
Which Registrar Is Most Secure?


Silentptnr

With valuable domains being stolen and tons of new, untested registrars popping up, I've started thinking about security.

I have names spread across about 12 registrars. I tend to like GD, but I like others too.

Any feedback about which registrars provide the highest level of security?
 
10
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
I get email notifications of any login attempts to Internet.BS, free privacy on everything.

Enable 2 factor authentication and you should be quite good to go.
 
3
•••
I tend to keep my most valuable domains with NameSilo and Epik and I've been happy with both from all perspectives (including security). I tend to use NameSilo more because I like their platform more and the site is faster.
However I would never ever keep valuable domains with GD or other shady registrars (mmmm.... 1&1, bigrock, domain.com & co., etc.).
I do buy domains at GD auctions but I move them immediately to NameSilo by requesting the 60 day lock to be lifted as soon as the domain is in my account...
How do you request to lift the 60 day lock?
 
2
•••
Great discussion. Since we have been mentioned a few times, I thought I'd point out a few things about our security (it is in our tagline after all!) :)
  • We support 2FA via app, not SMS as we have found that to be less reliable and also potentially subject to fees based on carrier and plan
I need staff to access our account, so 2FA via SMS is not very practical (different people logging in from remote locations, multiple mobile phones)
  • We offer Domain Defender (https://www.namesilo.com/Support/Domain-Defender) for free which is both a notification system and a system for preventing changes to accounts or domains if someone manages to get entry to your account. For notifications, customers can select from 20 different options for changes such as account access, domain unlocking, requesting EPP code, etc. Our system will send an email and/or SMS message when any of the selected options occurs. To increase security when using Domain Defender, customers can select between 1-5 question/answer pairs that must be answered before any account/domain changes can be made.
Interesting. I'm sure to take a closer look at this option (y)

Do you offer or plan to implement limiting access by IP address (IP whitelisting)?
 
2
•••
4
•••
Thanks for the kind words. The following security features are all free:

- 2 Factor Authentication
- IP Allow list
- MaxLock, i.e. account fully locked down for transfers unless agreed unlock protocol followed

We also just finished a native mobile application for iOS with end to end security for on the go account access and are releasing it to beta customers and soon generally.

Last but not least, I still get notified by the registries for any domains that leave. Since relatively few leave, it is easy to spot when a high value domain is moving. We have yet to lose a domain to an unauthorized transfer and like to keep it that way.

I'd love to hear a solution to these concerns of mine.

When there are those super great deals to register new domains do you ever match pricing?
When we register those great deals and then realize hey price was great but that's it, do you have a transfer promotion? Most of us hope to sell our domains. For some domains I'd put on ice and register for longer than a year. Not most though.
 
3
•••
Which Registrar Is Most Secure?
Based on my experience I love Namesilo and Name.com
 
3
•••
Do you offer or plan to implement limiting access by IP address (IP whitelisting)?

We actually had that years ago, but it caused a lot of problems with people who did not have static IPs. People travel, require access from multiple locations, etc., so we did away with the option. This is not to say that we will not add it back in the future, but, to be perfectly honest, we have received only 1 request for this feature in the last 5+ years (since it was removed). We do offer IP whitelisting for our API customers where the problematic issues listed above do not happen nearly as often since most API customers are running from origins with static IPs (typically a hosting provider).
 
3
•••
I'd love to hear a solution to these concerns of mine.

When there are those super great deals to register new domains do you ever match pricing?
When we register those great deals and then realize hey price was great but that's it, do you have a transfer promotion? Most of us hope to sell our domains. For some domains I'd put on ice and register for longer than a year. Not most though.

Thanks for the questions. Would probably be best to contact us directly with these questions so we can keep this thread about the original topic of security. We are happy to help answer any questions via support email, chat, phone or even PM here. Thanks again
 
2
•••
With valuable domains being stolen and tons of new, untested registrars popping up, I've started thinking about security.

I have names spread across about 12 registrars. I tend to like GD, but I like others too.

Any feedback about which registrars provide the highest level of security?
What do you think about eWallhost's security?
 
2
•••
I haven't seen anyone address this, but it's important to note that any registrar that doesn't let you change your username/login might be a security risk (whatever can be used to login basically).

Namecheap - doesn't let you change your username. But you have to give your username away to strangers to make transfers and account pushes.
GoDaddy - doesn't let you change your customer number, but you give your customer number away to make transfers and login and it's on every receipt.

So if a bad actor gets those, they can try to engineer their way into your account. Not sure why they haven't changed this yet, I like both of those registrars but this seems like a security oversight. Hopefully they will change that.

And of course, 2 factor auth is a must.

EDIT: I should add that I'm comparing this to my recent experience with Uniregistry, which uses only your email address as a login. Presumably you can change your email address if an issue were to arise.
 
3
•••
When there are those super great deals to register new domains do you ever match pricing?

Usually when you see a promo like $1.99 for 1st-year registrations of .TLD, this isn't a case of the registrar reducing prices on its own. No registrar wants to take a big loss on every domain.

Instead, these promo prices are offered only after the registry offers a discount to the registrar. Once the cost is lower for the registrar, then the price can be lower for the customer. For the registrar, this requires conversations, signed contracts, obligatory advertising, and enrollment in some clunky rebate program.

Many promo deals are declined because the savings aren't good enough, or the pile of advertising chores is a hassle, or the designated ad spots are already filled with other TLDs, or the ad content is ridiculous, or the TLD isn't worth the trouble because nobody wants it, or because the registry didn't begin the conversation in time to get set up at the registrar.

You may think it's natural to match somebody else's promo price. But if a registrar hasn't signed the contract, allocated the ad spots, sent out the required social media posts, etc. then that registrar cannot get the same deal.
 
8
•••
What security features do you WISH a registrar would offer? I'm open to ideas.

To start off with,

1. 2-FA via Authy/Google Authenticator. SMS itself has proved to be vulnerable plus I typically face issues of not receiving SMSes frequently.
2. Currently, I have added my "home" phone to my account. This is a landline number and cannot receive SMSes. Allow an additional phone (mobile phone) in the profile or in 2-FA settings to enable receiving SMSes without needing to change the home phone to a mobile phone.
 
4
•••
That's an interesting idea. We'd have to let people toggle this setting ON / OFF (default OFF), since most customers wouldn't want any extra email messages. But I'm sure some customers would want to track logins. Curious how many people want this ... Show of hands? It sounds like a good idea, but I also wonder if people wouldn't get sick of all the emails or – worse – grow so accustomed to them (through frequent logins of their own) that they'd fail to notice a suspicious login even if 1 did occur.

I'd like this. While you're at this, can you also provide opt-ins for any and all changes to the account domains such as NS changes, Whois changes etc? A few registrars do this and I think it's a good feature....

Also, I'm not sure if this is already there but a feature which shows the last few logins IP addresses and the action performed (login, change of domain settings, transfer initiated etc.)
 
3
•••
EDIT: I should add that I'm comparing this to my recent experience with Uniregistry, which uses only your email address as a login. Presumably you can change your email address if an issue were to arise.
No you can't. Uni does not allow you to change your login e-mail
 
3
•••
Possible suggestions to registrars:

1) only 1 way to login (username), and the ability to change that username if you want/need to (as mentioned above)
2) A separate "Push" account pin that is only used to accept pushes -- so people can push you domains without needing your login credentials
3) multiple security questions and the ability to "create your own" questions so it's not the same generic ones used by every single website

I feel like that could maybe cut down on a lot of unauthorized stuff

Cheers
 
2
•••
I've kinda always consolidated to GoDaddy. Reasons for this are basically...

1) Dedicated account rep
2) 2 factor security, need text code to log in to my account
3) Deadbolt Transfer Protection, nothing can move from my account without someone from GoDaddy calling me at a number I don't have listed in Whois and asking me my secret code which can be a number, word, phrase, sing a song :ROFL: etc... whatever ya want it to be. So you'd basically have to know which non public phone they will call me on, steal it and beat me until I tell ya what to tell them, good luck with that.
4) Largest registrar and will stay that way so no fear of them closing up shop.
5) Since 99.9% of my sales are to end users speeds things up since 99.9% of those end users have heard of GoDaddy and usually already have an account there. Known name instills trust with end user buyers
6) Consolidate feature, allows me to take all my domains divide by 12 months and sync them so I have the same renewal costs every month of the year
Etc..............
 
5
•••
Right here, you've got Rob Monster (Epik's CEO) and me (the Director of Operations) listening. Since this thread is about registrar security, let's brainstorm.

What security features do you WISH a registrar would offer? I'm open to ideas.

In fact, if we implement your suggestion, I will personally put $50 in your Epik account.
Automated phone text message when a domain is transferred.
 
1
•••
No you can't. Uni does not allow you to change your login e-mail

And if you ever change your email address? I assumed you could contact them to change it. People change emails from time to time, no? (n)

If not, then yea, I still like my username suggestion above for any registrar.
 
1
•••
1) Dedicated account rep
What benefits does this provide? I've never had an account rep so I don't know about this.

Deadbolt Transfer Protection
This is interesting. Is this for specific account levels? Or is it available to everyone? How do you set this up? I ask because I've heard a LOT of cases of unauthorized domain transfers/stealing.

Consolidate feature, allows me to take all my domains divide by 12 months and sync them so I have the same renewal costs every month of the year
This is a great feature. Although I've never used it at GD due to their high charges, this would be something I'd use at NS and Epik if available
 
2
•••
And if you ever change your email address ? I assumed you could contact them to change it. People change emails from time to time, no ? (n)

If not, then yea, I still like my username suggestion above for any registrar.
Right. Technically, it is possible to change the login e-mail. IIRC, you need to create a new account with the new e-mail and then merge the old account with the new account. I don't remember if this is possible self-serve or if you need to reach out to their support. Irrespective of that, it's too much of a hassle so I never bothered trying it out.
 
1
•••
Since I would like that $50 Epik credit @Slanted I'll share an idea. What if in the settings page we were able to "tag" particularly valuable domains that required yet another step before transferring out/pushing?

As it is now, I log in. Then I have to use my authenticator app. And that does give me a sense of security. But what if I tagged my domains that I valued a lot? What if the verification was confirming to say an alternative email that yes I sold the domain. Or perhaps verifying I had received payment. Maybe answering another security question. Maybe it is a dollar amount we want for the domain.

What if when transferring/pushing we had to reauthenticate? What if the transfer/push initiated a call to verify? Again for me all my domains are not equally as valuable. I may value some of my domains more than you might! However there are still only so many domains I need locked at Fort Knox!
 
1
•••
Pretty sure we haven't implemented an ON / OFF switch in the customer's user interface. Later, we might. For now, you can contact support, and they'll do it for you.

Concerning MaxLock - please ignore my question about the ON / OFF in panel, upon reflection, if someone hacked my account and could manipulate my account, that would defeat the purpose of MaxLock!

. . . some customers would want to track logins. Curious how many people want this ... Show of hands? It sounds like a good idea, but I also wonder if people wouldn't get sick of all the emails or – worse – grow so accustomed to them (through frequent logins of their own) that they'd fail to notice a suspicious login even if 1 did occur

The way I manage my accounts, it is helpful, since I typically have some set task to login for, so after I'm finished, I delete the emails I know I generated. So for me, I would notice if I got login notices when it was NOT me. And yes it is opt in/ opt out at the registrars that offer it.

----------------------------------------------
General comments:

Overall I agree that having to do pushes with your email or login username is a weakness, @Dynadot has a useful push system, because they use your forum name which you can change at any time so you could effectively change it for every push. Although I do not utilize their actual forums, IDK if then your posts get username changed repeatedly or it stays as it was at time of posting.

Also Dynadot shows Recent Login IPs with times and dates


Another general comment is that registrars, or ANY web site for that matter, should allow users to create their OWN security questions and answers. Seriously, in today's internet, some of the security questions are way too simple that people could not possibly figure them out, it is a continued annoyance of mine, especially when it should be even higher security like banking /rant
 
1
•••
What benefits does this provide? I've never had an account rep so I don't know about this.

Guessing account reps might fluctuate with what they wanna do for ya. Mine has offered to renew all my domains when they come up, send me lists of expired domains etc... I'll be honest I haven't really taken him up on anything that he has offered as I have control issues and like to manage everything myself as then I got nobody to blame if things aren't 100%. So I've been more of a "just leave me alone I got this" customer. :ROFL:

This is interesting. Is this for specific account levels? Or is it available to everyone? How do you set this up? I ask because I've heard a LOT of cases of unauthorized domain transfers/stealing.

Not sure what the current requirements are as they gave me an account rep, deadbolt locking many years ago and don't remember how many domains I had when they gave it to me. Currently 500+ with GoDaddy but sure it was lower when they gave it to me as have had it many many years.

This is a great feature. Although I've never used it at GD due to their high charges, this would be something I'd use at NS and Epik if available

Love it, no matter how many domains I have I can just pay per month to move them around so I have the same fixed renewal costs every month of the year. Sure it confuses people stalking my domains when they see the original registration month not being the same month as the expiration month, not that I really drop much at all anyway. :ROFL:
 
2
•••
Most major registrars are secure such as GoDaddy, Uniregistry, Enom, Name.com, and more. Your account is only as secure as your password so use a strong password and don't reuse passwords that you use on other sites. Last, ALWAYS use a 2-Factor-Authentication on your account. Most major registrars such as the ones I listed have built in 2FA for free. Yes it's annoying, but having your domains worth $hundreds, $thousands, or even more stolen is a lot more annoying. Enable 2FA! I had a very valuable pronounceable LLL.com at GoDaddy and 2FA is the only thing that stopped hackers once they figured out my GoDaddy password. Luckily nothing was stolen and I eventually sold that name for a nice price. Use one of the more well known registrars but always use strong pass and 2FA. Also, I HIGHLY recommend to ANYONE, not just domainers, to keep your Email LOCKED DOWN with a secure pass + 2FA as that is where all password resets and authentication go for most account changes on pretty much any website. You can even take it a step further and use an encrypted service like I do such as ProtonMail.
 
1
•••
registrars, or ANY web site for that matter, should allow users to create their OWN security questions and answers.

I proposed that at Epik, since we recently implemented security questions. However, it's AMAZING how many end-user customers struggle with the ordinary login process – entering an email address with password. Filling out the form to pick security questions (from a drop-down) and enter answers has resulted in 50 times as many phone calls from confused customers as I ever would have imagined. If we were to ask them to write their own questions, they'd panic, pull their hair out, and never manage to access their accounts ever again.

Domainers would cope fine, since domainers tend to be computer literate. But it's easy to forget that end users – particularly people 50+ who didn't grow up with computers or the internet – need a lot of hand holding. These are the buyers for your domains, often as not. So it's important to keep their needs in mind when designing registrar features. Advanced features are great for advanced users. But the folks who only log in once every few years tend to struggle unless we keep things very simple and familiar.
 
6
•••