Namecheap announces support for TOTP-based 2FA (namecheap.com)
32 points by pR0Ps on Nov 30, 2018 | hide | past | favorite | 25 comments



It's about time. This has been a wish list item for years. They had a proprietary 2FA option but that was a non-starter for me.


Any idea why companies would choose a proprietary 2FA solution? I see this with European banks all the time.


Honestly, we seriously dropped the ball trying something new. It was a mistake on my part and a bad decision looking back. I posted about it on our blog here https://www.namecheap.com/blog/true-totp-2fa-and-u2f-are-com...


I was one of the people who wrote long support requests to you guys detailing how much I disliked the system you had in place. I really respect your forthrightness here.


Thank you, I need to explicitly call out our/my shortcomings if we want to improve as a company going forward. We are making big changes to the way we are doing things and a commitment to full transparency and having open and honest conversations with our customers are the biggest of those.


Thanks, Richard, for being honest; this is why I choose Namecheap.


I want to let you know that your previous 2FA was so awful that I had to turn it off. I had Project FI service, and ported my number back to google voice, which permanently locked me out of my namecheap account. I contacted support for help, but by the time they had responded, I had already lost my opportunity on responding to a gig.

This is probably the worst place to air a grievance like this, but it seemed like my frustrations had fallen on deaf ears. I haven't bought a domain from namecheap since.


Thanks for the feedback I appreciate it and I am very sorry to hear about your experience. While I can't go back and change what happened, I want to let you know we recognize the mistakes we've made and I can assure you we are committed to learn from them going forward. I hope one day you'll make it back.


Sorry for the thread hijack, but:

Let's Encrypt. Ever going to roll it out?

I plan to switch away from Namecheap soon unless it's implemented, it's really disappointing to me.


Hello Fej, to be honest, we signed an exclusive contract with Comodo before Let's Encrypt even existed. The length of that contract is ten years. It's put us in a tough situation as far as what we can offer out of the box to our customers. While our customers can still install LE on our hosting services on their own, we can't actively do this for them. The only other option here is to break that contract which will cost us millions of dollars and it's something that I continue to consider.


Really appreciate the transparency shown in this comment. I recently moved away from Namecheap after 10 years of it being my primary registrar (mainly because of the crappy 2FA) but this is certainly making me reconsider.


Thank you and I'm sorry to hear that you left us. Please do try and check back with us at some point. I believe you'll see a difference in our approach to how we do things and the decisions we make going forward.


Sorry for the low quality comment but what a nice thing to say.

You guys are hosting my email and I couldn't be happier.


So we can expect it in 2024 then?


I requested this multiple times in surveys you presented me. Thank you for finally implementing it! I feel like my input was actually worth it!


I don't know about Namecheap, but I'd suspect the banks use proprietary solutions for the standard 2 reasons: 1) Something expensive feels more secure. The 50yo farts in suits are the ones making the decisions, not the devs who actually know why open standards are inherently more secure. 2) They have someone to blame when something goes wrong. If they implement TOTP insecurely and data gets stolen, they're on the hook. If RSA (or whoever else) screws up, the bank can point their finger at them since their programmers are usually the ones who do the integration.


TOTP is far too easily phishable. User studies have shown that in any large organisation, some small percentage of even the most technical staff will enter an OTP into a phishing page. You might think 'I'm not that dumb', but study after study shows you are!

The future is hardware U2F tokens. They can securely check the web-origin of a request and only give the token to the correct origin.


Depends on your threat model; not everyone is going to pay for a hardware U2F token. Not every application needs that high security. TOTP is an option definitely better than just a plain password, which is what most services use today.


I hated having to use a proprietary app for this (even if it was based on the Authy SDK), so this is a nice improvement.

I'd really like to see U2F support though as well, domains are very valuable assets and deserve the strongest protection possible.


Their old one was so bad I actually learned how to use route 53 just to migrate out of it.

Their CEO is just pretending to be forthright here. I have a tweet where he replied to me from February 2014 that said Google Auth support is coming in a couple of months.

This all happened because I got locked out of my namecheap account when THEIR system wouldn't SMS me the code and they had problems with the voice calling.

So I emailed support. They called me 5 hours later to ask me a bunch of questions. Here's the funny part: they called me on the number I had used for 2FA. Isn't the fact that I answered that number proof enough that I had it?

Everything they do is half-assed, including their Frankenstein panel that's a mix of their old interface and their new one.

Anyway. Good riddance. Only use namecheap if you can't afford the $1 it costs to host your dns on route53.


Agreed, there was a big issue with the communication about 2FA. And then the proprietary app was rolled out, in what seemed more like a checkbox ticking exercise. At that point I also migrated and haven't looked back.

Why a checkbox ticking exercise? Even the Oct 2018 post by the CEO [1] says "[...] our proprietary app, was not well-received by many of you and did not serve you in the way many of you preferred to use 2FA." Apart from being such bullshit corpo speak, how was one single second factor device per person sufficient for critical infrastructure? What was I supposed to do, buy two phones? If a place is so clueless about 2FA, run. You can almost be sure they don't use 2FA internally.

(While I'm here, allow me to name and shame Patreon, who used to support TOTP, but removed that option and now only have SMS [2])

[1] https://www.namecheap.com/blog/true-totp-2fa-and-u2f-are-com...

[2] https://support.patreon.com/hc/en-us/articles/206538086-How-...


No excuses, you're right, we made a bad decision then and losing customers like you was the consequence of that. I apologize for that and any other negative experiences you may have had with us due to this.


I do respect you for stepping up here, and my experience with Namecheap was very good (barring 2FA). I guess it comes down to trust, which is hard to gauge.

The other thing that would stop me from returning to or recommending Namecheap is GDPR compliance, or lack thereof. While I don't expect you to fight ICANN, it's a blocker. (Obviously, not many registrars offering compliance at the moment...)


While we still have some gaps around GDPR we have active workstreams to close them. We've also rolled out free privacy protection to all of our customers, not just those in the EU. I can also say that we've always been extremely careful with sharing any customer data with third parties even before GDPR came into the conversation. Customer privacy is not something I believe should ever be compromised on. While we've made some dumb decisions, I can assure you it was always well intended. Even our previous lack of speed to fixes was due to us making a conscious decision to go back and rebuild our entire infrastructure and code base so that we can be more flexible and agile in the future. It was a hard sacrifice to make and it affected our customers negatively but I believe it will lead to a better future with what we'll be able to deliver to our customers in terms of effectively and seamlessly solving their problems. Hopefully you'll come back some time in the future and you can judge us by our actions and what we are building and delivering and not just my words.


Maybe I'm missing something (or just lucky) :-), but I have been using Namecheap for years (and recommended them to others) and I haven't had issue with the 2FA. What's the specific issue? Thanks.



