On Mon, 25 Feb 2019 12:14:59 -0700, Paul Ebersman said:
> ekuhnke> One thing to consider with authentication for domain registrar
> ekuhnke> accounts:
> ekuhnke> DO NOT USE 2FA VIA SMS.
> Yup. This is a good example of what I'm advocating. Just saying "use 2FA" or "use DNSSEC" or "have a CAA" isn't sufficient detail to make informed decisions of risk/effort/reward tradeoffs. Simplistic suggestions without details or context aren't doing anyone any favors.
> That said, even SMS 2FA is better than no 2FA. Barely. Just like forcing lousy passwords is better than no password but still not a best practice.
Feel free to suggest a workable 2FA. Personally, I use a Yubikey where I can. OATH seems to be a reasonable approach for technically minded people, but I'm not sure that it scales well to the people who own the long tail domains in the 40 million .coms. I can get oathtool to behave the way I want, but I'm not sure the owner of joes-bait-tackle-and-gunshop.com will be able to deal with it. Unless you get it down to the SMS "wait for a msg, type in the 6 digit number" level, it's going to be a tough start...