Archive for the ‘Login Security’ Category

Login Security Agent Live

Monday, January 25th, 2016

Usually, for the weekly blog post we try to write about something informative, about a new service we’re rolling out, etc. This past Wednesday, though, we had an interesting incident in our support team we’d like to share with you.

Mid-afternoon, William Wakely, a relatively new customer for Register4Less, contacted our support via the secure online chat on our website. He was reporting that every time he logged out of his account, his password would get reset. He was able to log back in by using the email that is sent with the Lost Password function.

Passwords of course will not reset themselves.  The only way for a password to get changed is for someone that is already logged in to go to the menu Profile > Change Password and submit a new password.  Once we were able to confirm William was the true domain owner, we asked him to check the Login Security Agent (LSA) page (also under Profile).

Sure enough, William was able to see there was another login session active from a different IP address.  William provided us with the IP address, and we were able to see this was coming from a different internet service provider from his, and not one that he recognized.

William had not yet set up the LSA kill password, so he did that while we were still on our chat session, and once set up, terminated the other person’s login session, and then reset his password.

We don’t actively track how frequently the LSA kill session function is used, though we could if we went through all of our log files. It was however interesting and rewarding to be chatting with a customer and help them use this function live. With any other registrar, the customer and true domain owner would not have been able to kick the other person off of their account, so resolving this problem would not have been easy. LSA saved the integrity of William’s account!

Register4Less.com Account Security Features

Monday, December 14th, 2015

Domain security is in our opinion the most important service a registrar can provide for their clients.  The ramifications of an account being compromised are potentially huge.

Encrypted Passwords

Your password, whether it’s for domain management, an FTP password, or access to your email, is stored encrypted. We do keep the last 4 characters of the login password for account verification purposes. Keeping passwords encrypted in our databases ensures only you (and those to whom you have chosen to share your password) will be able to log into your account with us. No employee or service provider to register4less.com will ever be able to see your login password.

Login Security Agent

Our patented Login Security Agent provides 24/7 account monitoring, and is set up to notify you when a login session has been created on your account.  In addition to notifying you of a successful login to your account, the LSA service gives you the ability to terminate the login session.

LSA has been designed to deal with the one element of account security that we as a registrar cannot control, the human factor.  Ways in which an account could be compromised include:

  • Leaving a login session active on a computer
  • Logging into your account on a public terminal that’s infected with malware
  • Sending an email in plain text with the account information in the body of the email
  • Leaving login credentials written down, etc.

When you set up LSA on your account, you will specify LSA to send a notification when logging in from a connection on any IP address, or you can specify an IP to be ignored.  You will create a “kill password” with the account as well.  This kill password cannot be changed, so you want to ensure it’s one that you will remember.

Let’s go with the scenario that someone malicious has gained your login username and password, and is logging into your account in order to steal your domains.  As soon as this person logs into your account, you will receive a notice that a login session has been created, and from what IP address the person is connecting.  You will recognize that this is not you logging in.

To kick the hacker off, log into your account, and go to Profile > Login Security Agent.  You’ll enter in the Kill Password, and then click the Kill Sessions button.  The next link the hacker will click will log them off the account.  The login password is automatically reset by LSA when you click the Kill Sessions button.  You’ll then need to change your password to a new one, and your account is now once again secure.
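The flow described above depends on sessions being tracked server-side so they can be revoked. The following sketch is an added example, not Register4Less's implementation: the `Account` class, its method names, the scrypt-hashed kill password, the "keep the caller's session" behaviour and the `password_reset_required` flag are all assumptions made for illustration, and the IP addresses are constructed.

```python
import hashlib
import hmac
import secrets

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

class Account:
    def __init__(self, kill_password: str, ignored_ips=()):
        self.salt = secrets.token_bytes(16)
        self.kill_hash = _kdf(kill_password, self.salt)  # never stored in clear
        self.ignored_ips = set(ignored_ips)
        self.sessions = {}     # token -> source IP, held on the server
        self.notices = []      # stand-in for the notification e-mail
        self.password_reset_required = False

    def login(self, ip: str) -> str:
        """Called after the login password check; returns the session token."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = ip
        if ip not in self.ignored_ips:
            self.notices.append(f"login session created from {ip}")
        return token

    def is_active(self, token: str) -> bool:
        """Checked on every request, so a killed session fails on its next click."""
        return token in self.sessions

    def kill_sessions(self, caller_token: str, kill_password: str) -> list:
        """Drop every session except the caller's; returns the IPs removed."""
        if not self.is_active(caller_token):
            return []
        supplied = _kdf(kill_password, self.salt)
        if not hmac.compare_digest(supplied, self.kill_hash):
            return []          # wrong kill password: nothing changes
        killed = [ip for t, ip in self.sessions.items() if t != caller_token]
        self.sessions = {caller_token: self.sessions[caller_token]}
        self.password_reset_required = True  # force a new login password
        return killed
```

Because the kill password is separate from the login password, someone who holds only the stolen login credentials cannot use this function to evict the real owner.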

Two Factor Authentication

Two Factor Authentication combines the Google Authenticator app for your smartphone and your normal login password. The app will generate a 6 digit number that’s unique to the app that’s running on your phone. When you log in, you will enter in the 6 digit code after your password (no spaces).
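How a server can check a login submitted in this "password followed by 6 digit code" form is shown below as an added example; it is not Register4Less's code. It uses the RFC 6238 TOTP settings Google Authenticator defaults to (HMAC-SHA1, 30 second step); the function names, the one-step clock drift allowance, the replay counter and the scrypt password hash are assumptions.

```python
import hashlib
import hmac
import struct
import time

STEP, DIGITS = 30, 6   # seconds per code, digits per code

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def totp(secret: bytes, at: float) -> str:
    """RFC 6238 code for the 30-second step containing time `at`."""
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def split_credential(submitted: str):
    """Split password + trailing 6 digits (no space); None if malformed."""
    code = submitted[-DIGITS:]
    if len(submitted) <= DIGITS or not (code.isascii() and code.isdigit()):
        return None
    return submitted[:-DIGITS], code

def verify_login(submitted, stored_hash, salt, secret, now=None, last_counter=-1):
    """Return the accepted time-step counter, or None if the login fails."""
    now = time.time() if now is None else now
    parts = split_credential(submitted)
    if parts is None:
        return None
    password, code = parts
    # Always check both factors so timing does not reveal which one failed.
    pw_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    accepted = None
    for drift in (-1, 0, 1):                     # tolerate one step of clock skew
        counter = int(now) // STEP + drift
        fresh = counter > last_counter           # refuse a code already used
        if fresh and hmac.compare_digest(totp(secret, counter * STEP), code):
            accepted = counter
    return accepted if pw_ok else None
```

The caller stores the returned counter per account and passes it back as `last_counter` on the next attempt, so a code captured in transit cannot be replayed within its validity window.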

Our Patented Login Security Agent

Friday, September 19th, 2014

As an ICANN accredited registrar, we take the security on your account very seriously. The measures we take include:

  • Having any page where you provide sensitive information SSL encrypted and behind a login session.
  • Optional two factor authentication, where an app on your smart phone or tablet provides a 6 digit code you add to your regular password. A new code is generated every thirty seconds.
  • A strength indicator rates your password when you create or update a new password on our system.

(more…)

Two Factor Authentication

Friday, April 25th, 2014
Sample screen shot of iPhone app showing TFA code

TFA – Two Factor Authentication

The development team at R4L has added a new security feature for account login called Two Factor Authentication (TFA).  Once configured, TFA will automatically generate a new 6 digit code every 30 seconds, and this is required with your current login password in order to access your account.

(more…)