Two-Factor Authentication (Registrar)

Two-factor authentication (2FA) at a [[registrar|registrar]] requires account holders to provide a second verification factor (typically a TOTP code from an authenticator app, an SMS code, or a hardware security key) in addition to their password when logging in or performing sensitive operations. Enabling 2FA is one of the most effective controls against account takeover attacks, which are the most common vector for unauthorized [[domain-transfer|domain transfers]] and [[domain-hijacking|domain hijacking]]. ICANN's security guidelines strongly recommend 2FA for all registrar accounts, especially those managing high-value domains. Combined with [[access-control-domain|role-based access control]] and strong unique passwords, 2FA significantly raises the barrier for attackers.

Example

After enabling 2FA with an authenticator app on your GoDaddy account, an attacker who phishes your password still cannot log in because they lack access to the rotating TOTP code on your phone.