When someone attempts to log in to an account at Name.com with an incorrect password, the email address associated with the login ID receives a failed login notification. This is useful because it can tell the account holder that someone is trying to access the account without permission. Taking it a step further, Name.com also allows users to see the most recent login attempts (failed and successful). I think all registrars should offer this feature.
As helpful as it may be to know someone failed to log in to an account, it would be even more helpful to know someone was able to gain access to an account. By that point, domain names in the account are likely vulnerable, but at least the login is noted and available to analyze. People who are more vigilant may wish to check this on a regular basis to ensure unauthorized parties do not have account access, but it would be helpful to know when someone else logged in to an account in addition to knowing when someone tried but failed to log in.
An additional helpful feature registrars might consider offering is an automated email notifying the user every time a login is attempted, whether successful or not. Sure, this might get annoying if someone logs in to their account multiple times per day, but the one time an account is accessed unlawfully, the user would be able to report the security breach and protect the account rapidly. Wordfence, a WordPress plugin that is widely used, offers this feature. It would be great to see this implemented at domain registrars.
These security features aside, I strongly recommend adding two-factor authentication (2FA) on all domain registrar accounts. Whether you add 2FA via Google Authenticator, text message, YubiKey, or another option offered by registrars, this is the first line of defense for domain investors and domain registrants. It is also advisable to use different login IDs at different registrars, and obviously do not re-use passwords for different accounts.
Kudos to Name.com for allowing customers to see all logins.
I agree – it should be an option you can toggle on or off. Porkbun sends you an email after you’ve logged in. At first I felt like I don’t need that, but now I support it 100% and would like it to be available everywhere.
You should be able to restrict logins to your account by IP, or country or region. That could prevent a lot of hacking attempts.
That’s another great idea. This could be updated in the event of travel or a move.
NameSilo offers to send you emails every time someone logs in successfully or unsuccessfully. I don’t find it annoying at all – I think it is a great feature. You can also set up to five additional security questions that must be answered before you make certain updates.
Dynadot shows IP addresses of recent logins in your account, but they really should offer to send emails as well.
Epik has an IP whitelist, but I fear I will screw that up and lock myself out 😉
Thanks for sharing that. I did not know some registrars already offered this. Would be great to see more of them with this.