Domainers Against MFA NOW (DAMN)

CDM

Domainers Against Multi-Factor Authentication (MFA) Now = DAMN

Like, DAMN son, I find being forced to use MFA to login to a site multiple times per day to be ...
  • A waste of valuable, productive time
  • Wholly unnecessary
  • Generally insufferable
I'm calling on all domainers everywhere to unite behind me in raising our collective voice to notify DropCatch that this microaggression will not stand, man.

DropCatch as of this week has now instituted mandatory MFA, and according to a support rep will not allow it to be disabled on an individual level.

However if enough domainers speak out about this travesty and apply pressure we may be able to arrest this madness before it becomes normalized as has been happening lately across registrars, marketplaces and other domain related platforms alike.

If you add up the time lost for having to use MFA and 2FA every day, multiple times per day, across multiple sites, it is costing perhaps millions of dollars in lost work to the domainer community. Even if on average it takes a minimum extra 30 seconds to login (it's likely more) that is already over 3 hours of lost work in a year. Nearly a half day! If you do it twice/day over a year that's 6 hours, ... 5x per day = 15 hours lost!! Imagine losing near 2-days of work per year for something like this. It's mind boggling.

Yes, there is a case for using MFA at the registrar level to protect against theft of our valuable domain properties, but now this practice is bleeding over to other sites and platforms where it should be up to the individual (always) to swim at their own risk, and balance their choice with other factors such as time expenditure.

Can I get a Whoa Bundy!?

 
I don't know if this is a serious post.
 
I don't know if this is a serious post.
Believe it

You may all thank me, so far I was able to negotiate DropCatch support to get the cookie for the session time extended from 6 hours to 24 hours, so now you do not have to login multiple times per day, only once per day. I have therefore likely just saved everyone a minimum of 1.5 to 3 hours per year of work, depending how many times per day you log into the site. Who would like to buy me a coffee?
 
Still, I would like us to do more, and feel that the best solution is to enable individual account control from within the user dashboard to enable/disable MFA at will.
 
I don't know if this is a serious post.
In fact this post is so serious, I trust we can count on leading domain industry online publication DomainGang to cover it and provide some additional visibility ( @Acroplex )
 
I feel your pain, @CDM - and yet I have to say that although 2FA isn't infallible (it's prone to SIM switch attacks, or other, more complex man-in-the-middle attacks), for the most part it's a better choice than plain Jane user/pass authentication.

That being said, I am not familiar with the 2FA implementation at DropCatch. I'm assuming it's via email. Then again, my bank's SMS authentication sucks also. I prefer the use of time-based authentication, e.g. Google Authenticator as used by many web sites and app services, e.g. Dan.com.
 
I feel your pain, @CDM - and yet I have to say that although 2FA isn't infallible (it's prone to SIM switch attacks, or other, more complex man-in-the-middle attacks), for the most part it's a better choice than plain Jane user/pass authentication.

That being said, I am not familiar with the 2FA implementation at DropCatch. I'm assuming it's via email. Then again, my bank's SMS authentication sucks also. I prefer the use of time-based authentication, e.g. Google Authenticator as used by many web sites and app services, e.g. Dan.com.
Thanks for the reply. In the case of DropCatch I don't see what the risk is ... Someone's going to hack into my account to place backorders on my behalf? Or someone will use my account to bid on an auction, and then win the name and it goes into my NameBright account which they would also then need to hack?

When I said "wholly unnecessary" it was not me being hyperbolic, it is just a simple statement of the reality in my view. DC stores credit card info but I'm sure that already conforms to the security standards of the countless other e-commerce sites out there.

"I feel your pain"

Indeed it is painful, and for no apparent reason
 
DC stores credit card info but I'm sure that already conforms to the security standards of the countless other e-commerce sites out there.
A company/org that processes and stores payment info has to comply with PCI-DSS {mfa}

Regards
 
A company/org that processes and stores payment info has to comply with PCI-DSS {mfa}

Regards
If this is the standard, surely 99% of sites are not in compliance including the largest. Do you MFA into Amazon or eBay? I don't. And is it a problem?

In any case, if you know which companies make up the council, and if you have an accurate worldview, it's not too hard to figure out where all this is headed. Security is the euphemism for all that supposedly ails us.

https://thefr.com/news/how-mastercard-is-building-a-global-digital-id-network
 
Email MFA now instituted by Afternic, with equally short session time. I warned you all this would escalate quickly.
 
I'm not against 2FA.
But only if it works!

The 2FA system of DropCatch is horrible, I don't even know why there is a "Remember Me" checkbox since it simply doesn't do anything.
 
There's an upcoming revision to the new PCI DSS V4 standard. If you are concerned you can press the PCI SSC to open a public comment period so people like you and I who will be impacted by the new changes and have to absorb the cost in time and productivity, can express our feedback.

I've left a comment here:
