
OT, but why is it that providers like Namecheap implement 2FA but not organizational team support?

If I set up 2FA, only my device can log in. If I become unavailable for some reason, none of my team members can access the account. The only way to do this is for all team members to do the 2FA setup at the same time, which I believe will seed the generator so that they will all produce the same sequence of tokens. But that's just unacceptable. It's like renting an office and only getting a single key.

I find it amazing that in this day and age, most providers still conflate the concepts of "login" and "account". I log into an account; that login is a set of credentials giving me access, but one account obviously must support multiple logins.

Without a clean separation, you turn employees into single points of failure. Shared account credentials are a potential security risk. And it makes it harder to lock out employees who leave the company once given access. And of course, it makes auditing harder because you just have the IP.

Most providers make this mistake: Among DNS providers, I use Gandi, EasyDNS and iWantMyName, all set up like this. Cloud-oriented providers like Digital Ocean and Mailgun, same problem. AWS does the right thing.

We actually have a little-known feature, which allows you to grant domain modification rights to other Namecheap users. https://www.namecheap.com/support/knowledgebase/article.aspx...

You can also add other phone numbers to your 2FA preferences, although I can understand if that's annoying for your colleagues if everyone is getting an SMS on every login.

(Namecheap user here. Just set up 2FA.)

Could you have people adding multiple phone numbers to the 2FA process and then allow someone to set their preferred, whitelisted number for the SMS?

I need to grant access to a second account to purchase services on my behalf. Does your solution of granting domain modification access work in that case or are we going to have to deal with the SMSes?

Also, is there a plan to upgrade the internal tools that don't match the newer public design? It's pretty jarring.

The new account panel / internal tools are in development and will roll out soon.

With the existing 2FA, you can set a primary or disable a number without deleting it. This could work for what you're describing.

Timo from iwantmyname here.

It's certainly something we are aware of and multiple logins are planned.

We are using Authy as our two-factor authentication service provider and they allow you to use multiple devices: http://blog.authy.com/multi-device

At least with gandi, you can keep the barcode of the 2FA seed around (or the text seed) and set up new devices with it. We use Gandi and everyone with access uses Google Authenticator with the same 2FA seed.
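The shared-seed workaround described above, alongside the login-per-person model the thread asks for, as an added Python example that is not from Gandi, Namecheap or any other provider mentioned here; the `Account` class, its method names and the sample secrets are constructed for illustration.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the secret and the time slice."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def shared_seed_codes(seed: bytes, unix_time: int, devices: int) -> list:
    """Every device enrolled from the same seed yields the same code, so a leaver's
    device keeps working until the seed is rotated for everyone."""
    return [totp(seed, unix_time) for _ in range(devices)]


class Account:
    """The 'account vs login' separation: one account, one TOTP secret per login."""

    def __init__(self) -> None:
        self.secrets = {}     # login name -> TOTP secret (constructed; store encrypted in practice)
        self.audit_log = []   # (unix_time, login name, outcome): who, not just which IP

    def add_login(self, name: str, secret: bytes) -> None:
        self.secrets[name] = secret

    def revoke_login(self, name: str) -> None:
        # Removing one leaver's login leaves every other login untouched.
        self.secrets.pop(name, None)

    def verify(self, name: str, code: str, unix_time: int) -> bool:
        secret = self.secrets.get(name)
        ok = secret is not None and hmac.compare_digest(totp(secret, unix_time), code)
        self.audit_log.append((unix_time, name, "ok" if ok else "denied"))
        return ok
```

The `totp` function reproduces the RFC 6238 test vector (secret `12345678901234567890`, time 59 gives `94287082` at 8 digits), so it can be checked against any authenticator app.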

I use Gandi as well and I've noticed that you can have 4 separate accounts with access to yours, the different domain contacts each can be separate accounts.
