True TOTP 2FA and U2F Are Coming

Dear customers,

We’ve heard you loud and clear.

Our last implementation of 2FA, using Authy OneTouch matched to our proprietary app, was not well-received by many of you and did not serve you in the way many of you preferred to use 2FA.

While we had good intentions, we took a chance on what we thought was a new way to implement and use 2FA. I can tell by your feedback that we missed the mark.

In the future, we will do a better job of reviewing new technologies and products we are considering rolling out, as well as speak directly to you, our customers, so that we can be sure we are bringing you only the solutions you actually want and need.

The above being said, I want to let you know that true TOTP (Time-based One-Time Password) implementation is on its way. We will also be implementing U2F (Universal Two-Factor Authentication). Look for TOTP to be rolled out first in the coming weeks and for U2F to follow not too far behind.

We will also make an official announcement once it is fully integrated.

Thanks again for being patient with us throughout this. You have my promise, we’ll get this right and do a better job on what we bring you going forward.

Gratefully Yours,
Richard Kirkendall

21 thoughts on “True TOTP 2FA and U2F Are Coming”

  1. This is great news. The one-touch app caused me a lot of headache, but caused your Risk Management team as much headache as I had to constantly bug them to unlock accounts when I broke a phone and suddenly had no way to log in…

    Looking forward to U2F–that’s true security!

  2. Wow, I can’t wait for that. The one-touch app didn’t work on my phone and the SMS OTP didn’t work either; I wasn’t getting the SMS.

    I think integration with the Google Authenticator app should be added.

  3. TRU! The ONLY way I got back into my account was to find an old transaction on PayPal which was under my mother’s name so I had to get her birth certificate to prove myself. 2FA did not help at all, it basically made it harder for ourselves to get in.

    CEO if you also could, please make a 2FA Remember-Cookie so that we don’t have to 2FA every single time we close our browser (Session Only cookies SUCK)

  4. It’s nice to see a company that is committed to implementing effective 2FA. I wish more sites would take it seriously like PayPal and banks.

  5. While I was not somebody who expressed dissatisfaction, I am still very pleased to hear that TOTP is on the way. This is what I currently use for the vast majority of 2FA, and find it’s much more convenient. After all, we *want* people to use good security practices… and if they aren’t convenient, would they?

    Kudos to Namecheap for listening and being responsive!

  6. Daaaamn, if real TOTP will be implemented, I’ll be happy forever. This was a looong way, because many other domain providers implemented this feature a long time ago, so I started to think about my domain migration, for the sake of security.
    Now I can allow myself to stay where I am, with your company.

    Great news!

  7. I agree with the previous posts, in particular regarding the possibility of including “an email method for 2FA, and not just cell phone”, and “Session Only cookies SUCK”: making the process so “secure” and inconvenient that many will simply not even use it, is counterproductive IMHO! Hopefully, each user can choose their own level of security (and convenience).

    I agree with one more comment above: “Kudos to Namecheap for listening and being responsive!”! Thanks!

  8. Just to add to one of the requests, pieces of feedback listed above. Once you move to the more standard MFA implementation, is it also possible to implement (or extend at a future date) the ability to remember you’ve used MFA on a trusted device for up to a period of time?

    Microsoft offers this with their implementation. By default, you need to provide the MFA code each time. You can (as an admin) turn on the ability for the end user to elect to remember you’ve used a token on a trusted device up to a maximum period of time (e.g. 30 days).

    It seems to work well, as if you have a physically secure and trusted device you can elect to not need MFA for up to 30 days. If you are using an untrusted device, you simply don’t tick the ‘remember code for 30 days’, then when you close the browser the session is destroyed.

    As a user/admin this level of control seems to work really well.

  9. Please do not allow email to be the second factor. It would not be 2 factor. Email is already the alternative first factor (if you can receive emails you do not need your password).

    As an industry we need to do a much better job educating people about what 2FA really is and what it actually protects against.

  10. Just checking in on how this is tracking. The blog post said in the coming weeks, and we are now halfway through November.