On Mon, 25 Feb 2019 12:14:59 -0700, Paul Ebersman said:

> ekuhnke> One thing to consider with authentication for domain registrar
> ekuhnke> accounts:
>
> ekuhnke> DO NOT USE 2FA VIA SMS.
>
> Yup. This is a good example of what I'm advocating. Just saying "use
> 2FA" or "use DNSSEC" or "have a CAA" isn't sufficient detail to make
> informed decisions of risk/effort/reward tradeoffs. Simplistic
> suggestions without details or context aren't doing anyone any favors.
>
> That said, even SMS 2FA is better than no 2FA. Barely. Just like forcing
> lousy passwords is better than no password but still not a best
> practice.
Feel free to suggest a workable 2FA. Personally, I use a Yubikey where I can. OATH seems to be a reasonable approach for technically minded people, but I'm not sure that it scales well to the people who own the long tail domains in the 40 million .coms. I can get oathtool to behave the way I want, but I'm not sure the owner of joes-bait-tackle-and-gunshop.com will be able to deal with it. Unless you get it down to the SMS "wait for a msg, type in the 6 digit number" level, it's going to be a tough start...
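What the OATH step behind oathtool actually does, as an added example that is not part of the original message: the RFC 4226/6238 derivation of the 6-digit code the user types in, plus the server-side verifier that tolerates a little clock drift. The seed is the RFC 6238 test vector, not a real enrolment secret.

```python
import base64
import hashlib
import hmac
import struct
import time

DIGITS = 6            # the "6 digit number" the user types in
STEP_SECONDS = 30     # RFC 6238 default time step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    t = time.time() if at_time is None else at_time
    return hotp(secret, int(t // step))


def verify_totp(secret: bytes, submitted: str, at_time=None,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check: accept the current step and `window` steps either
    side (phone clock drift). Every candidate is compared in constant time
    and the loop never exits early, so timing leaks neither digits nor
    which step matched."""
    t = time.time() if at_time is None else at_time
    counter = int(t // step)
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c), submitted)
    return ok


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 seed carried by an enrolment QR code (the same
    string oathtool takes with -b), re-adding the padding those omit."""
    cleaned = encoded.strip().upper().replace(" ", "")
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


# RFC 6238 Appendix B test seed (ASCII "12345678901234567890"); constructed input.
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SEED, at_time=59))  # RFC 6238 vector at T=59: 287082
    print(totp(RFC_SEED))              # code for right now
```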