Overall, I like bidding on pending delete auctions at DropCatch.com. I can pay for a domain name instantly after the auction concludes, and within moments, the domain name is provisioned to my NameBright account. The platform is generally user-friendly, and I like bidding there. There is one issue though.
Every time I login to my DropCatch account, it prompts me for a 2FA code. This would be okay if it was once in a while or even once per day. However, this isn’t the case. If I backorder a domain name, step away from my computer for a little while, I am almost always prompted for a 2FA login after returning to place subsequent bids. With my auction routine, I could be prompted for 2FA logins several times in a morning. I don’t mind 2FA, but I would prefer to be prompted once a day, at most.
I find this persistent 2FA login requirement to be a nuisance.
Several months ago, I reached out directly to DropCatch management to ask about this as a user. I heard back from the company shortly thereafter. They appreciated the feedback, I was told, and I appreciate that they replied to my email to show they were looking into it.
Nothing had changed that I could see until today. No, 2FA is still required, and the cookie length appears to be the same. The change is an extra step to access 2FA. Instead of logging in to my account and being directed to enter the 2FA code, I was asked to select whether I want to receive 2FA via email or text. I chose my preferred option and hoped that would be that. When I went back to DropCatch a little while after, I had the same prompts.
In my opinion, if there’s a 2FA option at DropCatch, users should be able to select their preferred 2FA option as a default in their settings rather than adding an extra step to login. In addition, I would prefer to use a 3rd party 2FA authentication app like Google Authenticator. That’s besides the point.
I am a big believer in handling issues in private. I have never used my blog as a bludgeon and won’t change that. However, I must not be the only user who gets frustrated by this, and perhaps others who are annoyed by this will chime in and share. Maybe it’s just me!
Does this issue annoy you, too?
— Elliot Silver (@DInvesting) January 5, 2024
I have the same issue with GoDaddy auctions and Afternic. I have to relog back in and go through 2FA constantly, and since GoDaddy is so buggy sometimes I get logged out after just a few minutes.
At least with GoDaddy – in my case – the 2FA is protecting my domain names. With DC, it’s just my bidding account.
I’m very glad to see you voicing this concern Elliot. You’re definitely not alone, this is something I’ve also communicated privately to DropCatch about for some time now, to no effect as you’ve mentioned.
I believe DropCatch is simply one of the first to be in compliance with a new standard that has been set by the Payment Card Industry Security Standards Council (PCI DSS version 4) for all websites and online businesses that process credit card payments are supposed to be in compliance with by March 31, 2025. That is the reason, I’m fairly certain, for why MFA was recently added, however I don’t know why they cannot address the cookie length, as it is extremely annoying and counterproductive.
As far as I understand it, the updated PCI DSS v4 requires that anyone who can access cardholder data, which presumably means the user/customer since you can access your own card info, must use MFA every single time they login. It specifically states that it no longer applies just to those with administrative access as it did in the past. We’re likely to see this rolled out across every major ecommerce website over the next year, so get ready to have to deal with this across multiple websites on a daily basis that didn’t require it before.
I tweeted at the PCI SSC the other day to ask why there is no public comment period, as if this applies to every user of an ecommerce set across the web it’s going to have a massive impact and net drag on productivity.
https://twitter.com/PCISSC/status/1742546425978683560
If I am wrong, someone please correct me.
You can use google authenticator now. Go into your NB account and look under security settings for 2fa.
I couldn’t log in to DC at all yesterday (the 2fa email never came after numerous attempts). Fortunately I could still get into NB. I emailed support and their reply was that text is available now. When I looked, totp (google/authy) was there too.
I assume something with the rollout of the new options blocked me from getting into DC.
But yeah, they have the shortest 2fa window of any site I use regularly, including banks.
Maybe sessions issue. OR who knows they might have implemented it to thwart those shill bidders who login via proxy etc.
But yes I agree that it is definitely a headache.
This may have been fixed. I logged in with 2FA this morning, and when I visited again this afternoon, I was still logged in. Anyone else?