You have probably seen the reports of the New York Times and high-profile registrars getting hacked, and of domains being used for political messages by partisan groups in the Syrian conflict.
While this has not happened at Gandi, we are all too aware that hackers are constantly trying to compromise Gandi accounts, and occasionally they succeed. Through techniques as simple as social engineering (basically, asking for the password), password guessing, and phishing, hackers try to gain access, and then transfer domains, use up your pre-paid account or use your hosting account to send spam. It is our job to make it harder for them to do this, while at the same time keeping our services easy for you to access and use. It is a difficult balance: "Security is the inverse of convenience", as the saying goes.
We think we have found that balance in two new features, one of which we are rolling out right now: Two-factor authentication. The other, IP address restriction, will be out in a few weeks.
What is two-factor authentication?
This simple technique for increasing the security of your Gandi account adds a second of the factors on which authentication is based to the login process. Authentication can be based on:
- Who you are
- What you know
- What you have with you
With a login and password, we are using only the second factor. With two-factor authentication, we add the third: your smartphone or computer. IP address restrictions will add a locational restriction on who can log in, which is an imperfect proxy for who you are (since presumably only you or someone close to you would be using your ISP account or your company network). Everything you do to make sure only you can access your account helps.
Your smartphone can run an app that generates a one-time code from a seed value that we supply you when you activate two-factor authentication, combined with the current time. We chose TOTP (time-based one-time passwords) to generate the codes, since there are apps for iOS and Android, as well as for Windows and Apple computers.
So, how do you activate two-factor authentication for your account?
First, you will need a TOTP application. You can find a partial listing of workable apps here.
Then just follow the steps in the tutorial on our documentation site.
One big concern we had was how to recover from a lost key, for instance if you were to lose your smartphone. This is why we ask you for an emergency contact phone number: it lets us get in touch with you there when you ask us to help you set up two-factor authentication again.
One final note: this is not a panacea. Please remember that all the factors of authentication are important, so even after you enable two-factor authentication, never share your password, or send it by email. We will do our part, but you are the one who has the most control over access to your accounts. Compute safely!