Use these tools to prevent domain theft and unwanted changes.
Your domain names are valuable. The more valuable your domains, the more likely they’ll be targeted by thieves.
What can you do to protect these assets? Domain registrars offer varying levels of security. Let’s run through some of these features and a feature I’d like to see.
Two-factor authentication – This is a must. If you don’t turn two-factor authentication on for your account, don’t blame anyone if your domains are stolen. If your registrar doesn’t offer two-factor authentication, move your domains elsewhere — full stop. While you’re at it, make sure two-factor authentication is on for your email account, because that’s what thieves often use to get into your registrar account.
There are different types of two-factor authentication. Ideally, use physical key authentication rather than SMS or an authenticator app.
Registry lock – Registry lock adds another layer of protection against unwanted changes, particularly to your nameservers. This is different from registrar lock, which only locks your domains against transfer. (Registrar lock is so basic that it’s not even worth including in this list.) Registry lock is ideal for any website with important content, such as an active website that generates significant revenue. It keeps someone from making an unwanted nameserver change and hijacking your visitors.
Domain transfer verification – GoDaddy is the only registrar I’m aware of that offers this, and only to top accounts. The company will call you before any transfer out of your account, and you have to provide a PIN to verify the transfer. It adds a step that can be a nuisance, but it also offers peace of mind and should prevent unwanted transfers. This service is one of the main reasons I keep my domains at GoDaddy.
Automated login notice – This is something Porkbun offers. When you revisit Porkbun and are still logged in because of a cookie, it emails the account owner to let them know that someone (hopefully you) accessed the account. I’m not sure if I like this or find it annoying, but it makes me think Porkbun has security top of mind, which is good.
SMS notifications of significant changes – Do any registrars offer this? It’s easy to overlook email notifications, so it would be nice if registrars texted you whenever a major change is made. I’d want to be able to configure these, but at a minimum I’d like to know if a domain is unlocked or transferred out. An option to be notified of contact changes and nameserver changes would also be nice. I’d also like a text if someone logs into my account from any country other than my home country.
Of all of these, two-factor authentication is the bare minimum security you need on your accounts these days. I’d like to see more registrars offer the other options.
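As an added example (not code from the original post or from any registrar), here is a Python check that reads a domain's RDAP record and alerts on the conditions discussed above: registrar transfer lock off, registry lock incomplete, nameservers changed, or expiry too close. The RDAP record, the expected nameservers and the thresholds are constructed for the example; in practice you would feed it the JSON returned by your registry's RDAP service.

```python
from datetime import datetime, timezone

# RDAP status values (RFC 8056 names for the EPP statuses a registrar or
# registry sets). "client ..." = registrar lock, "server ..." = registry lock.
REGISTRAR_LOCK = {"client transfer prohibited"}
REGISTRY_LOCK = {"server transfer prohibited", "server update prohibited",
                 "server delete prohibited"}

# Constructed RDAP domain record (not a real lookup): transfer-locked at the
# registrar, only partially registry-locked, and one nameserver replaced.
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "server transfer prohibited"],
    "nameservers": [
        {"objectClassName": "nameserver", "ldhName": "NS1.EXAMPLE.NET."},
        {"objectClassName": "nameserver", "ldhName": "ns2.other-dns.example"},
    ],
    "events": [{"eventAction": "expiration", "eventDate": "2027-01-01T00:00:00Z"}],
}
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def audit_domain(rdap, expected_ns, want_registry_lock=True, min_days_left=365, now=None):
    """Compare one RDAP domain object against the expected state; return alert strings."""
    now = now or datetime.now(timezone.utc)
    status = set(rdap.get("status", []))
    alerts = []
    # Basic registrar transfer lock: should always be on.
    if not REGISTRAR_LOCK <= status:
        alerts.append("registrar transfer lock is OFF")
    # Registry lock means all three server-side prohibitions are present.
    missing = REGISTRY_LOCK - status
    if want_registry_lock and missing:
        alerts.append("registry lock incomplete, missing: " + ", ".join(sorted(missing)))
    # An unexpected nameserver is how visitors get hijacked.
    seen = {ns["ldhName"].lower().rstrip(".") for ns in rdap.get("nameservers", [])}
    if seen != {n.lower().rstrip(".") for n in expected_ns}:
        alerts.append("nameservers changed: " + ", ".join(sorted(seen)))
    # Registering years ahead rules out "it just expired" in a dispute.
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            exp = datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
            if (exp - now).days < min_days_left:
                alerts.append("expires in %d days" % (exp - now).days)
    return alerts


if __name__ == "__main__":
    print(audit_domain(SAMPLE_RDAP, ["ns1.example.net", "ns2.example.net"], now=NOW))
```

Run it on a schedule and page yourself on any non-empty result; that gives you the lock and nameserver change alerts the post wishes registrars would send.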
Bill Hartzer says
Fabulous allows you to set up a “task”, so that you can have them call you and ask for a certain code word, for example, before they make changes.
If you are going to use 2FA, consider adding a physical key to that process. You can get a Yubikey inexpensively and add that to the 2FA process. Hackers won’t have the physical Yubikey, so they cannot gain access to your account. Google offers Google Advanced Protection, so you may consider adding that if you use a Google Account for access to a Google Account (Google Domains).
I recommend setting up 2FA when you can, but people need to realize that it is NOT foolproof. Hackers routinely turn 2FA off when stealing domains.
There are other things you can do to safeguard your domains:
Register the domain for at least 5 years in advance. If it’s stolen or transferred there will be no question as to whether or not it simply expired. We’ve run into this over and over again when recovering domains. We can easily rule out expiration since it was registered for a few years in advance (easy to see via whois history).
Do NOT rely on “auto renewal”, as we constantly hear from people who lose their domains because auto renewal was turned on and their credit card was “supposed to be” charged. And it was not. (Credit card didn’t go through, etc.).
Never use a “free email” such as gmail, hotmail, outlook, etc. as the contact email on the domain. Those accounts routinely get hacked, compromised, etc.
Make sure that you don’t ever use an email address on the same domain. For example, in the whois record of domainnamewire(.com), don’t use bill@domainnamewire(.com). If it’s a stolen domain, there will be issues recovering the domain.
Finally, consider NOT using whois privacy on domains you really care about. Use a UPS Store address if you have to. But don’t use whois privacy. When it comes down to recovering the domain, when you have to prove ownership, it’s a lot easier if you have not used whois privacy on the domain. Domain thieves will immediately turn on privacy when they gain access to the domain, then they will attempt to transfer the domain out.
Andrew Allemann says
I disagree with the free email advice. Some of these services have better security than the alternatives. See your previous mention of Google Advanced Protection.
Steve says
Thanks Andrew and Bill. Critically important, prescient advice indeed.
Bill Hartzer says
You actually have to pay for Google Advanced Protection. So not exactly free 🙂
Andrew Allemann says
Google Advanced Protection is free. You just need a FIDO key, but you can get it elsewhere.
Miroslav Glavić says
I respectfully disagree with the no free e-mail provider thing.
I have turned on every 2FA option.
Phone plugged in, authenticator app, voice/text, backup codes.
Also, I get a notification whenever there is a login.
Funny thing, I live in Canada. I was on vacation in Bosnia and Herzegovina years ago. I was on the wifi at my Airbnb. I got a notification, as I had never logged in in BiH. My brain wasn’t working properly at that moment. I was waiting for my morning coffee. I almost blocked myself.