As always, we advise turning on 2-factor authentication on your account.
If I set up 2FA, only my device can log in. If I become unavailable for some reason, none of my team members can access the account. The only way to do this is for all team members to do the 2FA setup at the same time, which I believe will seed the generator so that they will all produce the same sequence of tokens. But that's just unacceptable. It's like renting an office and only getting a single key.
I find it amazing that in this day and age, most providers still conflate the concepts of "login" and "account". I log into an account; that login is a set of credentials giving me access, but one account obviously must support multiple logins.
Without a clean separation, you turn employees into single points of failure. Shared account credentials is a potential security risk. And it makes it harder to lock out employees who leave the company once given access. And of course, it makes auditing harder because you just have the IP.
Most providers make this mistake: Among DNS providers, I use Gandi, EasyDNS and iWantMyName, all set up like this. Cloud-oriented providers like Digital Ocean and Mailgun, same problem. AWS does the right thing.
You can also add other phone numbers to your 2FA preferences, although I can understand if that's annoying for your colleagues if everyone is getting an SMS on every login.
Could you have people adding multiple phone numbers to the 2FA process and then allow someone to set their preferred, whitelisted number for the SMS?
I need to grant access to a second account to purchase services on my behalf. Does your solution of granting domain modification access work in that case or are we going to have to deal with the SMSes?
Also, is there a plan to upgrade the internal tools that don't much the newer public design? It's pretty jarring.
With the existing 2FA, you can set a primary or disable a number without deleting it. This could work for what you're describing.
It's certainly something we are aware of and multiple logins are planned.
We are using Authy as two-factor authentication service provider and they allow you to use multiple devices: http://blog.authy.com/multi-device
1. Log in
2. Click "Menu" (in the top right portion of the page)
3. Expand the "My Account" submenu (if it didn't already automatically expand when the menu appeared)
4. Click "Manage Profile" (5th from the bottom of the "My Account" submenu)
5. On the next page that appears, look for "Two Factor Authentication" on the left side under "Personal Settings"
I have been using 2FA on NameCheap since you added the feature, but it's one of the more annoying implementations -- compare to Google's 2FA setup, for example. There I have to jump through the hoop of getting an SMS once a month (and verify my password a bit more frequently).
For NameCheap, it's every single time I log in, which translates to every single time I need to do or check something in my account.
This is probably only a minor annoyance for most of your customers; for me it sometimes means I can't sign in. I live in an area with fairly poor mobile coverage, so internet access & ability to receive an SMS do not always coincide. I'm also not tied to my mobile, so I may need to go find it where it's charging downstairs (or plug it in if it's dead) before I can continue.
I'd really appreciate either the option of a code generator (Google Authenticator, Authy, etc.), or a longer "remember-me" time -- it's rather more likely that my phone would be stolen than my laptop... so letting the laptop I've just double-authenticated be a "thing I have" is perfectly valid.
We've been waiting for ages for another 2FA option from Namecheap, either Authy or Google Auth. Now I'm just registering my domains elsewhere and when my Namecheap domains come up for renewal I'm jus transferring out.
I’m curious what evidence you have that ties these login attempts to the CyberVor (1.2bn) hacked credentials database specifically?
Given that (to my knowledge) none of the data from this database has yet been leaked publicly, couldn’t the credentials being used for these attacks be coming just as easily from any number of sources, or previously-disclosed databases (Adobe, LinkedIn, Forbes, etc.)?
Just trying to distinguish “what we know” from “what we suspect”, here. Thanks!
TOTP is a standard, it's great, there are open source implementations, and it's easy to integrate. Google even has that pam module. Use it.
1) Blocking phishing: where are you typing that code into? the real site? Are you sure......zeus-in-the-mobile coming at you
2) and once you are into the actual site and you want to do something of value, man-in-the-browser becomes an issue
>>>> this sums it up http://blogs.computerworld.com/data-security/24250/financial...
oh yes, and the 34 banks that have been spear-phished and SMS compromised know about it too.......
That's rubbish. 2FA means 'something you know and something that you have'.
What you know is your account credentials, what you have is your phone.
This means at any point between the sender and your phone anyone who has access can know what your "two factor" code is.
If you use true TOTP, i.e. Google Authenticator, then the code is generated via a secret key that lives on your phone, and nothing ever leaves your phone besides printing to screen and showing it to you when you need to log in.
Therefore, SMS "two factor" is not only costly and annoying, but ineffective.
Can I get my upvote back?
and they don't have your account credentials, that's the other half of the two factor approach
As to why it may be on-topic here: the activity reported by NameCheap in the OP lines up pretty well with the reports of a large collection of compromised accounts in the hands of a criminal group.
I know you wouldn't want to provoke panicked overreactions, or risk customers thinking that this indicates a flaw in NameCheap's security, but direct contact is essential for this kind of ongoing attack.
> continue to update our customers through our blog and social media
I'm not sure what percentage of your customers this will actually reach, but surely not a majority (certainly not me, anyway).
At last count, I have several hundred logins with various online services. I do not want a note every time one of them is subject to a dictionary attack, no matter the scale.