When we talked about how to manage your domain online, one tip we mentioned was using two-factor authentication on your registrar login for added security, without describing what two-factor authentication is and why it gives you any more security than a password.
At this point, we’re all familiar with logging in to an account online with a password, whether it’s email, social media, or your bank’s online portal. The reason is obvious: without one, someone who wanted access to your personal data, or in the case of a registrar’s online portal, your domains, would only need to obtain your username or even just your email address in order to steal your domains or personal data. When you enter your password, you authenticate yourself, which is just another way of saying that you prove your identity. A password is one “factor”.
While a password is pretty safe, because it’s based on something you *know*, it’s possible for a bad actor to obtain it in some way or another. A second factor adds another type of information that proves you are you: either something you have or something you are.
This is actually not such a new-fangled idea. When you go to an ATM to access your bank account, not only do you need your ATM card (something you have, the first factor), but you also need your PIN (something you know, the second factor). That way, if someone has your card but not your PIN—or if they have your PIN but not your card—they can’t steal your money. Someone would have to have both things to get access to your bank account.
Online, one way to augment an account password with a second factor that proves who you are is a password that only works once. When you log in with your username and password, before you can proceed you’ll have to enter an additional password or code. The simplest way this is done is by sending the code or password to you by email or by text message, proving that you have access to either your email address or your phone.
But of course these messages could potentially be intercepted, and phone numbers and email addresses can be compromised. Another, more advanced option is a time-based one-time password (or TOTP). This uses a secret shared between your account and your device, combined with the current time, to generate a new password every however-many seconds. This ensures a unique password every time you log in to your account.
This is the first two-factor authentication option we offered at Gandi. See more about how to use time-based, one-time password (TOTP) two-factor authentication with your Gandi account https://docs.gandi.net/en/account_management/security/totp.html
One-time passwords do have one flaw, though, which is that they are not immune to phishing or man-in-the-middle attacks. Phishing is when a fake website looks enough like the real thing to trick you into giving it your username, your password, and your one-time password. A man-in-the-middle attack is similar, though less common. Think of it like someone wiretapping you. You aren’t aware of it, but someone is listening in. Even with a time-based one-time password, it’s possible, if unlikely, for someone listening in or a fake site to get your password when you are entering it—or think you’re entering it—where it’s supposed to be.
The solution to this is to use public-key encryption—which is the same kind of encryption used by websites with https—to make sure that the right website and the right password are being used with nobody in between. This is called universal two-factor authentication or U2F.
An added benefit of U2F is the use of a hardware USB key for the whole process. The key plugs into a USB port like any other USB device and communicates automatically with your browser to authenticate the connection to the website you’re trying to log in to. It’s like having a physical house key (you can even put it on your keyring), so not only is it more secure, it’s also easier. There’s no typing involved (so no typos), and you don’t have to worry about being locked out of your account if your phone falls into a fish tank.
U2F is on the cutting edge of security. If you want to learn how to set this up on your Gandi account, check out our post here https://docs.gandi.net/en/account_management/security/u2f.html