clicked the link.

To my astonishment, the very first step involved using a webcam to capture facial features. Good grief. This approach feels eerily reminiscent of practices by Chinese companies, which is deeply unsettling. Even GoDaddy has never done such a thing.

Many large Chinese internet companies have implemented facial recognition systems at the government's request to enhance account security (tracking account owners). Dynadot's actions have alarmed me, as I discovered they had deregistered a Chinese company in 2021. https://baike.baidu.com/item/动点网络科技/1710364
https://aiqicha.baidu.com/detail/compinfo?pid=xlTM-TogKuTw2VBdvKmpllfIddYisWV1oQmd&pd=aen&from=ps&query=天津德纳网络科技有限公司


Many large Chinese internet companies have implemented facial recognition systems at the government's request to enhance account security (tracking account owners). Dynadot's approach alarms me. Although Dynadot operates in China, should we treat dynadot.com and dynadot.com.cn differently? I've noticed that logging in via dynadot.com.cn redirects to dynadot.com/cn/. Does this imply that the U.S.-based dynadot.com and the China-based dynadot.com.cn employ identical user-handling methods?

Does no one else share similar concerns and questions?

@Dynadot @toddhan
 

Attachments
  • Screenshot 2025-09-01 at 11.00.46.png (243.6 KB)
  • Screenshot 2025-09-01 at 10.57.58.png (278.6 KB)
9
maybe I'm not following something here, but if you forgot the answer to your secret question how else would they be able to verify it's you?

Isn't that the point of the account locking?
 
7
maybe I'm not following something here, but if you forgot the answer to your secret question how else would they be able to verify it's you?

Isn't that the point of the account locking?
So you think modern authentication and authorization methods fall short compared to biometrics?

Their account recovery process relies solely on security questions, which fundamentally fails to form a closed-loop authentication system. Modern methods offer numerous alternatives: PassKey, 2FA, SMS—all sufficiently capable of proving identity ownership.

But facial recognition data is highly private and sensitive. Using this method solely to recover lost keys is unscientific. In a sense, facial recognition data is even more critical than the keys themselves. Moreover, the opportunity to answer security questions is limited to just one attempt.
 
1
So you think modern authentication and authorization methods fall short compared to biometrics?

Their account recovery process relies solely on security questions, which fundamentally fails to form a closed-loop authentication system. Modern methods offer numerous alternatives: PassKey, 2FA, SMS—all sufficiently capable of proving identity ownership.

But facial recognition data is highly private and sensitive. Using this method solely to recover lost keys is unscientific. In a sense, facial recognition data is even more critical than the keys themselves. Moreover, the opportunity to answer security questions is limited to just one attempt.
No what I mean is that your account is already locked, so wouldn't your account have to be unlocked to set up a modern authentication method beforehand? Why would they let you do it after you already locked your account and forgot your security question? Isn't that the entire point of the locking?

They already have the option to set up modern authentication within the security options of the account, but I assume you have to do it before you lock yourself out of your account.

Maybe I'm still not following something here...
 
2
Yes, much better they just hand your account over to anyone who asks.
 
6
This is really alarming news for all of us who have not accessed our accounts on various platforms for one reason or another. I only use Dynadot for domain appraisal. Thanks for the useful information.
 
0
No what I mean is that your account is already locked, so wouldn't your account have to be unlocked to set up a modern authentication method before-hand? Why would they let you do it after you already locked your account and forgot your security question? Isn't that the entire point of the locking?

I really don't understand what the real purpose is behind Dynadot locking accounts by default after every login. Seriously, you can just say what you think. Is their authentication not secure enough?


They already have the option to set up modern authentication within the security options of the account, but I assume you have to do it before you lock yourself out of your account.

No, you can't set these up without unlocking the account first.


My take is they're excessively collecting user privacy data—most critically, biometric information. Must we hand over our biometrics just to prove our identity?
Okay, even if that's the case, have you seen any other registrar demanding facial recognition data or even government ID? Namecheap? GoDaddy? Of course, Aliyun is like that.

Especially since their privacy policy section 3.2 only mentions government ID—no mention of biometric data collection.
https://www.dynadot.com/terms-of-use?redirect=part2
 
0
the very first step involved using a webcam to capture facial features
Is it via a third-party service that handles the authentication for them? If so, there's a good chance they won't have access to that data.

That said, the major drop catching companies require this type of authentication just to place a bid.

It seems like that's where the Internet is headed, and one day soon, we'll be telling the youngsters about the good ol' days when you could roam the Internet privately.
 
3
Moreover, the opportunity to answer security questions is limited to just one attempt.
And they don't seem to warn of that - so a simple typo gets your account locked.

I've posted about this before and stopped using them, not just because of the sudden unexpected and inconvenient account locking, but also the really poor attitude they displayed in dealing with the issue. Sounds like things have only got more difficult. Or maybe it is deliberate to harvest usable or even saleable or even misusable data.
 
4
My take is they're excessively collecting user privacy data—most critically, biometric information. Must we hand over our biometrics just to prove our identity?
Under GDPR, biometric data and health data are in a higher "special" category of data requiring higher protection and a valid reason for collecting it. Whether this applies may depend on your location or nationality, but such data really should only be collected when there is no alternative. And it should be clear that users give consent and who controls, holds, processes, or shares the data.
 
2
Is it via a third-party service that handles the authentication for them? If so, there's a good chance they won't have access to that data.
Excellent question. I didn't proceed to the next step, and from the front end, I could only see that this script was sending data to their website—I couldn't determine if a third party was involved. Regardless, analyzing and processing this data would be a massive undertaking, and it seems to deviate from their core business.
That said, the major drop catching companies require this type of authentication just to place a bid.

It seems like that's where the Internet is headed, and one day soon, we'll be telling the youngsters about the good ol' days when you could roam the Internet privately.

Currently, I rarely see internet technology companies using it outside of the financial sector and notary services. Before it becomes an internet trend, there must be widespread adoption of relevant privacy policies. However, this practice is quite common in China, and the true purpose of this data is self-evident.
And they don't seem to warn of that - so a simple typo gets your account locked.

I've posted about this before and stopped using them, not just because of the sudden unexpected and inconvenient account locking, but also the really poor attitude they displayed in dealing with the issue.
I absolutely agree. I also left because of their privacy policy and customer service experience, since a truly automated system wouldn't want the entire process to get stuck at any point or become non-automated.
Sounds like things have only got more difficult. Or maybe it is deliberate to harvest usable or even saleable or even misusable data.
The truly trustworthy approach is to promptly optimize authentication and authorization processes from the user's perspective. However, you can't wake someone pretending to be asleep—they have the right to choose more underhanded tactics like directly altering privacy terms.
 
0
Hello! Thought I might chime in to clear some things up.

So we have a couple methods of authentication for users to access their account and make sure their portfolios are safe. We do have several 2FA methods available to users like Authenticators, SMS, etc, however you will still need to enter them alongside your PIN you set for the account. If the PIN fails (or you don't remember) then the secret question comes up which you had set for your account. If you fail the PIN and don't know the answer to the secret question, then our team requires legitimate proof that you are in fact the account owner (which usually boils down to a selfie and a government ID that matches), however this is a last resort if all the other methods fail.

Sorry it's a bit of a rigamarole, but we take account security pretty seriously, so we really want to make sure you're the actual owner as there's a ton of risk if we don't do our due diligence.

Also, once the verification process is done we do not store the info provided (and no we do not sell the info to anyone either). It is simply so our team can manually verify the identity of who's trying to get into the account.
 
13
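The staff description above of the unlock ladder (PIN alongside 2FA, then the secret question, then manual identity review as a last resort), together with the earlier point in the thread that a single typo on the secret question escalates without any warning, can be modelled as a small state machine. The Python below is an added example written for this thread; it is not Dynadot's code and not a description of their implementation. The attempt limits, the stage names, the `UnlockSession` and `ReviewOutcome` types and the sample PIN and answer are all assumptions. It shows three properties a defender would want in such a flow: PIN and secret answers stored only as salted hashes and compared in constant time, an explicit warning before the last automated attempt, and a manual-review step whose audit record keeps the decision and a ticket reference but has no place to hold the selfie or document.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum


class Stage(Enum):
    PIN = "pin"
    SECRET_QUESTION = "secret_question"
    MANUAL_REVIEW = "manual_review"   # last resort: a human checks identity evidence
    UNLOCKED = "unlocked"


def _normalize(answer: str) -> str:
    # Case and spacing differences are forgiven; a real typo still fails.
    return " ".join(answer.casefold().split())


@dataclass(frozen=True)
class StoredSecret:
    """Salted PBKDF2 digest of a PIN or secret answer; the plaintext is never kept."""
    salt: bytes
    digest: bytes

    @staticmethod
    def _derive(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", _normalize(secret).encode(), salt, 100_000)

    @classmethod
    def create(cls, secret: str) -> "StoredSecret":
        salt = os.urandom(16)
        return cls(salt, cls._derive(secret, salt))

    def verify(self, candidate: str) -> bool:
        # Constant-time compare so response timing leaks nothing about the digest.
        return hmac.compare_digest(self.digest, self._derive(candidate, self.salt))


@dataclass(frozen=True)
class ReviewOutcome:
    """Assumed audit record of a manual review: the decision and a ticket
    reference only. There is deliberately no field for an image or document."""
    reviewer: str
    approved: bool
    ticket_ref: str


@dataclass
class UnlockSession:
    pin: StoredSecret
    answer: StoredSecret
    pin_attempts: int = 3       # assumed limits for this example, not Dynadot's
    question_attempts: int = 2  # more than one, so a single typo does not force ID review
    stage: Stage = Stage.PIN
    used: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def remaining(self) -> int:
        limit = {Stage.PIN: self.pin_attempts, Stage.SECRET_QUESTION: self.question_attempts}
        return limit.get(self.stage, 0) - self.used.get(self.stage, 0)

    def submit(self, value: str) -> dict:
        """Check `value` against the current automated stage and report what is left.
        A warning is returned before the final attempt, which the thread says the
        real flow does not do."""
        if self.stage not in (Stage.PIN, Stage.SECRET_QUESTION):
            return {"stage": self.stage.value, "ok": False, "remaining": 0,
                    "warning": "not an automated stage"}
        secret = self.pin if self.stage is Stage.PIN else self.answer
        self.used[self.stage] = self.used.get(self.stage, 0) + 1
        ok = secret.verify(value)
        self.audit.append((self.stage.value, ok))   # outcome only, never the value tried
        if ok:
            self.stage = Stage.UNLOCKED
            return {"stage": self.stage.value, "ok": True, "remaining": 0, "warning": None}
        left = self.remaining()
        if left <= 0:
            # Escalate to the next rung of the ladder instead of dead-ending.
            self.stage = Stage.SECRET_QUESTION if self.stage is Stage.PIN else Stage.MANUAL_REVIEW
            return {"stage": self.stage.value, "ok": False, "remaining": self.remaining(),
                    "warning": "stage exhausted; escalated"}
        warning = "last attempt: one more failure escalates to the next step" if left == 1 else None
        return {"stage": self.stage.value, "ok": False, "remaining": left, "warning": warning}

    def complete_manual_review(self, outcome: ReviewOutcome) -> bool:
        """Record the reviewer's decision; the evidence they looked at is not stored."""
        if self.stage is not Stage.MANUAL_REVIEW:
            raise ValueError("manual review has not been reached")
        self.audit.append(("manual_review", outcome))
        if outcome.approved:
            self.stage = Stage.UNLOCKED
        return outcome.approved


if __name__ == "__main__":
    # Constructed walkthrough: three wrong PINs, then the secret answer with odd casing.
    s = UnlockSession(StoredSecret.create("1234"), StoredSecret.create("Blue Car"))
    for attempt in ("0000", "0000", "0000", "blue   car"):
        print(s.submit(attempt))
```

Because `ReviewOutcome` has no field that could hold an image, the audit log in this model cannot retain a selfie or ID even by accident, which is the structural form of the "we do not store the info" promise in the staff reply. If a third-party provider performs the check, `ticket_ref` is the only link back to it.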
a selfie and a government ID that matches
once the verification process is done we do not store the info provided (and no we do not sell the info to anyone either). It is simply so our team can manually verify the identity of who's trying to get into the account.
Hi,
Is there any third party involved with the selfie/ID thing?
 
1
We do have several 2FA methods available to users like Authenticators, SMS, etc, however you will still need to enter them alongside your PIN you set for the account. If the PIN fails (or you don't remember) then the secret question comes up which you had set for your account. If you fail the PIN and don't know the answer to the secret question, then our team requires legitimate proof that you are in fact the account owner (which usually boils down to a selfie and a government ID that matches), however this is a last resort if all the other methods fail.
But it seems that currently, the PIN code and login process are two unrelated steps? Because even if the password + 2FA is successfully verified, you still need to go through the PIN code process to prove ownership?
Sorry it's a bit of a rigamarole, but we take account security pretty seriously, so we really want to make sure you're the actual owner as there's a ton of risk if we don't do our due diligence.

If possessing the password and 2FA still fails to prove account ownership, then shouldn't this be explicitly stated as a disclaimer in the privacy policy?

Service providers do bear the responsibility to protect user rights by verifying account ownership. However, they are under no obligation to enforce the use of facial recognition combined with government-issued ID to ensure the identity of the user matches the document. I understand the intent is to prevent fraudsters from misusing the owner's genuine credentials. Yet, from a legal standpoint, any resulting losses are unrelated to the service provider—especially considering the premise that fraudsters must first gain access to the owner's account, password, and 2FA device.
 
1
But it seems that currently, the PIN code and login process are two unrelated steps? Because even if the password + 2FA is successfully verified, you still need to go through the PIN code process to prove ownership?


If possessing the password and 2FA still fails to prove account ownership, then shouldn't this be explicitly stated as a disclaimer in the privacy policy?

Service providers do bear the responsibility to protect user rights by verifying account ownership. However, they are under no obligation to enforce the use of facial recognition combined with government-issued ID to ensure the identity of the user matches the document. I understand the intent is to prevent fraudsters from misusing the owner's genuine credentials. Yet, from a legal standpoint, any resulting losses are unrelated to the service provider—especially considering the premise that fraudsters must first gain access to the owner's account, password, and 2FA device.
I understand what you're saying, but many accounts do not use 2FA. If your password was compromised somehow then a person would have free rein of your account if we didn't have the "unlock" feature of the account with the PIN and Secret question (and providing of ID in place).
 
10
I understand what you're saying, but many accounts do not use 2FA. If your password was compromised somehow then a person would have free rein of your account if we didn't have the "unlock" feature of the account with the PIN and Secret question (and providing of ID in place).
This sounds like a reasonable explanation, and it does come across as more professional and acceptable than the feedback from Dynadot's live chat support. However, it overlooks the possibility that owners might forget these details. If we require owners to keep track of everything, it might actually make theft easier.
BTW, will you optimize the PIN recovery process? Or will verification methods vary based on nationality?
 
0
hell ya it goes too far

there is security and there is paranoia security

u know dyna is the latter when they ask u for birthday unlock on basically accessing every option in site

and are the only registrar on earth to do it
 
3
they ask u for birthday unlock on basically accessing every option in site

and are the only registrar on earth to do it

That is a good point, and it's really annoying to have to "unlock account" in order to perform relatively mundane tasks.
 
6