Domain name theft is a big issue for domain investors. I strongly recommend that investors and other domain registrants enable two-factor authentication (2FA) on their domain registrar accounts to help secure them. Most domain registrars offer at least one form of 2FA, and several offer multiple forms, including text message, authenticator app, key fob, and YubiKey, among others.
GoDaddy allows its customers to choose from a variety of security options to secure their accounts. Not only can a domain investor use Google Authenticator or a YubiKey at GoDaddy for 2FA, but investors can also utilize DTVS (Domain Transfer Validation Service), which is a phone call from GoDaddy to confirm and approve a domain name transfer or account change.
While these security features are helpful, I think a security enhancement is necessary at Afternic, a domain name sales platform that is owned and operated by GoDaddy. Investors would like to know when we can expect to have the option to add 2FA at Afternic:
When can we expect @afternic to implement 2FA?
It would suck for a security scandal to be the driving force behind change.
— |🎙️| Josh.co |🌐| (@JoshDotCo) August 2, 2020
When an investor lists a domain name for sale at Afternic and it is registered at a registrar that is part of GoDaddy’s Fast Transfer network, it will automatically transfer to the buyer when sold. This is a great program that makes it pretty seamless to sell domain names.
Because Afternic does not offer 2FA for customers, I think there is the potential for security issues.
I would imagine there are Afternic customers who don’t have the best security practices. Perhaps their Afternic password is reused on multiple sites or is not really secure (like Afternic123 or Password123). If someone gains access to the account, either because the password was compromised on another website or because the password is easy to guess, a domain name’s price can be changed without notifying the registrant. Instead of having a name listed for $80,000, someone could change the price to $2,000 without detection. They could then buy the name at a partner registrar, pay, and have the domain name transferred automatically. The domain registrant would only find out that the domain name was sold for much less than its listed price when they receive the Afternic Transaction Assurance sale email.
While the likelihood of someone exploiting this opportunity is relatively low, given that I have not heard anyone complain about this happening, that doesn’t mean it will not happen in the future. It would be a shame if this is exploited and 2FA is implemented in a reactionary manner. Why should someone have to go through the trouble of disputing a sale that happened as a result of this when 2FA can help reduce much of the risk here?
This is not a new request, as Michael Summner wrote an article outlining the issue in September of 2018. GoDaddy still sends authorization emails that can be confusing.
I think GoDaddy needs to offer 2FA at Afternic. It doesn’t make sense not to do this. From my perspective, it’s almost like having a home with a strong deadbolt lock on a steel front door, while the side door is just a hollow slab door with a push lock that can be opened fairly easily.