Two-Factor Authentication for Domain Accounts
## Why 2FA Is the Single Most Important Domain Security Step
The majority of domain hijackings begin with a compromised registrar account. An attacker with your username and password can change your DNS records, initiate a domain transfer, or lock you out of your own account in minutes. Two-factor authentication (2FA) adds a second credential — something you physically possess — that an attacker cannot obtain just by stealing your password.
Enabling 2FA on your domain registrar account is, by a wide margin, the highest-value security action available to domain owners. It takes less than five minutes and blocks the primary attack vector entirely.
## How 2FA Works
Authentication systems traditionally rely on something you *know* — a password. 2FA adds a second factor: something you *have* (a phone, a hardware key) or something you *are* (biometrics). An attacker who steals your password still cannot log in without the second factor.
For registrar accounts, the most common second factors are:
- **TOTP authenticator app** — A time-based one-time password generated by an app like Google Authenticator, Authy, or 1Password. Generates a new 6-digit code every 30 seconds.
- **Hardware security key (FIDO2/WebAuthn)** — A physical USB, NFC, or Bluetooth key (YubiKey, etc.) that you tap or plug in.
- **SMS / voice code** — A code sent to your phone number via text or call.
- **Email code** — A code sent to your account email address.
These methods are not equally secure.
## Choosing the Right 2FA Method
### TOTP Authenticator App (Recommended)
A TOTP app is the best balance of security and convenience for most domain owners. The codes are generated locally on your device and are time-sensitive, making them useless if intercepted even a few minutes later. They are not vulnerable to SMS interception or SIM-swapping.
Use an authenticator app that supports encrypted backup and cross-device sync (Authy, 1Password, or a similar credential manager) so you can recover access if you lose your phone.
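To make the "time-sensitive" property concrete, here is an added example (not code from this page or from any registrar) that implements RFC 6238 TOTP in Python and checks a code with a small clock-skew window. The secret is the RFC 6238 Appendix B test seed, so the generated codes can be compared against the published vectors; the one-step skew window is an assumed verifier policy, not a registrar's.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # the 6-digit codes shown in authenticator apps

# RFC 6238 Appendix B test seed ("12345678901234567890" in Base32), used here
# so results can be checked against the RFC. A real registrar issues a
# per-account secret via the QR code at enrollment.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time counter floor(t / step)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps.

    The window (assumed policy) tolerates small clock drift between the
    phone and the server; anything older is rejected, which is why a code
    captured by a phishing page is worthless a minute or two later.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, code):      # constant-time compare
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    current = totp(RFC_SECRET_B32, now)
    print("code now:", current, "valid:", verify(RFC_SECRET_B32, current, now))
    print("same code 2 min later valid:", verify(RFC_SECRET_B32, current, now + 120))
```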
### Hardware Security Key (Best for High-Value Domains)
A hardware key like a YubiKey is the gold standard. It is immune to phishing because the key is cryptographically bound to the registrar's domain — a phishing site cannot extract a valid response from it. If you manage domains that generate significant revenue or are business-critical, invest in a hardware key. Buy two (a primary and a backup) and store the backup securely offline.
### SMS 2FA (Acceptable, Not Ideal)
SMS 2FA is far better than no 2FA, but it is vulnerable to SIM-swapping — an attack where a criminal calls your mobile carrier, impersonates you, and convinces them to transfer your phone number to a new SIM they control. Once they have your number, they can receive your SMS 2FA codes.
If your registrar only offers SMS 2FA, use it while advocating for better options. Contact registrar support and ask about TOTP or WebAuthn support on your account.
### Email Code (Weakest)
If your account email is compromised, email-based 2FA provides no additional protection. It is better than a password alone, but only marginally. Avoid it if better options are available.
## Setting Up TOTP at Major Registrars
The exact steps vary, but the general flow is identical across registrars:
1. Log in to your registrar account.
2. Navigate to Account Settings or Security Settings.
3. Find "Two-Factor Authentication" or "Two-Step Verification" and click Enable.
4. Select "Authenticator App" (TOTP).
5. Open your authenticator app and scan the QR code displayed.
6. Enter the 6-digit code from the app to confirm.
7. **Save the backup codes** provided. Store them offline (printed or in a secure location separate from your digital devices). These are the only way to access your account if you lose your authenticator.
## Backup Codes: Do Not Skip This Step
Every registrar that offers TOTP will give you a set of one-time backup codes during setup. These are emergency codes that allow you to log in without your authenticator. Treat them like a master password:
- Print them out and store them in a physically secure location.
- Alternatively, store them in an encrypted offline vault.
- Never store them in the same place as your authenticator device.
- If you use a backup code, regenerate your 2FA setup immediately afterward.
## Protecting Your Account Email Address
Your registrar account email is the fallback recovery path. If an attacker controls your email, they can reset your registrar password and 2FA setup. Apply the same rigor to your account email as to the registrar account itself:
- Use a dedicated, unpublished email address for domain registration.
- Enable strong 2FA on that email account.
- Do not share it publicly or use it as a contact address anywhere.
This is sometimes called **defence in depth** — your registrar account security is only as strong as its weakest recovery path.
## What to Do If You Lose Your Authenticator
If you lose your phone and do not have backup codes:
1. Contact your registrar's support immediately.
2. Be prepared to provide identity verification (government ID, billing records, answers to security questions).
3. Ask the support agent to disable 2FA and help you re-enroll with a new device.
4. After recovery, regenerate backup codes and store them properly.
This recovery process can take days at some registrars — another reason to store backup codes from the start.
## Reviewing Account Access Regularly
2FA protects your login, but it does not protect against authorized users who have gone rogue. Periodically audit:
- Who has access to the registrar account.
- What permissions each user has.
- Whether any API keys or OAuth connections have access to domain settings.
Remove access for former employees and contractors promptly. Limit access to the minimum required. Combine 2FA with account locking (see Domain Security Checklist) for the strongest available protection.