Namecheap supports an outdated form of 2FA, namely SMS-based authentication. It doesn’t support the modern crypto-based 2FA you probably know from using Google Authenticator (or Authy). Namecheap instead send you a numeric code by SMS that you enter. This sounds like a good idea, but it’s not anymore:
Time to stop using mobile SMS for two factor authentication.
https://t.co/ic5M7DGhjY (via @thepacketrat)— Steve Song (@stevesong) May 5, 2017
It’s been proven repeatedly over the last few years that SMS is insecure and easily hijackable. Just this week someone’s Verizon phone got socially engineered and hacked:
- Hackers got access to my @verizon through what I'm sure was social engineering. They then reset 2fa on my gmail using my number. 2)
— Philip Francis (@philfrancis77) May 8, 2017
He recommends to disable SMS 2FA on all your accounts:
.@verizon USE 2FA for everything. Disassociate mobile number from 2fa. and use a @BitcoinTrezor or @LedgerHQ
— Philip Francis (@philfrancis77) May 8, 2017
In Namecheap’s case that means no 2FA at all, because SMS 2FA is all they offer in 2017.
Now, people run million dollar businesses with Namecheap domains that are literally secured by a single SMS code. Domains are a great attack vector: take control over someone’s domains, and you can deface or impersonate them copying their website or receive ALL the domain’s email coming in. As well as sending email impersonating them. From there you can get request Forget Password on people’s user accounts on any platform and in turn break in to those accounts. That means potentially access to people’s private email, social media accounts, badly secured bitcoin wallets (e.g. on Bitstamp) and any service where you have auto-payment enabled, which means they can just buy a lot of stuff and you’ll pay for it. We know this. Namecheap knows this.
And we knew this 4 years ago already, so we asked them to add Google 2FA:
@Namecheap Are you guys going to add Google 2FA / #Authy 2FA?
— Jason Swindle (@Human_USB) December 17, 2013
@Human_USB In the next coming months. Should be Q1 2014 🙂
— Namecheap.com (@Namecheap) December 19, 2013
I asked them about it 3 years ago:
If you'd like @Namecheap to support 2FA w/ Google Authenticator, let them know and RT this
— Pieter Levels @ (@levelsio) May 7, 2014
@levelsio We're well aware and it's something we're currently in the process of building. We have acknowledged this as well.
— Namecheap.com (@Namecheap) May 7, 2014
Even Matt Cuts from Google asked:
@Namecheap two-factor authentication is a big step forward–congrats! Would love to see a Google Authenticator/offline option, not just SMS.
— Matt Cutts (@mattcutts) January 30, 2014
@mattcutts thanks. google authenticator is in the works – we’ve had 2fa since october!
— Teddy Worcester (@teddy) January 30, 2014
Then 2 years ago:
RT this if you'd like to get @NameCheap to support Google Authenticator-type 2-factor authentication (2FA)
— Pieter Levels @ (@levelsio) November 19, 2015
@levelsio We are already working on it.
— Namecheap.com (@Namecheap) November 19, 2015
1 year ago:
RT if you want @namecheap to start supporting Google 2FA
— Pieter Levels @ (@levelsio) February 8, 2016
@DeanPerry @levelsio I've forwarded it to the department responsible so that they consider implementing Google 2FA
— Namecheap.com (@Namecheap) February 8, 2016
Today:
.@Namecheap why do you still use mobile SMS for two factor authentication? https://t.co/4772pO6TOm
— Natan Gesher (@gesher) May 7, 2017
@Namecheap Great. That wasn't so difficult, was it?
So why is it taking you over four years to do something that lots of companies do in four months?
— Natan Gesher (@gesher) May 8, 2017
@gesher Certainly, the advance of 2FA is prioritized and we are working at it
— Namecheap.com (@Namecheap) May 8, 2017
That’s an awfully long time to “build” 2-factor authentication isn’t it?
Implementing 2FA is not trivial at the level of Namecheap. It’s a giant company, with probably millions of users accounts. It needs to be developed and tested. You don’t want to make security WORSE if you implement it badly. I get it.
But it shouldn’t take 4 years. It should take maybe 4 months or a bit longer. Something else is going on and Namecheap isn’t talking.
This isn’t just “annoying” anymore, this is now a solid attack vector for any and all Namecheap customers.
Namecheap, 2017 is calling, are you going to pickup?
Update: Yes, after 3 years Namecheap finally picked up. I received a Twitter DM after this post from one of their amazing support reps with more details why 2FA wasn’t ready yet:
We made the difficult decision to pause all new integrations and features until we could build and deliver a new platform that would set our technology development free. Finally, we are approaching the end of that process.
TL;DR it was a big engineering struggle. I told them to just tell that instead of beating around the bush. People are okay, but please just be transparent. So they did:
2FA was the most urgent priority that had to be sidelined while we built that capability. It is now first in the queue to be addressed. As CEO of Namecheap, I give you my commitment that we will deliver true 2FA within the next 60 days.
— Richard Kirkendall NameCheap blog
That means, in 60 days, that’s ~ 10 July 2017, Namecheap supports 2FA. Let’s hope they can make it! If not, cue Twitter Outrage II…
Update 2017-07-12: We did it! All our pressure worked. Namecheap has introduced true 2FA. Not via Google Authenticator, but via their iOS app to approve or deny log in attempts with fingerprint authentication:
P.S. I'm on Twitter too if you'd like to follow more of my stories. And I wrote a book called MAKE about building startups without funding. See a list of my stories or contact me. To get an alert when I write a new blog post, you can subscribe below: