The Journey to Required 2-Factor Authentication at Verisign

The option to use two-factor authentication (2FA) for logging into the Verisign registrar account management portal is far from new. But making it a requirement in the summer of 2022 was a move more than a decade in the making.

Once an unusual tool used by companies at the leading edge of security, multi-factor (MFA) and two-factor authentication have become ubiquitous and essential for privacy and security almost anywhere on the internet. It’s something of a coming-of-age story for this useful piece of security technology.

In late July 2022, ICANN gave its formal approval and Verisign announced the mandatory security change, requiring its more than 2,000 registrars to provide a time-based one-time password (TOTP) along with their username and password to log into Verisign’s registrar account portals, where registrars can check account balances, update contacts and access marketing materials. A TOTP is a standardized, algorithm-generated, numeric single-use password that uses the time of day for uniqueness and security – even if compromised, the credential is only valid for a short window, often less than a minute, and is only valid in combination with the user’s password.

Voluntary adoption of this additional layer of security for registrar-registry communications had been relatively low since it was first introduced in 2009, according to Verisign’s Registry Services Evaluation Process (RSEP) request, with only about 200 registrars participating. But when Verisign was first testing the MFA waters, these now ubiquitous additional authentication steps were virtually unknown by the average end user, as well as cumbersome and costly.

“You have to understand that two-factor authentication was brand new. Nobody knew what it was or how it was going to work or what the impact was going to be,” said Joe Waldron, now a Verisign consultant and previously the company’s vice president of core naming services. ICANN authorized the voluntary option in mid-2009. Making it mandatory was the ultimate goal even at that point, but no timeline was set.

The Long Process of Stepping Up Security

In the late 1990s and early 2000s, early adopters – banks and financial firms in particular – were using 2FA or MFA primarily through physical “tokens,” USB key fobs or cards that randomly generated a new PIN with the push of a button. Passing out hard tokens for authentication was a little cumbersome but far more flexible than allow-/deny-listing IP addresses on a static access control list (ACL) for each customer.

Before 2FA was commonplace or user friendly, there were, and still are, ACLs. IP ACLs work by granting access to a system only if the user’s communications originate from a pre-determined, trusted IP address. Anyone not connecting from one of these “allowlisted” IP addresses is denied access, which can cause problems for employees working from anywhere other than their corporate network or through a VPN.

As most of the internet-using world now knows, today MFA is available from any device, on any network and requires users to provide two or more pieces of “evidence” they are a trusted user before granting access to a system or website. So, even if a password is compromised or stolen, bad actors still can’t access an MFA-protected account or system without also somehow obtaining additional factors.

Those “factors” are divided into the categories of something the trusted user knows, like a password or the answer to a predetermined question; something the trusted user has, like a “token” or card with ever-changing, algorithmically derived codes; and something the trusted user is, their biometrics, like a fingerprint, face or eye scan, or their voice.

And take note: using two factors from the same category doesn’t count – a password and the answer to a question both come from the “something a user knows” category and therefore is still single-factor authentication. A password plus a token-generated code, however, would be something the users know and something they have.

Generating and delivering those single-use codes to the right trusted user is considerably easier and less expensive in 2023 than it was in 2009. Now, additional authentication factors are often delivered by mobile phone, via text message or with an authenticator app.

In 2009, it was still early in MFA’s maturation and adoption cycle but by the mid 2010s, adoption and general awareness were sufficient to enable Verisign to offer a higher level of security, Waldron said – and the need for increasing security and privacy on the internet was clear.

As the DNS grew exponentially through the early 2000s and into the following decade, security risks – and high-profile breaches – grew along with it. After a 2015 breach of the Office of Personnel Management computer systems in which millions of federal employees’ personal information was stolen, the federal government got involved in encouraging all internet users to step up their security practices, at work and on their personal devices. In February 2016, then-President Barack Obama penned a Wall Street Journal op-edcommitting $3 billion to modernize security on federal computing systems, declaring passwords were not enough to protect businesses or consumers from bad actors on the internet and announcing a national awareness campaign to help standardize stepped-up security, #TurnOn2FA. Multifactor authentication had finally gone mainstream.

“Fast forward to 2018… this is a best practice for all industries to evolve into,” Waldron said. “[Verisign was] right at the forefront of this back in 2009 when we started making it available. And our leading registrars jumped on the bandwagon and have been using it all along.”

By May 2021, these security measures were so broadly accepted the Biden Administration issued an executive order requiring MFA to log into any federal agency system, among other cybersecurity initiatives.

Now, and What’s Next?

With the approval of the company’s July 2022 RESP, Verisign’s registrar portal access was able to move to mandatory 2FA, where one factor is a username and password and the second is a one-time passcode.

In addition to this 2FA requirement, ACLs can still be specified by the registrar, said Suzanne Kennedy, product management director at Verisign. Some registrars may choose to add ACLs for now, ensuring all user access is from in-house channels only; others may opt to not use ACLs enabling greater flexibility for offsite workers. Both options allow registrars to help guard against hackers accessing accounts and potentially wreaking havoc with registrars’ proprietary information and interactions with Verisign. Kennedy went on to say both options provide equivalent access to the portal and registrars are empowered to make choices consistent with their own business security preferences.

Verisign was ahead of the security curve with the 2FA option in 2009 but, in consensus with ICANN, made the decision not to mandate the technology at first. Forcing change – even when it contributes to the security, stability resilience of the DNS – can result in negative outcomes, Waldron said.

“It would have been more dramatic. It would have been more costly to the registrars. Nobody would have understood,” he said. “You know, it would have faced a lot more resistance if we had tried to do a full implementation right out the gate.”

Today, industry and global internet users are accustomed to the technology and authentication process of MFA, enabling a consistent and universal adoption of the approach.

Cybersecurity threats are constantly changing and so solutions must be ever-evolving, too. How will registries and registrars work together to identify and implement the next improvements in security technology? Waldron said for Verisign and the global internet community, the lessons learned over the course of MFA adoption include the importance of “dipping your toe in the water, easing in and getting people educated.” This same careful, methodical approach to solution identification and implementation, balancing the end objective with the timeline, will be a key foundation to adopting the next shift in security with equal success.