Protect your Domain Name with Two Factor Authentication

published by Eric Mill on

Jump below for links to domain providers who offer two factor authentication.

Naoki Hiroshima's "How I lost my $50,000 Twitter username" is a fascinating, terrifying description of how Hiroshima had his Twitter handle, @n (now @n_is_stolen) stolen by an attacker. The mundane, articulate emails from the attacker are particularly chilling to me.

The attacker also uses a method that, though very simple, I haven't heard of before. The attacker compromised Hiroshima's GoDaddy account and got control of his domain name, and then used this to take control of Hiroshima's email address that used it. The attacker didn't need to compromise Hiroshima's email service provider (Google Apps) -- just his email address' domain provider (GoDaddy).

Hiroshima describes in great detail the spiral of terrible corporate security, social engineering, and customer service that allowed the attack to succeed from that point onwards. His account reveals many different problems -- including some services using credit card numbers to verify identity -- and it's put a number of companies' security policies into the spotlight.

Gmail Addresses Aren't the Answer

Unfortunately, Hiroshima then comes to a mistaken conclusion. In a section titled "Avoid Custom Domains for Your Login Email Address", Hiroshima cautions against registering for services with emails using your own domain:

I changed the email address I use at several web services to an @gmail.com address. Using my Google Apps email address with a custom domain feels nice but it has a chance of being stolen if the domain server is compromised. If I were using an @gmail.com email address for my Facebook login, the attacker would not have been able to access my Facebook account.

The only reason that a @gmail.com address would have been more secure for Hiroshima is that he would have Google's two factor authentication (2FA) enabled. 2FA requires an attacker to not only know your password, but also have access to something you own (typically your phone). Hiroshima does acknowledge 2FA's importance:

Using two-factor authentication is a must. It’s probably what prevented the attacker from logging into my PayPal account. Though this situation illustrates that even two-factor authentication doesn’t help for everything.

But of course, 2FA can help you protect your domain -- but only if your domain provider offers it, and you use it. That's the real lesson here.
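The second factor described above (a code from something you own, typically a phone app such as Google Authenticator) is usually a time-based one-time password, TOTP (RFC 6238) built on HOTP (RFC 4226). The following is an added example, not code from this post or from any provider: it generates and verifies such codes, decodes the base32 key string that authenticator apps enrol with, and is checked against the RFC 6238 test-vector seed.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 HOTP: truncate an HMAC over a moving counter to a short decimal code.
def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

# RFC 6238 TOTP: the counter is the number of 30-second steps since the Unix epoch,
# so the phone and the provider agree on the code without sharing state.
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    return hotp(secret, at // step, digits, algo)

# Authenticator apps enrol with a base32 key (the text behind the QR code); the
# key is often shown lowercase and grouped with spaces, and padding is stripped.
def decode_base32_secret(key: str) -> bytes:
    key = key.strip().replace(" ", "").upper()
    key += "=" * (-len(key) % 8)                  # restore stripped '=' padding
    return base64.b32decode(key)

# Provider-side check: accept the current step and one step either side to
# tolerate clock skew, and compare in constant time so timing leaks nothing.
def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + drift * step, step), code):
            return True
    return False

# Seed from the RFC 6238 test vectors (SHA-1 variant), not a real secret.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_SECRET, now))
    print("accepted:", verify_totp(RFC_SECRET, totp(RFC_SECRET, now - 30), now))
```

Enabling 2FA at a registrar means the provider runs a check like verify_totp on every login (and ideally on support-desk account changes), so a stolen password alone is not enough.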

Using your own domain for email is a hugely important way to take control of your identity online. This is a good reminder that when you do that, you need to choose a domain provider whose security you trust.

In fact, it looks like GoDaddy actually does provide 2FA (not that I would ever recommend using GoDaddy). Even if Hiroshima didn't turn it on, I don't blame him! My domain provider, iwantmyname, also provides 2FA, but I hadn't thought of enabling it until reading Hiroshima's account. I witnessed a number of friends make the same decision.

While I'm sorry that this event happened to him, I'm extremely glad he wrote it up like this. Our domain providers have the responsibility to provide at least the same level of security we get from our social networks, and we're responsible for taking advantage of that security when it exists.

Providers who offer 2FA

Update: I'd like the below list to remain timely and useful, but Twofactorauth.org is probably going to be a more comprehensive, up-to-date resource - they take contributions via GitHub.

Here's how to set up two factor authentication on your domain's registrar or DNS provider.

Providers who DON'T offer 2FA

And here are some domain providers who need some shaming.

Providers working on 2FA now

Tweet at @konklone with any providers I'm missing, and I'll add them to the list.

Update: Mentioned the social engineering aspect to the attack, which 2FA wouldn't have prevented.

Image credit: http://halfelf.org/2013/two-factor-authentication/


  5. aLex

    What about ITITCH?

  6. Steve

    Network Solutions is too busy trying to sell their Weblock product for 2FA, which is $500/year and $500 setup. Laughable.

  7. Ray Schmitz

    Name Silo (www.namesilo.com) is another registrar offering 2FA, using Google Authenticator. No annoying initial SMS required - unlike other implementations.

  8. Eric

    @Laurence: Thanks! I updated the post.

  9. Laurence Gonsalves

    I got an email today from Hover saying they just added 2FA. They call it "Two-step Sign-in" on the settings page. I just tried it with my account, and it seems to work.

  10. Eric Mill

    FWIW, I just read Lee Hutchinson's writeup on Ars Technica (http://arstechnica.com/security/2014/01/picking-up-the-pieces-after-the-n-twitter-account-theft/) and he includes this:

    "In his write-up, Hiroshima laments his use of his own e-mail domain for registering at services like Facebook and Twitter, saying that the use of a Gmail address or something similar would have kept the attacker from using this method to gain access to his Facebook account, among other things. This is true—but it's also throwing the baby out with the bathwater."

    The article as a whole is great, too. It recommends 2FA everywhere, and storing as little information as possible with cloud services, while recognizing that human systems will always be fallible.

  11. Eric Mill

    I don't believe I'm skirting around the main issue at all. Hiroshima is absolutely correct that he wouldn't have been vulnerable to his DNS being hijacked if he'd used a @gmail.com address. A custom domain means another service you depend on, so it widens the attack surface.

    But that isn't his only conclusion. He then makes a value judgment, which is to recommend not using custom domains to register for services. It's this judgment that I disagree with.

    I disagree with it because of a few factors:

    1) Hiroshima's situation could also have been avoided if his DNS provider had better security protocols, and more clearly indicated what they rely on to prove identity.

    2) The general intimidation factor of setting up custom domains for email discourages people from doing it in the first place, and Hiroshima's conclusion contributes to that.

    3) Custom domains for email enhance other kinds of security -- namely, reducing your dependence on any one corporation. I view this as a security issue -- but even if you don't see it as a security issue, dependence is an issue that factors into my judgment.

    So I'm not saying Hiroshima's objective description is mistaken; it's the subjective conclusion he takes from it. I'm happy to stand by that, and will very confidently continue to recommend people use an email address with a custom domain for 100% of their online business.

    I'll also confidently and energetically push DNS providers to tighten up both their robotic security (2FA) and their human security (clear, disclosed, resilient customer service practices). Those are battles worth waging to make domain ownership on the Internet more secure and empowering.

  12. Paul

    You're skirting around the main issue.

    This attack was made possible because Hiroshima was using a custom domain. If he hadn't used a custom domain, the attack wouldn't have worked. This is the conclusion he presented in his article and it's perfectly valid – you're wrong to suggest he's mistaken.

    The argument you're making is a side issue. Sure, you can continue using a custom domain if you want to. You can certainly mitigate the risks of doing so by using a domain registrar "whose security you generally trust". There are many benefits to having your domain, as you outline. But you could use the most secure registrar in the world and it'll still be a potential attack vector. You can eliminate this attack vector entirely by not using a custom domain.

    This was the point Hiroshima was making and he's absolutely right in saying this.

  13. Eric Mill

    @Paul: Let's say you run a website on your own domain, like a lot of people do. If someone hijacked your DNS and took over your website, is the right lesson that you should have just hosted your website at a *.github.io or *.wordpress.com or *.tumblr.com address, because those companies' DNS servers are probably less vulnerable to hijacking? Or is it just time to go find a better DNS service, and make sure you've got 2FA enabled forevermore?

    Custom domains are meant to be used for fundamental services - websites and emails top among them. The bigger problem here is that GoDaddy let this guy down, by resetting his password to someone with 4 digits of his credit card #. The fault is on GoDaddy, not the idea of using your own domain name. The only reason it even feels credible for the guy to recommend not using a custom domain is because it is so much less widely practiced (and to our detriment, I would argue).

  14. Paul

    But surely it was the custom domain that did him in?

    If he'd avoided a custom domain and instead used a regular @gmail.com email address, the attackers wouldn't have been able to hijack his DNS. Therefore they'd have been unable to intercept his password reset emails, and unable to take over his Twitter account.

  15. Eric

    It's true that by using a custom domain, you're introducing a second place that your email can be compromised. But if you pick a domain provider with 2FA, and whose security you generally trust, you shouldn't fear using a custom domain.

    While 2FA alone wouldn't have saved Hiroshima -- because of how vulnerable to social engineering PayPal was, and that GoDaddy apparently didn't require the second factor in a customer service context -- it wasn't the custom domain that did him in.

  16. Paul

    "The only reason that a @gmail.com address would have been more secure for Hiroshima is that he would have Google’s two factor authentication (2FA) enabled."

    I'm not sure that's true. Firstly he mentions that he was using Google Apps with his custom domain, so 2FA would have been available to him there too.

    But I think the main point he's making is that by using a custom domain, you're susceptible to having your domain hijacked, at which point the attacker can intercept all your password reset emails. This wouldn't be a viable attack on an @gmail.com email address because there's no custom domain to hijack.