Two-factor authentication

MapleDots




I have been reading a lot about domain thefts lately, and even though it is not as prominent with .ca domains, I strongly advise anyone with valuable domains to use two-factor authentication.

In fact, even two-factor does not go far enough: if you lose your phone, there is still a small chance something can go wrong.


I use something called Google Authenticator, which is an app that changes the authentication code every minute and will keep your account secure if someone should try to access it.
https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_CA&gl=US


GoDaddy is the most secure registrar I have dealt with; my account has the following:

- PIN Enabled
- Two-Factor Enabled
- Authenticator Enabled


The authenticator is very important because the domains that are getting stolen are being accessed through human error. The perpetrators collect a bunch of information on the domain holder and then they phone support saying they have no access to the account. The support team verifies personal information and grants access to the account. The thief now unlocks the domains and transfers them out.

With authenticator activated, the support team will not talk to you until you give them the authenticator code. So the support team cannot be tricked by a sob story saying you lost the password.

Consider activating authenticator if you are with GoDaddy, and ask your current registrar to get it if they do not have it available.


 
There is also no-factor authentication, whereby scammers just call your registrar and pretend to be you on holiday, whereby you have forgotten your password, and lost your wallet and phone, but *really* need to access your account.... could you please help?

Yes... I know my address and phone number (from the dark web).. thank you so much.
 
DomainRecap said:
There is also no-factor authentication, whereby scammers just call your registrar and pretend to be you on holiday, whereby you have forgotten your password, and lost your wallet and phone, but *really* need to access your account.... could you please help?

Yes... I know my address and phone number (from the dark web).. thank you so much.


That does not work at GoDaddy if you have authenticator activated.

Support is not allowed to talk to you without the code. It is the first thing they ask for and if you do not have it they are not even allowed to open your file.

If you lose your phone, you log in on your computer, get an authenticator code and call GoDaddy back.

So you cannot pretend to be the person because GoDaddy will not open a support ticket without the code.
 
MapleDots said:
So you cannot pretend to be the person because GoDaddy will not open a support ticket without the code.

You are mixing up how it should work with how it does work - obviously they are not supposed to open up your account or a ticket without the code, but there are a lot of things GD CSRs are not supposed to do, that they do, and there is no hard system lock on that functionality, at least not a few weeks ago.

Lots of people with full security + authenticator (including large companies) have lost access to domains due to social engineering. Have you not read about the myriad issues at GD, including some banks and crypto companies getting jacked, then the GD phishing training exercise where a good proportion of employees failed? They be giving it away like candy.

Where there is a will, there is a way and the weakest link is always customer service. The only way to mitigate that is to check your account daily and regularly confirm there are no email or phone issues.
 
That is exactly why they do not do it any more; I have noticed they are very strict now.

So I am pretty sure the scenario you are mentioning is not an issue anymore; GoDaddy has really ramped that security feature up.

Call any agent and with authenticator active they will not talk to you unless you give them the code.
I had my phone in the car and tried talking to support and he basically said he cannot help me with anything until he matches the code to my account.

I think it was a lesson learned for them and they have a strict procedure in place now.
 
Where possible, I would always prefer an authenticator app over text messages; there have been cases where cell phone numbers have been stolen (ported) or redirected in order to retrieve authentication messages.

When you use these apps, make sure to keep your recovery codes. And if you want to know how secure the whole thing is, ask the registrar what their procedure for the removal of 2FA is.
 