
Nominet 2FA Two Factor Authentication...

Sad to report the reply from Nominet... 2FA will be mandatory, the nag won't stop and cannot be stopped, WALOB!

That's ridiculous

What about people who don't have a smart phone?
 
What about when you're overseas, or out of cell reception like deep in a building? A system that relies on a single technological point of failure is surely worse than the current optional passphrase one?
 
What about when you're overseas, or out of cell reception like deep in a building? A system that relies on a single technological point of failure is surely worse than the current optional passphrase one?
Oh I agree with you, but I guess that is down to the individual and their working habits. Unfortunately the passphrase option will be invalid soon enough, so there is little choice. I guess no different to many other services now, you need either your mobile phone device, or a keyfob device to help protect your accounts.
 
Wouldn't you already have to have Internet access in order to be able to access Nominet's servers from that location, or am I missing something more obvious?
The point may be that in any circumstance where you are away from your usual devices, you'd have no way of accessing the online service; but that isn't much different than most.
 
Nominet's understanding of "optional" appears to be similar to their understanding of "consultation", just not the same definition as everyone else understands.
 
I'm still wrangling with Nominet on this to try and make it so 2fa is not mandatory. Apparently they are collating all feedback and my comments are being passed to someone's manager... vamos a ver, as they say over here.
 
Ok..............don't enable Nominet's 2FA, yesterday tried to login to my member panel and the 2FA code doesn't work which has been on my Google authenticator since setting it up.

As a result I phoned Nominet, they confirmed who I was and told me to send a utility bill via email to confirm address/name etc and they would remove the 2FA..............I then get an email saying :

In order to remove 2fa from your account we require a signed letter from the registrant NAME asking us to remove 2fa from your account, as well as a form of ID such as a driving licence and passport.

Once we receive the letter and ID we will be able to remove 2fa from your account.

Are they really asking for a physical signed letter to be sent just to remove 2FA, it's not like I'm asking my logins to change as well and all I wanted to bloody do was change my address on all the domains in the account due to a house move. Not what I need a couple of days before moving.

I won't be activating it again once it's unlocked, I can't be doing with sending a letter every time their codes mess up. ( never had any codes mess up with any other company in all the years of using 2FA and Google Authenticator )
 
I should say Tony who I spoke to on the phone was extremely helpful, pity I didn't reach him when emailing them as he said the utility bill would have been enough proof.
 
I'm sat here with @DaveP thinking about lunch. We both wonder whether you may have multiple Google Authenticator entries for the same email address, as is commonplace and, as a result, could be picking the wrong code for Nominet? We aren't saying you're stupid, just that people make mistakes particularly when under stress (house move). :)

Reminds me of the old days when one had to post letters to undertake domain name transfers. Will they accept the material by email?

Obviously they don't know you and don't want to be responsible for giving someone access to your WDM while you could be out of contact on an exotic holiday in the Seychelles. Better safe than sorry?

No....one device for Nominet which is my iPhone, stupidly didn't save the backup codes ( or I did but they are now in a pile of boxes ready to head to our new house ).

I've emailed back asking what was wrong with the utility bill that was requested over the phone, 2FA doesn't instantly grant access to my account, someone would still need to be able to know my logins to gain access and so removing 2FA alone shouldn't really be a massive deal. ( or at least being able to reset it over the phone or via email ).

When sending emails to Nominet from the domain to which the account belongs, a document with my name and address on.... and a phone call confirming my details you would think that would be enough just to turn it off and let me login normally.
 
I'm sat here with @DaveP thinking about lunch. We both wonder whether you may have multiple Google Authenticator entries for the same email address,

Just re-read what you wrote..............and blow me.......looking at Google Authenticator I have got two entries for Nominet. Why I have no idea as I only scanned the barcode once. Thanks @invincible I will attempt to use the second code now.

EDIT: And I'm in :D, unreal.
 
Trying to log in to online services on a weekend with a new mobile phone. My Authenticator details haven't transferred so need to contact Nominet. They only work weekdays :(
 
It's worth setting up an extra 2fa auth app on a second device. I think you can have up to 5 for a Nominet account. Then if you change your phone, you can still log in with the second device and set up the new phone's 2fa key.
 
A word to the wise. Some of these apps ask for the URL or name of the website using 2fa when you create an entry for its particular 2fa key. This is not actually needed as the key and the time are all that are needed to generate the login code. The URL or name of the website are just asked for to create a label in the app in case you log in to lots of different 2fa websites, so you can identify which profile is for which website.

Therefore I would advise you to give a false URL/ name because A) it is possible the app may send the key and website info to the app creator if it has been coded by a rogue, and B) if you lost your phone or it got hacked etc and someone gained access to the app they would be able to generate 2fa codes and the app would tell them which website the code is for!

This is particularly insecure if you are foolish enough to have the browser remember the website password as well as they would then have everything they need to log in.

Often a QR code is provided by the website using 2fa and read by the app. This contains the key and the website name, to save you typing it in. But again, this is a bad idea for the same reasons.

It is of course also more risky to have the app on your pc (or the same device you are logging into the website with), in case that device gets compromised. But you could keep a copy of a second spare 2fa key somewhere safe in case you lose/ change your phone, so you could install one of the 2fa apps and with the 2nd spare key get into Nominet so you can set up a new key for your new phone.
 
No, the QR code would not contain your password, just the 2fa key and the website details which in my opinion are better deleted/ edited to be something different so if a criminal gained access to the app they wouldn't know what website that 2fa code was for (or they would think it's for a different website e.g. you could call the Nominet one Facebook or something like that). If you do use the QR code and discover it's not possible to edit the website details then why bother with the QR code. It's really not much effort to just type the key into the app manually instead of using the QR code.

The browser extension isn't necessarily a risk per se, but obviously the whole point of 2fa is that a criminal would need both 2fa code and password to log in. So if the device you log on with (and enter the password with) is a different device to the one generating the 2fa code, then if they had compromised or stolen one they would not have the other so you have that extra layer of security.
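
Added example (not part of any post in this thread): a minimal RFC 6238 TOTP generator and a parser for the `otpauth://` URI that an enrolment QR code carries, showing that the label plays no part in the code and that a stale duplicate entry, like the two "Nominet" entries reported earlier in the thread, produces a code the server rejects. The sample URIs, keys and the `entries_accepted` helper are constructed for illustration, and the common defaults (HMAC-SHA1, 30-second step, 6 digits) are assumed.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, unquote, urlparse

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the only inputs are the key and the time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def parse_otpauth(uri):
    """Split the otpauth:// URI carried by an enrolment QR code."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = parse_qs(parts.query)
    return {"label": unquote(parts.path.lstrip("/")),
            "issuer": query.get("issuer", [""])[0],
            "secret": query["secret"][0]}

def entries_accepted(uris, server_secret, unix_time):
    """Labels of the app entries whose current code the server would accept."""
    expected = totp(server_secret, unix_time)
    return [e["label"] for e in map(parse_otpauth, uris)
            if hmac.compare_digest(totp(e["secret"], unix_time), expected)]

# Constructed sample data: the RFC 6238 test key plus a second, unrelated key.
SERVER_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
ENTRIES = [
    f"otpauth://totp/Nominet:user%40example.invalid?secret={SERVER_SECRET}&issuer=Nominet",
    f"otpauth://totp/Spare%20entry?secret={SERVER_SECRET}",  # relabelled, same key
    "otpauth://totp/Nominet%20(old)?secret=JBSWY3DPEHPK3PXP&issuer=Nominet",  # stale duplicate
]

if __name__ == "__main__":
    now = 59  # RFC 6238 test time, so the output is reproducible
    for uri in ENTRIES:
        entry = parse_otpauth(uri)
        print(f"{entry['label']!r:40} {totp(entry['secret'], now)}")
    print("accepted:", entries_accepted(ENTRIES, SERVER_SECRET, now))
```
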
 
@Pedigree, with the Authy app being removed from Chrome on Dec 22nd, have you deleted it and installed the desktop version?

I haven't done mine yet, and am wondering, when changing to the desktop version, does it also move the current token from the Authy app to the desktop version, anyone know?

I'm hoping it's just a case of downloading the desktop version and it's good to go to be able to login to Nominet, without all the tokens needing to be reset.
 
Say a criminal pickpockets someone's phone and manages to get into it somehow. Whilst trawling through the apps he finds the 2fa app with a profile called "Godaddy". He visits godaddy.com in the browser and finds the site has remembered the password. Or if not, he goes into the owner's email app, notes down the email address and does a password reset at godaddy. Then he's in and it's goodbye domains. But if the 2fa profile wasn't called Godaddy, if it was called Facebook or something it wouldn't be so easy.
 
