Verisign to mandate 2FA for .com registrars
Over 2,000 registrars are likely to be affected by a new Verisign policy making two-factor authentication mandatory when logging into the company’s registrar portal.
ICANN has given the preliminary nod to a Verisign proposal to make 2FA, which has been available on an optional basis for over a decade, mandatory.
Voluntary adoption of the security feature has been light since it was first introduced in 2009. According to Verisign’s Registry Services Evaluation Process request (pdf), only around 200 registrars currently use it.
There were 2,446 active .com registrars at the last count. The RSEP also applies to .net and .name.
The 2FA system requires registrars to enter a one-time password, in addition to their usual credentials, whenever they log in to their accounts.
The change applies only to registrars logging into Verisign’s web site to manage their accounts, not to registrants who own .com domains. Nor does it apply to under-the-hood EPP transactions, the automated Extensible Provisioning Protocol sessions that registrars’ own systems use to create and update domains, which are unaffected by the new requirement.
The company is hoping to implement the change pretty damn quick: its June 30 RSEP states that it will start giving registrars a 30-day notice period the following day, before ICANN had even formally approved the change.
ICANN approval (pdf) came yesterday, so presumably 2FA will become mandatory in a matter of days.
Smart move by Verisign especially considering the Supply Chain security requirements contained in Article 18 paragraph 2.d of NIS 2.0 regarding “direct suppliers or service providers.” While some TLD registries impose 2FA between Registrars and Registrants (e.g. .BANK) it appears that Verisign has limited this 2FA to Registrars only which would seem to align with the “direct supplier or service provider” requirements in Article 18.
While most of the domain name industry has focused on Article 23, Article 18 is much more relevant, as Article 31 Paragraph 4 provides the following: “infringements by essential entities of the obligations laid down in Article 18 or Article 20 shall, in accordance with paragraphs 2 and 3 of this Article, be subject to administrative fines of a maximum of at least 10 000 000 EUR or 2% of the total worldwide annual turnover of the undertaking to which the entity belongs in the preceding financial year, whichever is higher.”
Hopefully the entire domain name ecosystem will up its security game.
You couldn’t be any more wrong than to support this.
That is just so wrong and reprehensible.
Things can and do go wrong with it. And of course they know it. Which is perhaps even the point.
Since 1984-style power-mad nation-destroying covid tyranny and psychopathy began, everyone’s been letting loose, running to get in on the “mandate” mania now.
Sick people just love having power and imposing control over others.
PS: and to further state the obvious that shouldn’t even need to be said (and they obviously don’t care about), it’s a horrible waste of time to impose on people.