Two factor authentication (2FA) has been available at most domain registrars for quite some time. Domain registrants can enable 2FA on their registrar accounts, and they are usually given different 2FA options like SMS, Authenticator App, or Security keyfob.
While 2FA is an option for domain registrants, it is not a requirement at most registrars. In the case of CSC, a well-known corporate domain name registrar, 2FA has been a requirement for customers since 2017:
I think this is smart. Instead of giving customers the option to turn on 2FA, CSC requires it for all accounts. I would imagine this reduces the number of stolen domain names and altered domain name records at the registrar.
I don’t see why other domain registrars don’t require customers to use two factor authentication for their accounts. It is relatively easy for customers to set up and maintain, and the only downside is if a 2FA device is lost or misplaced. That would add customer service and tech support costs the registrar would have to bear. Perhaps this is why other consumer-facing registrars don’t require 2FA on all accounts.
Do you think registrars should require 2FA for all accounts?
Do restaurants have to provide toilets?
Do the employees have to wash their hands?
Can they reuse the plates?
If no…then consumers don’t have to do business with them.
Go do business with other businesses that provide good customer services and good features.
1. It should be available and optional, but not mandatory.
2. Mandatory is bad.
3. Options should include:
a. Simple SMS. Some do not provide that option, such as PorkBun. Furthermore, people should be able to add more than one phone number, not just one. GoDaddy has that, for instance.
b. Email based. PorkBun, for example, recently added that, despite not having an SMS option. Namecheap also has that.
4. It’s important to understand (and accommodate) that not everyone wants to have to use anything more complicated or new than SMS or email. If there is 2fa, not only should it not be mandatory, but it should not mandatorily require the possession and use of a “smart phone” or similar “newfangled” device or technology.
It’s also important to understand that there can be plenty of people who are sophisticated and tech savvy who hold this preference, and not assume they are just backwards Neanderthals. In fact, not only can a sophisticated person have a (damn) good reason for not wanting to use those other options, but they might even be current or former IT professionals, yet still do not wish to have to use a “smart phone,” “token,” QR code, etc.
5. This whole idea of “mandatory” is merely a symptom of our times, a sickness. Many people are well able to use super strong passwords and practice good strong security habits. 2fa can sometimes cause genuine problems for people, i.e. customer and clients, let alone registrars.
6. 2fa not only increases risks for technical problems, but also for the possibility of worse problems which are “rotten in Denmark.” Not everyone can necessarily count on being treated the way people like you, Elliot, and other famous industry luminaries are treated, which leads people like you to assume everything will be done properly and right. It may be hard for you to learn this, but that is the way things are in the real world. Some well known players in the industry do not always treat everyone so well even if they treat people like you or other famous “domainers” and others so well. (Real world reality check.)
I could probably say more, but that should do for now.
Yes
Freedom fighters here. Nice. Yes, freedom to choose 2FA should be mandatory.
Exactly. Well said and well put, Melanie, I like your style. And that is what true and good and sound “regulation” would be.
Other than the cost to the registrars, what would be the downside of requiring users to use 2FA in the same way that setting a password is required?
As the saying goes, oh no you didn’t. Well of course, you did.
Well you said “the only downside is if a 2FA device is lost or misplaced. This would add additional customer service and tech support costs the registrar would have to bear.”
Some people do get to live an extremely “charmed” life as it is called. I don’t know what kind of charmed life you’ve been allowed to live, but clearly very charmed indeed.
For starters:
1. The loss of personal choice and discretion alone to begin with is an abomination, anti-social, anti-client, anti-customer.
But to continue on “charmed life”:
Obviously you must not have experienced horror stories firsthand when it comes to added layers of such “technology.” All the worse if it is required and unavoidable vs. optional.
There can also be huge THIRD PARTY and COUNTER PARTY risk involved.
Just to name a few examples, sometimes the SMS text doesn’t even get sent; sometimes the email doesn’t get sent; sometimes the third party “app” doesn’t work. And so forth.
So #’s 2 and 3 can be:
2. The registrar’s own system might not be working properly.
3. THIRD PARTY/COUNTER PARTY risk.
It is also often extremely time consuming and inconvenient.
Especially when you are someone who logs in frequently. In fact, for those who practice good strong security habits, they are actually being punished and penalized for that instead of rewarded, because anyone who does use good security habits is going to also be clearing cookies, cache and active logins. So they can’t just stay logged in for long periods of time and will have to do the 2fa all over again every single time.
So #4 is:
4. Wasted time and effort. Even worse if an SMS or email or whatever doesn’t even get sent or doesn’t work. And believe me, it really adds up even when it does work. I know, because I certainly do use 2fa for a number of services, it’s just that I totally object to it being mandatory and permanent.
And word to the wise: it’s bad for business and your bottom line, i.e. registrars. I could name a few registrars for which I absolutely hate that they make 2fa mandatory. It’s a HUGE inconvenient waste of time. And as a consequence, I barely ever use certain ones at all that I would otherwise use a lot more.
THIS MAY COME AS A SURPRISE, but believe it or not, plenty of people are able to employ good security habits. I’ve been “domaining” and doing plenty else online for over 20 years now. I use strong passwords, clear cookies, cache, etc., and have never once had anything “hacked” all these years and decades now. And I’ve done a LOT with domains and a multitude of online accounts and services. And that’s *before* I even included starting only relatively recently in life to add the use of VPN instead of my real IP, private browser windows, and a least privilege user account on my computer no less. Get the picture?
Mandatory my you know what. “It’s all for your safety and benefit.” Right. Where have we heard that before. It’s always in the name of “safety and security” and some other virtue, yes? Does anyone even need to address that theme in our society? Well, unfortunately some of us know that in fact we do with some in our lovely industry, but perhaps another time and topic…
Make no mistake, making it mandatory is nothing but a sign of the times and nothing less than a sickness, a mental sickness and misguided power and control trip.
AND ALL OF THE ABOVE is merely about when everything is being done sincerely with good intentions, without any type of wrongdoing going on, LET ALONE when there could be something far worse going on than merely a technical problem, for example.
Elliot, I know from ridiculous amounts of life experience that it is probably very hard for you to “grok” the reality, but try to believe, the reality is that some of the time there could be some of the problems and horror stories that are more than just “bugs” or technical “glitches” and problems. I could name names after over 20 years, even show concrete evidence and proof, but won’t do that here now.
But if you might have the ability to possibly “register” it, you have to realize that not everyone can count on always being treated the way people like you and all the other “luminaries” are going to normally be treated and have been. But what happens is that people like you “folks” normally get treated like gems, so then that causes you to think everyone else does too, and everything must be normal, nice and fine. But that’s not how it is.
Well I could say more, but that was long enough for now.
PS: and not just over 20 years, but I’ve been doing things online since the 1980’s even, especially the 90’s, and no “hacking.” Just good password and other security habits.
PPS:
These types of issues even still happen with GoDaddy, Elliot, but I’ll bet both of these are true:
1. They do not happen with you and your GoDaddy account.
2. They make a lot more money and actual profit from a customer like me than they do from you. Not because I keep a lot of domains there anymore, I don’t, but because I do buy there sometimes.
One such issue is even still occurring after a long long time.