A few years ago I sold all my stuff to explore the world, creating 12 startups in 12 months and building $1M+/y companies as an indie maker such as Nomad List and Remote OK. I'm also a big pusher of remote work and async and analyze the effects it has on society. Follow me on Twitter or see my list of posts. My first book MAKE is out now. Contact me
levels.io

Namecheap still doesn't support 2FA in 2017 (update: they do now!)

Tech
May 8, 2017

Namecheap supports an outdated form of 2FA, namely SMS-based authentication. It doesn’t support the modern crypto-based 2FA you probably know from using Google Authenticator (or Authy). Instead, Namecheap sends you a numeric code by SMS that you enter. This sounds like a good idea, but it’s not anymore:

Time to stop using mobile SMS for two factor authentication.
https://t.co/ic5M7DGhjY (via @thepacketrat)

— Steve Song (@stevesong) May 5, 2017

It’s been proven repeatedly over the last few years that SMS is insecure and easily hijackable. Just this week someone’s Verizon phone got socially engineered and hacked:

  1. Hackers got access to my @verizon through what I'm sure was social engineering. They then reset 2fa on my gmail using my number. 2)

— Philip Francis (@philfrancis77) May 8, 2017

He recommends disabling SMS 2FA on all your accounts:

.@verizon USE 2FA for everything. Disassociate mobile number from 2fa. and use a @BitcoinTrezor or @LedgerHQ

— Philip Francis (@philfrancis77) May 8, 2017

In Namecheap’s case that means no 2FA at all, because SMS 2FA is all they offer in 2017.

Now, people run million-dollar businesses on Namecheap domains that are literally secured by a single SMS code. Domains are a great attack vector: take control of someone’s domains and you can deface their website or impersonate them by copying it, receive ALL the domain’s incoming email, and send email impersonating them. From there you can request Forget Password on people’s user accounts on any platform and in turn break into those accounts. That means potentially access to people’s private email, social media accounts, badly secured bitcoin wallets (e.g. on Bitstamp) and any service where you have auto-payment enabled, which means they can just buy a lot of stuff and you’ll pay for it. We know this. Namecheap knows this.

And we knew this 4 years ago already, so we asked them to add Google 2FA:

@Namecheap Are you guys going to add Google 2FA / #Authy 2FA?

— Jason Swindle (@Human_USB) December 17, 2013

@Human_USB In the next coming months. Should be Q1 2014 🙂

— Namecheap.com (@Namecheap) December 19, 2013

I asked them about it 3 years ago:

If you'd like @Namecheap to support 2FA w/ Google Authenticator, let them know and RT this

— Pieter Levels @ (@levelsio) May 7, 2014

@levelsio We're well aware and it's something we're currently in the process of building. We have acknowledged this as well.

— Namecheap.com (@Namecheap) May 7, 2014

Even Matt Cutts from Google asked:

@Namecheap two-factor authentication is a big step forward–congrats! Would love to see a Google Authenticator/offline option, not just SMS.

— Matt Cutts (@mattcutts) January 30, 2014

@mattcutts thanks. google authenticator is in the works – we’ve had 2fa since october!

— Teddy Worcester (@teddy) January 30, 2014

Then 2 years ago:

RT this if you'd like to get @NameCheap to support Google Authenticator-type 2-factor authentication (2FA)

— Pieter Levels @ (@levelsio) November 19, 2015

@levelsio We are already working on it.

— Namecheap.com (@Namecheap) November 19, 2015

1 year ago:

RT if you want @namecheap to start supporting Google 2FA

— Pieter Levels @ (@levelsio) February 8, 2016

@DeanPerry @levelsio  I've forwarded it to the department responsible so that they consider implementing Google 2FA

— Namecheap.com (@Namecheap) February 8, 2016

Today:

.@Namecheap why do you still use mobile SMS for two factor authentication? https://t.co/4772pO6TOm

— Natan Gesher (@gesher) May 7, 2017

@Namecheap Great. That wasn't so difficult, was it?

So why is it taking you over four years to do something that lots of companies do in four months?

— Natan Gesher (@gesher) May 8, 2017

@gesher Certainly, the advance of 2FA is prioritized and we are working at it

— Namecheap.com (@Namecheap) May 8, 2017

That’s an awfully long time to “build” 2-factor authentication, isn’t it?

Implementing 2FA is not trivial at the level of Namecheap. It’s a giant company, with probably millions of user accounts. It needs to be developed and tested. You don’t want to make security WORSE by implementing it badly. I get it.

But it shouldn’t take 4 years. It should take maybe 4 months or a bit longer. Something else is going on and Namecheap isn’t talking.

This isn’t just “annoying” anymore, this is now a solid attack vector for any and all Namecheap customers.

Namecheap, 2017 is calling, are you going to pick up?

Update: Yes, after 3 years Namecheap finally picked up. I received a Twitter DM after this post from one of their amazing support reps with more details on why 2FA wasn’t ready yet:

We made the difficult decision to pause all new integrations and features until we could build and deliver a new platform that would set our technology development free. Finally, we are approaching the end of that process.

TL;DR it was a big engineering struggle. I told them to just say that instead of beating around the bush. People are okay with it, but please just be transparent. So they did:

2FA was the most urgent priority that had to be sidelined while we built that capability. It is now first in the queue to be addressed. As CEO of Namecheap, I give you my commitment that we will deliver true 2FA within the next 60 days.

— Richard Kirkendall, NameCheap blog

That means that in 60 days, so around 10 July 2017, Namecheap supports 2FA. Let’s hope they can make it! If not, cue Twitter Outrage II…

Update 2017-07-12: We did it! All our pressure worked. Namecheap has introduced true 2FA. Not via Google Authenticator, but via their iOS app, which lets you approve or deny login attempts with fingerprint authentication.
