Quote:
Originally Posted by Vendot
With Namecheap 2FA you always have to confirm using the code you get in Phone or SMS so I don't see how this will add any extra benefit.
The idea is that the additional challenge (say, in the event of an alien IP) would require you to access the registrar site directly. The SMS could warn that the client should type in the URL directly, and/or check the verified company name in the address bar.
So it goes like this...
1) First 2FA value is captured by the phish site and passed through. At this point, if the login were to succeed, they would have control of your account.
2) Registrar sees unknown & geographically disparate IP (the phish site) logging into that account, sends SMS to client with further instructions to further verify the login.
3) SMS warns of a possible breach and advises the client to load the registrar site directly in order to complete the login, which may then require them to change their password, or to confirm that the new IP on the other side of the world is actually legit.
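The three steps above, modelled as server-side logic in an added example (my own toy code, not Namecheap's or the poster's): the registrar issues no session on a login from an unfamiliar IP even when password and first 2FA code are correct, sends the out-of-band instruction, and only grants or locks the account once the client answers from a session they opened themselves. Account names, IP addresses and message text are constructed.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Registrar:
    """Toy registrar login service with a risk-based step-up (constructed example)."""
    known_ips: dict                                  # account -> set of IPs seen before
    pending: dict = field(default_factory=dict)      # account -> (challenge code, flagged IP)
    sms_outbox: list = field(default_factory=list)   # messages "sent" to the client's phone
    sessions: dict = field(default_factory=dict)     # session token -> account
    must_reset: set = field(default_factory=set)     # accounts locked pending a password change

    def _grant(self, account: str) -> dict:
        token = secrets.token_urlsafe(16)
        self.sessions[token] = account
        return {"status": "ok", "session": token}

    def login(self, account: str, creds_ok: bool, totp_ok: bool, client_ip: str) -> dict:
        """Step 1: password and first 2FA code arrive, possibly relayed by a phish site."""
        if account in self.must_reset or not (creds_ok and totp_ok):
            return {"status": "denied"}
        if client_ip in self.known_ips.get(account, set()):
            return self._grant(account)
        # Step 2: unfamiliar IP, so no session is issued; start an out-of-band challenge.
        code = secrets.token_hex(4)
        self.pending[account] = (code, client_ip)
        # Step 3: the SMS tells the client to type the registrar URL themselves.
        self.sms_outbox.append(
            f"{account}: login attempt from unknown IP {client_ip}. Do not enter this on the "
            f"page you were using; type the registrar URL directly and enter code {code}.")
        return {"status": "step_up_required"}

    def complete_step_up(self, account: str, code: str, login_was_me: bool) -> dict:
        """Called from the session the client opened directly; they say whether the flagged
        login was theirs. A real service would also cap attempts and expire the code."""
        entry = self.pending.get(account)
        if entry is None or not secrets.compare_digest(entry[0], code):
            return {"status": "denied"}
        del self.pending[account]
        flagged_ip = entry[1]
        if not login_was_me:
            # Treat it as a compromise: nothing works until the password is changed.
            self.must_reset.add(account)
            return {"status": "password_reset_required", "flagged_ip": flagged_ip}
        # Client confirms they really are on the far side of the world: remember the IP.
        self.known_ips.setdefault(account, set()).add(flagged_ip)
        return self._grant(account)
```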