Authy-based 2-Factor Authentication Is Coming!
In today’s world we live so much of our lives online. We stay in contact with our friends. We shop online. We manage our finances online. And we run our businesses online. The security of our online world is of utmost importance to us, as individuals and as business owners.
At Namecheap, your security is hugely important to us. We want you to be able to experience the full breadth of the Internet securely and seamlessly. Which is why it has been a huge frustration to us here at Namecheap that we have only had 2-Factor Authentication via SMS and have not yet been able to deliver more secure 2FA to you. I know that we’ve been promising that it’s coming for some time now.
Now, it is coming.
Over the past two and a half years we have been doing the painful, yet vital, work to build a new technology platform that will enable us to bring new products and features to market much more quickly.
It will enable us to continuously adapt to your feedback about what you want and what you need: living up to our commitment to put our customers first. Prior to this, we’ve been operating on a technology system that was built from our birth 17 years ago. Our desire to deliver 2FA became victim to the limitations of this legacy platform.
We have offered 2FA via SMS. And we know that there are some limitations to that approach. We know that we have to do better.
We made the difficult decision to pause all new integrations and features until we could build and deliver a new platform that would set our technology development free. Finally, we are approaching the end of that process.
2FA was the most urgent priority that had to be sidelined while we built that capability. It is now first in the queue to be addressed. As CEO of Namecheap, I give you my commitment that we will deliver true 2FA within the next 60 days.
2FA is coming. Thank you for your patience while you’ve been waiting.
Can’t come soon enough! SMS isn’t great 2FA; Authy is good though, I use that as my primary keygen now. Cheers
This is good news. Great job.
GOOD!!! hope it will arrive as soon as possible.
Great news!
I actually have been waiting for this feature since I signed up for Namecheap 2 years ago (and the reason I chose it was that it supported net neutrality). It’s very good to have it at last as I really like Namecheap and didn’t want to be forced to move to another service because of the lack of features.
Having an entire new in-house made platform sounds even better and I think it will put you ahead in the competition.
Thanks and please keep up the great service!
*loud applause*
Great news! As a longtime customer of Namecheap, as well as a guy who works hard to utilize every security measure possible personally and in my business, I’ve been concerned about insecure SMS 2FA.
I know it’s hard to implement 2FA in many environments as evidenced by all the companies that offer 2FA but do so through SMS (like I have in the past with Namecheap, I ping all companies I do business with and strongly encourage them to choose a secure 2FA methodology!).
I applaud your commitment to make secure 2FA happen and believe me, it is much appreciated!
Bringing it down to the wire, only about a week left in those 60 days!
Seems like time is almost up and support say this is not going to happen by this date. Any update by someone that might have a clue?
Good news that Namecheap is making progress.
One more simple security factor that seems to be overlooked is your incorrect use of the “You last logged in at….” feature.
Instead of indicating when someone (hopefully me) last logged into my account it shows when I just logged in for that session! This is patently useless as a security feature and actually blanks any detail of when the account was last used prior to my immediate login.
Take a look at Banks and other financial institutions online for a quick guide – it’s only common sense and yet someone agreed that Namecheap would do it this insecure way…. probably without realising exactly how it would not work!
I strongly request that it be corrected please.
John Reed
Yay! Authy is great 🙂
Are there any plans to support Yubikey in the (near) future? Where possible, I’d like the ability to use mine, but so far only a handful of services support it.
There are no plans to use Yubikey at this time. Our team is always looking for ways to improve all of our services, so additional options may be available in the future.
Any update on this? 60 days has come and gone…
It’s live now.
:/
Guys, it’s coming tomorrow (July 11) at noon EST. Hold your horses, that’s less than 18 hours away 🙂
😀
We didn’t get Authy — we got your own app. Now I need to be online on my laptop AND my phone in order to approve login requests. With Google Authenticator / Authy, I don’t.
I left two comments on this post several days ago and they never got out of your moderation queue. I suspect Namecheap was embarrassed since one of your people inadvertently published a reply saying 2FA was launched. Obviously it was not.
Not owning up to that is pretty bush-league, and not bothering to publish my comments is not acceptable if you are running a blog, especially for a long-time customer like me.
Our new OneTouch 2FA launched today. I mistakenly posted an update before we had launched the updated 2FA option. My apologies for the confusion. We will have additional information about the new OneTouch option here on the blog shortly.
Appreciate the apology, Jackie. Two of my geek buddies with whom I share a passion for cyber security and 2FA in specific (two guys who are also Namecheap customers, BTW) read the post as well and, like me, had received your inadvertent post via an email push.
After I’d told them both at lunch how I’d commented but someone obviously nuked the comments or left them unapproved in the moderation queue, they were also bugged.
Just a helpful tip for next time: Don’t just unpublish a post into draft mode and then leave any comments unapproved. All it does is reflect negatively on Namecheap which then makes people like my two buddies and me suspicious about any future communications.
Hope this helps.
I appreciate your feedback. I assure you, there was no intent to deceive anyone. I just posted an update prematurely, as it was still in final testing, but it is live now.
Can I use the Authy app, or do I have to install yet another app on my phone to use your 2FA?
If you have your Namecheap account listed in the Authy app, you should be able to use the Authy app as well as the Namecheap app. Please report back if you have any issues with this.
It looks like the person who told me the Authy app will work was mistaken. Once again sorry for the misinformation – after I commented, I was informed that the Authy app will NOT be supported for this release but may be in the future. Again, I apologize for the confusion – we have a lot of people working on this project because it’s important to us. What I can promise is that we are always striving to improve things, and we take customer feedback seriously, so I will make sure the devs know this functionality is desired.
It’s a little bit confusing because to me the account appears inside Authy, but authentication only works inside the Namecheap app. I hope I can use only Authy soon.
Please can you let it be known to your product managers and dev team – it’s the 2FA *standard* that was desired, not a separate app – allow us to use standard TOTP/Authy/Google2FA so that we can manage the 2FA in our own way with apps that manage 2FA ‘for a living’ versus . This was a highly misleading blog post unfortunately.
Yup, we were all hoping for a standard 2FA method that will work with apps we already use (such as Google Authenticator or Authy).
I left this comment a little while ago, but it’s still not up: Is there a way to just use the existing Authy app, rather than the OneTouch app?
I’m disappointed. The mobile app is terrible and I would like to use Google Authenticator or Authy instead. I’d wish this meant the mobile app is getting better, but it has been honestly just a joke since its launch.
Our new OneTouch 2FA does utilize Authy, though it does require our app for now. Based on early feedback it sounds like they’re looking at ways to more fully integrate our system with the Authy platform.
I really hope so- the NameCheap app doesn’t seem available for my Windows Phone, while Authenticator works fine.
Some more information about the new system’s downfalls: The app backs up the login and 2FA information with Google Drive on Android phones and when restored it shows it’s working but it doesn’t. Most Authy systems have an SMS fallback, backup codes, or something but yours doesn’t. So for lack of any backup options and a wonky first-party option, I had to tell a support agent 10 fields of private information over about 30 minutes to get into my account.
I am using 2FA, but I’m not able to log into my account because I don’t receive SMSes!!!
We’re sorry to hear you’re experiencing difficulties using 2FA and logging into your account. Please reach out to our support team for assistance. https://www.namecheap.com/support.aspx
This made me register my newer domains with a competitor that has proper TOTP 2FA. Rest will follow.
Paid more than double for the domain, but this solution just won’t do :/
It’s disappointing to see after all this time that a proprietary (3rd party) app is needed. I don’t want to rely on my phone as a single point of access—what if I lose it? How will I get into my account? I’m sure that there will be a way, and I’m equally sure that it will cause unneeded extra stress.
Almost every app that I’ve used which offers 2FA will give me a code which I can save in my app of choice. (The only exceptions are banks.) For me, I don’t use Google Authenticator or Authy, but 1Password, but this is no problem: I use the same code (or scan a QR code) and save it to 1Password rather than Google Authenticator or Authy. One reason this is great is because if I lose my phone, all of my 1Password data is still available to me. The second reason is I don’t need an extra app. The third reason is I can authenticate from any device which has 1Password installed, not just a phone.
Since security is so important on domain names, this really is going to be a deal-breaker for many people.
But at the end of the day, some form of 2FA is better than none, and the app that the team have developed is better than relying on SMS. (We all know how easily hackers use social engineering to take control of mobile phone numbers.)
Very much looking forward to being able to use standard HMAC-based OTP 2FA apps. I’d much rather use Authy proper than the NameCheap based version – I want one app unified across all my devices – Authy can do this for me. In this day and age I’m surprised the choice would be to go with a proprietary build rather than leverage the time and dollars and time invested in well-known and industry standard 2-factor technologies.