Secure Your Account with U2F Authentication
At Namecheap, we know that your website is your business. It’s critical that your domains, hosting, and other products remain secure against hackers.
As part of our ongoing commitment to protecting our customers’ accounts, we’re excited to announce the addition of Universal Second Factor (U2F) authentication. It’s free and can be easily configured to use with your account.
The Importance of Two-Factor Authentication
Typically when you log into an online service, you use your username or email address and a password to authenticate yourself. The problem is, it’s relatively easy for hackers to gain access to that combination, putting your account at risk. Two-Factor Authentication (2FA) solves that problem by requiring an additional piece of identification to confirm you’re the actual owner of the user account.
Last fall Namecheap introduced Time-based One-Time Password two-factor authentication (TOTP 2FA) for our accounts. But we always strive to do better for our customers.
Introducing Universal Second Factor (U2F)
Universal 2nd Factor (U2F) is an open authentication standard. Initially developed by Google and Yubico, the FIDO Alliance now oversees the U2F standard.
U2F is a different way to implement two-factor authentication (2FA) that is both stronger and simpler than other methods. It’s a more robust option than TOTP (Time-based One-Time Password algorithm) methods in particular because U2F uses public key cryptography to verify identity. With U2F, the user is the only one who holds the secret (the private key), whereas TOTP relies on a secret shared with the service.
With U2F you don’t need to type in codes from an app on your smartphone. Instead, this technology uses a small, specialized USB or NFC device that includes your encrypted information (not unlike a wireless mouse dongle or Chromecast stick).
Because there is no shared secret or code, providers don’t have to maintain confidential databases of second-factor secrets, so hacking a company’s database does not give unscrupulous individuals a way into your private accounts.
Benefits of U2F
We recommend all customers consider using U2F to secure their Namecheap account—as well as other online accounts such as Facebook, GitHub, Google, Dropbox, and KeePass.
Why is this such a great idea? Here are some of the benefits of U2F:
- No secret is sent over the Internet. Instead, your private key is stored inside the U2F device. It will never be shared, as it can never leave the device. No viruses or hackers can access it.
- No confidential information will ever be shared, thanks to public key cryptography.
- Easier to use. You don’t have to constantly retrieve codes from a smartphone.
- No retyping of one-time codes.
- It’s impossible to forge, copy, or duplicate keys (although you can register multiple security keys on an account).
- Protects against phishing attempts. The response the device produces is tied to the URL of the website the key was registered with, so spoofed URLs will not work.
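The "no shared secret" and phishing-protection points above can be seen in a small Node.js simulation, added here as an illustration and not taken from Namecheap or the FIDO specification. The names `SecurityKey`, `browserAssert` and `verifyAssertion` and both example origins are assumptions, and the real U2F message also covers a user-presence byte and a counter, which are omitted.

```javascript
const crypto = require('crypto');
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Simulated security key: one key pair per site; private keys stay inside it.
class SecurityKey {
  #keys = new Map();
  register(appId) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.#keys.set(appId, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // all the site gets
  }
  sign(appId, clientData) {
    const key = this.#keys.get(appId);
    if (!key) return null; // no credential registered for this origin
    const msg = Buffer.concat([sha256(appId), sha256(clientData)]);
    return crypto.sign('sha256', msg, key);
  }
}

// Browser role: the browser, not the page, records the origin actually visited.
function browserAssert(key, actualOrigin, challenge) {
  const clientData = JSON.stringify({ challenge, origin: actualOrigin });
  return { clientData, signature: key.sign(actualOrigin, clientData) };
}

// Site role: holds only the public key and checks origin, challenge, signature.
function verifyAssertion(publicKeyPem, origin, challenge, assertion) {
  if (!assertion.signature) return false;
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== origin || data.challenge !== challenge) return false;
  const msg = Buffer.concat([sha256(origin), sha256(assertion.clientData)]);
  return crypto.verify('sha256', msg, publicKeyPem, assertion.signature);
}

function demo() {
  const SITE = 'https://www.example.com';   // constructed real site
  const FAKE = 'https://login.example.net'; // constructed look-alike site
  const key = new SecurityKey();
  const stored = key.register(SITE);
  const c1 = crypto.randomBytes(16).toString('hex');
  const c2 = crypto.randomBytes(16).toString('hex');
  const good = browserAssert(key, SITE, c1);
  return {
    genuine: verifyAssertion(stored, SITE, c1, good),
    replayed: verifyAssertion(stored, SITE, c2, good), // old answer, new challenge
    phished: verifyAssertion(stored, SITE, c1, browserAssert(key, FAKE, c1)),
  };
}
console.log(demo());
```

Unlike a TOTP code, which is valid for whichever site receives it during its time window, the response here is only accepted for the origin and challenge it was produced for.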
How Does U2F Work?
To get started with U2F, you’ll need just a few things:
- Windows, Mac, Linux, or Android device (Currently U2F does not work with iOS devices.)
- U2F security key. You can use any U2F key for 2FA, such as YubiKey. (If you want to use it with an Android device, make sure to purchase a security key with NFC.)
- Google Chrome, Mozilla Firefox or Edge browser
The first time you enable U2F at a participating website, you’ll need to configure the security key with your account credentials. Then, once you’ve configured your device to work with the new site, you authenticate yourself with your username and password, and then prove you’re the legitimate owner of the account with a tap on the device.
At Namecheap, we make configuration a snap. We allow an unlimited number of U2F identities, which means that you can have a number of devices registered for one account, and vice versa: one device can be used to log in to an unlimited number of accounts. That can be very helpful if you manage an account with multiple users, or if you have multiple Namecheap accounts.
As a fail-safe, Namecheap will require you to save backup codes during the initial setup of the device. Those backup codes allow you to log in if you don’t have the device handy.
Need More Assistance?
Be sure to check out our helpful guide to help you get started with U2F at Namecheap.
If you have questions about U2F or need help getting it set up with your Namecheap account, you’re welcome to contact our customer support team, who are available 24/7 to assist you.
I’m not convinced. Instead of using TOTP, which would remove the need for an internet connection on my phone to log in, you’ve added the need for an additional hardware device. How is this better?
I get that this would be great for very high security accounts that have a bunch of high profile domains, but an average Joe is now still stuck with the crappy app. Can you please start supporting TOTP?
We currently offer both TOTP as well as U2F. You can learn more on our TOTP page.
We have had many people asking for U2F. Because it requires a special device with additional encryption, it is considered to be the most secure option. However, we understand that it may not be the best solution for everyone, which is why we now offer both options for our customers.
I have a problem with the 2-factor authentication: connecting a USB and connecting to Bluetooth is confusing and frustrating, and I can’t log in. Please can you guys give me an option of fingerprint?
Sorry to hear you’re having trouble. To get assistance for now, please reach out to our customer support team. As for your suggestion, I will pass it along. Thanks!
With respect to 2FA and Namecheap’s Private Email hosting: can’t the second factor be bypassed simply by using POP3 or IMAP? Namecheap’s 2FA implementation seems to protect only the web interface to Private Email. An attacker with only a user’s password can read the user’s email using POP3 or IMAP.