Namecheap announces support for TOTP-based 2FA

Namecheap announces support for TOTP-based 2FA(namecheap.com)

32 points by pR0Ps 7 years ago | 25 comments

It's about time. This has been a wish list item for years. They had a proprietary 2FA option but that was a non-starter for me.

philfrasty 7 years ago | |

Any idea why companies would choose a proprietary 2FA solution? I see this with European banks all the time.

NamecheapCEO 7 years ago | | |

Honestly, we seriously dropped the ball trying something new. It was a mistake on my part and a bad decision looking back. I posted about it on our blog here https://www.namecheap.com/blog/true-totp-2fa-and-u2f-are-com...

franga2000 7 years ago | | |

I don't know about Namecheap, but I'd suspect the banks use proprietary solutions for the standard 2 reasons: 1) Something expensive feels more secure. The 50yo farts in suits are the ones making the decisions, not the devs who actually know why open standards are inherently more secure. 2) They have someone to blame when something goes wrong. If they implement TOTP insecurely and data gets stolen, they're on the hook. If RSA (or whoever else) screws up, the bank can point their finger at them since their programmers are usually the ones who do the integration.

londons_explore 7 years ago |

TOTP is far too easily phishable. User studies have shown that in any large organisation, some small percentage of even the most technical staff will enter an OTP into a phishing page. You might think 'I'm not that dumb', but study after study shows you are!

The future is hardware U2F tokens. They can securely check the web-origin of a request and only give the token to the correct origin.

manquer 7 years ago | |

Depends on your threat model, not everyone is going to pay for a hardware U2F . Not every application needs that high security. TOTP is an option definitely better than just plain password, which is what most services use today

r1ch 7 years ago |

I hated having to use a proprietary app for this (even if it was based on the Authy SDK), so this is a nice improvement.

I'd really like to see U2F support though as well, domains are very valuable assets and deserve the strongest protection possible.

philtar 7 years ago |

Their old one was so bad I actually learned how to use route 53 just to migrate out of it.

Their CEO is just pretending to be forthright here. I have a tweet where he replied to me from February 2014 that said Google Auth support is coming in a couple of months.

This all happened because I got locked out of my namecheap account when THEIR system wouldn't sms me the code and they had problems with the voice calling.

So I emailed support. They called me 5 hours later to ask me a bunch of questions. Here's the funny part: they called me on the number I had used for 2FA. Isn't the fact that I answered that number proof enough that I had it?

Everything they do is half assed including their Frankenstein panel that's a mix of their old interface and their new one.

Anyway. Good riddance. Only use namecheap if you can't afford the $1 it costs to host your dns on route53.

guitarbill 7 years ago | |

Agreed, there was a big issue with the communication about 2FA. And then the proprietary app was rolled out, in what seemed more like a checkbox ticking exercise. At that point I also migrated and haven't looked back.

Why a checkbox ticking exercise? Even the Oct 2018 post by the CEO [1] says "[...] our proprietary app, was not well-received by many of you and did not serve you in the way many of you preferred to use 2FA." Apart from being such bullshit corpo speak, how was one single second factor device per person sufficient for critical infrastructure? What was I supposed to do, buy two phones? If a place is so clueless about 2FA, run. You can almost be sure they don't use 2FA internally.

(While I'm here, allow me to name and shame Patreon, who used to support TOTP, but removed that option and now only have SMS [2])

[1] https://www.namecheap.com/blog/true-totp-2fa-and-u2f-are-com...

[2] https://support.patreon.com/hc/en-us/articles/206538086-How-...

NamecheapCEO 7 years ago | | |

No excuses, you're right, we made a bad decision then and losing customers like you was the consequence of that. I apologize for that and any other negative experiences you may have had with us due to this.

kc3 7 years ago | |

Maybe I'm missing something (or just lucky) :-), but I have been using Namecheap for years (and recommended them to others) and I haven't had issue with the 2FA. What's the specific issue? Thanks.