Over 2,000 registrars are likely to be affected by a new Verisign policy making two-factor authentication mandatory when logging into the company’s registrar portal.
ICANN has given the preliminary nod to a Verisign proposal to make 2FA, which has been available on an optional basis for over a decade, mandatory.
Voluntary adoption of the security feature has been light since it was first introduced in 2009. According to Verisign’s Registry Services Evaluation Process request (pdf) only around 200 registrars currently use it.
There were 2,446 active .com registrars at the last count. The RSEP also applies to .net and .name.
The 2FA system requires registrars to enter a one-time password, in addition to their usual credentials, whenever they log in to their accounts.
The change only applies to registrars logging into Verisign’s web site to manage their accounts, not to registrants who have .com domains. It does not apply to under-the-hood EPP transactions.
The company is hoping to implement the change pretty damn quick — its June 30 RSEP states that it will start to give registrars a 30-day noticed period the following day, before ICANN had even formally approved the change.
ICANN approval (pdf) came yesterday, so presumably 2FA will become mandatory in a matter of days.