
Namecheap announces support for TOTP-based 2FA - pR0Ps
https://www.namecheap.com/blog/protect-account-totp-2-factor/
======
EvanAnderson
It's about time. This has been a wish list item for years. They had a
proprietary 2FA option but that was a non-starter for me.

~~~
philfrasty
Any idea why companies would choose a proprietary 2FA solution? I see this
with European banks all the time.

~~~
NamecheapCEO
Honestly, we seriously dropped the ball trying something new. It was a mistake
on my part and a bad decision looking back. I posted about it on our blog here
[https://www.namecheap.com/blog/true-totp-2fa-and-u2f-are-coming/](https://www.namecheap.com/blog/true-totp-2fa-and-u2f-are-coming/)

~~~
krrrh
I was one of the people who wrote long support requests to you guys detailing
how much I disliked the system you had in place. I really respect your
forthrightness here.

~~~
NamecheapCEO
Thank you, I need to explicitly call out our/my shortcomings if we want to
improve as a company going forward. We are making big changes to the way we
are doing things and a commitment to full transparency and having open and
honest conversations with our customers are the biggest of those.

~~~
Sambeckerst
Thanks Richard for being honest, this is why I choose namecheap

------
londons_explore
TOTP is far too easily phishable. User studies have shown that in any large
organisation, some small percentage of even the most technical staff will
enter an OTP into a phishing page. You might think 'I'm not that dumb', but
study after study shows you are!

The future is hardware U2F tokens. They can securely check the web-origin of a
request and only give the token to the correct origin.
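The difference this comment draws between a relayable TOTP code and an origin-bound U2F/WebAuthn assertion, as an added example that is not part of the original thread. The TOTP half is RFC 4226/6238 as written, checked against the RFC 6238 test vector seed. The second half is a simplification I am assuming for illustration: a WebAuthn-style flow where the browser puts the page origin into the signed client data, with an HMAC standing in for the token's ECDSA signature, and constructed origins (the real site and a made-up phishing host).

```python
import base64
import hashlib
import hmac
import json
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)


def totp_server_verify(secret: bytes, submitted: str, now: int, step: int = 30) -> bool:
    """Typical server check: accept the current window and one on either side."""
    return any(
        hmac.compare_digest(totp(secret, now + k * step), submitted) for k in (-1, 0, 1)
    )


def phish_relay_totp(secret: bytes, now: int) -> bool:
    """The victim's app produces a code with no notion of origin; whatever page
    the victim types it into can forward it to the real site in time."""
    code_typed_into_phishing_page = totp(secret, now)
    return totp_server_verify(secret, code_typed_into_phishing_page, now)


# --- Origin-bound assertion (WebAuthn-style, simplified; HMAC stands in for ECDSA) ---

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_sign(device_key: bytes, browser_origin: str, challenge: bytes) -> dict:
    """The browser, not the page, fills in the origin it is actually showing;
    the token signs over that client data, so a phishing page cannot omit it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": _b64url(challenge), "origin": browser_origin},
        sort_keys=True,
    ).encode()
    sig = hmac.new(device_key, client_data, hashlib.sha256).digest()  # stand-in for ECDSA
    return {"client_data": client_data, "sig": sig}


def rp_verify(device_key: bytes, expected_origin: str, challenge: bytes, assertion: dict) -> bool:
    """Relying party: reject on origin or challenge mismatch before checking the signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("origin") != expected_origin:
        return False
    if cd.get("challenge") != _b64url(challenge):
        return False
    expected_sig = hmac.new(device_key, assertion["client_data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


REAL_ORIGIN = "https://www.namecheap.com"
PHISH_ORIGIN = "https://namecheap-login.example"  # constructed phishing host


def legitimate_u2f(device_key: bytes, challenge: bytes) -> bool:
    return rp_verify(device_key, REAL_ORIGIN, challenge,
                     authenticator_sign(device_key, REAL_ORIGIN, challenge))


def phish_relay_u2f(device_key: bytes, challenge: bytes) -> bool:
    """Attacker relays the real challenge, but the victim's browser is on the
    phishing origin, so that is what gets signed and the RP rejects it."""
    return rp_verify(device_key, REAL_ORIGIN, challenge,
                     authenticator_sign(device_key, PHISH_ORIGIN, challenge))


RFC6238_SEED = b"12345678901234567890"  # ASCII seed from RFC 6238 Appendix B

if __name__ == "__main__":
    print("TOTP @59 (8 digits):", totp(RFC6238_SEED, 59, digits=8))
    print("TOTP relay accepted:", phish_relay_totp(RFC6238_SEED, 1111111109))
    print("U2F-style relay accepted:", phish_relay_u2f(b"device-key", b"nonce-1"))
```

The take-away the code makes concrete: a TOTP verifier only ever sees a six-digit string and a clock, so it cannot tell who typed it where, while an origin-bound assertion fails at the origin comparison before any cryptography is consulted.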

~~~
manquer
Depends on your threat model, not everyone is going to pay for a hardware U2F
token. Not every application needs that high security. TOTP is definitely an
option better than just a plain password, which is what most services use today.

------
r1ch
I hated having to use a proprietary app for this (even if it was based on the
Authy SDK), so this is a nice improvement.

I'd really like to see U2F support though as well, domains are very valuable
assets and deserve the strongest protection possible.

------
philtar
Their old one was so bad I actually learned how to use Route 53 just to
migrate out of it.

Their CEO is just pretending to be forthright here. I have a tweet where he
replied to me from February 2014 that said Google Auth support is coming in a
couple of months.

This all happened because I got locked out of my Namecheap account when THEIR
system wouldn't SMS me the code and they had problems with the voice calling.

So I emailed support. They called me 5 hours later to ask me a bunch of
questions. Here's the funny part: they called me on the number I had used for
2FA. Isn't the fact that I answered that number proof enough that I had it?

Everything they do is half-assed, including their Frankenstein panel that's a
mix of their old interface and their new one.

Anyway. Good riddance. Only use Namecheap if you can't afford the $1 it costs
to host your DNS on Route 53.

~~~
guitarbill
Agreed, there was a big issue with the communication about 2FA. And then the
proprietary app was rolled out, in what seemed more like a checkbox ticking
exercise. At that point I also migrated and haven't looked back.

Why a checkbox ticking exercise? Even the Oct 2018 post by the CEO [1] says
"[...] our proprietary app, was not well-received by many of you and did not
serve you in the way many of you preferred to use 2FA." Apart from being such
bullshit corpo speak, how was one single second factor device per person
sufficient for critical infrastructure? What was I supposed to do, buy two
phones? If a place is so clueless about 2FA, run. You can almost be sure they
don't use 2FA internally.

(While I'm here, allow me to name and shame Patreon, who used to support TOTP,
but removed that option and now only have SMS [2])

[1] [https://www.namecheap.com/blog/true-totp-2fa-and-u2f-are-coming/](https://www.namecheap.com/blog/true-totp-2fa-and-u2f-are-coming/)

[2] [https://support.patreon.com/hc/en-us/articles/206538086-How-Do-I-Set-Up-Two-Factor-Authentication-](https://support.patreon.com/hc/en-us/articles/206538086-How-Do-I-Set-Up-Two-Factor-Authentication-)

~~~
NamecheapCEO
No excuses, you're right, we made a bad decision then and losing customers
like you was the consequence of that. I apologize for that and any other
negative experiences you may have had with us due to this.

~~~
guitarbill
I do respect you for stepping up here, and my experience with Namecheap was
very good (barring 2FA). I guess it comes down to trust, which is hard to
gauge.

The other thing that would stop me from returning to or recommending Namecheap
is GDPR compliance, or lack thereof. While I don't expect you to fight ICANN,
it's a blocker. (Obviously, not many registrars offering compliance at the
moment...)

~~~
NamecheapCEO
While we still have some gaps around GDPR we have active workstreams to close
them. We've also rolled out free privacy protection to all of our customers,
not just those in the EU. I can also say that we've always been extremely
careful with sharing any customer data with third parties even before GDPR
came into the conversation. Customer privacy is not something I believe should
ever be compromised on. While we've made some dumb decisions, I can assure you
it was always well intended. Even our previous lack of speed to fixes was due
to us making a conscious decision to go back and rebuild our entire
infrastructure and code base so that we can be more flexible and agile in the
future. It was a hard sacrifice to make and it affected our customers
negatively but I believe it will lead to a better future with what we'll be
able to deliver to our customers in terms of effectively and seamlessly
solving their problems. Hopefully you'll come back some time in the future and
you can judge us by our actions and what we are building and delivering and
not just my words.

