Three Factor Authentication Provided by DynaDot

Domains getting stolen is not new. Like every valuable object in the world, premium domains are susceptible to being taken. What differs is the mechanism by which these are stolen compared to physical objects. Usually, it’s one of these methods:

  • Phishing attacks: These manifest when users are tricked into clicking on links that mimic the real URL and site and the user is led to believe that they are on a legitimate site. Once the user enters the credentials on these illegal/fake sites, the password is stolen.
  • Simple/Obvious passwords: Having simple or obvious passwords is the biggest reason why passwords are a weak form of security. There are various reasons for users having weak passwords, but it’s a reality that we live in today.
  • Social Engineering: In this form of attack, the attacker tries to impersonate a user (when interacting with a registrar) or impersonate a registrar (when interacting with a user) and somehow gain access to the domain(s). Social engineering predates the internet and can be as old as any trick.

There may be other forms of attacks in the wild as well, but the ones mentioned above are the most common. In the past few years, as stolen domains became a big issue and registrants wanted more security, registrars started offering two-factor authentication. With two-factor authentication, some other form of authentication is used in addition to a password. Most commonly, the second form of authentication is something that the user possesses exclusively. These days, the second form of authentication involves a code that expires in a short span of time and is SMSed (texted) to the registrant after authenticating with a correct password. The user then enters the SMSed code to gain access to their account. This is another layer of security in case the password is compromised.

In my opinion, this is a big step up by registrars to provide extra service to their customers. But keep in mind that two-factor authentication is NOT a silver bullet against names being stolen; it just makes stealing harder. For example, an attacker can social engineer the telecom company into transferring the SIM card to them. See these two links about how SIM cards can be compromised: Link1 and Link2. When this happens, the attacker can receive SMSs from the registrar for authentication and, along with the compromised password, gain access to a user’s domains.

DynaDot, a registrar, has recently come out with a different approach to preventing domains from getting stolen. Instead of using SMSs for authentication, DynaDot uses Google Authenticator to authenticate the user along with the username and password. Google Authenticator is an app that generates a time-based (60 seconds) one-time password that can be used to log in. However, even after the user logs in, the account is still secure, as transferring domains out or getting the EPP code requires unlocking the account again. Unlocking the account requires:

  1. Month and date of birth
  2. The token code from Google Authenticator
  3. A token code from SMS

As you can observe from the above, getting all three could be challenging. Again, these are extra layers of security that decrease the chances of domains being stolen; they are not 100% secure. Also, note that with DynaDot, once an account is unlocked by correctly entering the above three pieces of information, it gets locked again automatically after 60 minutes.
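The unlock flow described above, sketched as an added example (this is not DynaDot's code): an RFC 6238 time-based code check plus a gate that needs all three items and relocks after 60 minutes. The `TransferLock` class, its method names, the 5-minute SMS lifetime and the single-use rules are assumptions made for illustration; the time step is a parameter (30 seconds is the RFC 6238 default).

```python
import hashlib, hmac, secrets, struct

def totp(key: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) with RFC 4226 dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TransferLock:
    """Hypothetical gate in front of transfer-out / EPP-code requests."""
    UNLOCK_TTL = 60 * 60   # from the post: account relocks after 60 minutes
    SMS_TTL = 5 * 60       # assumption: lifetime of the texted code

    def __init__(self, birth_mmdd: str, totp_key: bytes):
        self.birth_mmdd, self.totp_key = birth_mmdd, totp_key
        self.sms_code, self.sms_sent_at = None, 0.0
        self.unlocked_at = None
        self.last_step = -1  # highest TOTP time step already accepted

    def send_sms_code(self, now: float) -> str:
        self.sms_code = f"{secrets.randbelow(10**6):06d}"
        self.sms_sent_at = now
        return self.sms_code  # a real service texts this instead of returning it

    def unlock(self, birth_mmdd, app_code, sms_code, now, step=30) -> bool:
        cur = int(now) // step
        # Evaluate every factor before deciding, so a failure
        # does not reveal which of the three was wrong.
        ok_birth = hmac.compare_digest(birth_mmdd.encode(), self.birth_mmdd.encode())
        ok_app = cur > self.last_step and hmac.compare_digest(
            app_code.encode(), totp(self.totp_key, now, step).encode())
        ok_sms = (self.sms_code is not None
                  and now - self.sms_sent_at <= self.SMS_TTL
                  and hmac.compare_digest(sms_code.encode(), self.sms_code.encode()))
        self.sms_code = None  # texted code is single-use, pass or fail
        if not (ok_birth and ok_app and ok_sms):
            return False
        self.last_step, self.unlocked_at = cur, now  # blocks replay of this step
        return True

    def is_unlocked(self, now: float) -> bool:
        return self.unlocked_at is not None and now - self.unlocked_at < self.UNLOCK_TTL
```

Because the app code is derived from a shared secret and the clock rather than delivered over the phone network, a SIM swap alone yields only the third item on the list.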

In the future, I expect that biometrics will be ubiquitous and will be used to secure domains.

Disclaimer: This is NOT a paid post.

The .bharat IDN Offered for Free by Indian Registry

First off, I apologize for being out of action for almost two weeks. Several awesome developments have taken place that I need to share. First, the news by the Indian registry about offering the .bharat IDN for free.

The registry is making a BIG BIG push to make the Indian ccTLDs a mainstream extension that could rival .COM. You can check the news about this endeavor here. The first salvo is to offer the .bharat extension for free. Currently, based on the information I have, only Mitsu and are respecting the free .bharat domain mandate by the registry. Mitsu is charging a Rs. 21 (~$0.29) platform fee (that they pay to LogicBoxes). However, is bearing the cost and giving the names away for FREE. Keep in mind this is for the first year ONLY.

The IDNs are available in seven languages — Hindi, Telugu, Urdu, Gujarati, Bengali, Punjabi and Tamil. More information about it here – To convert Hindi words written in English to Hindi script , you can use this tool: . Finally, to convert between PunyCode and Unicode and vice-versa, you could also use this tool:

So, I think this is a noble and well-intended decision by the registry to give these for free. I assume that the purpose of giving the .bharat IDN for free is so that rural Indian businesses where English is not the primary language can get online and make their presence felt. I would imagine that almost every company that is aware of the advantages of being online can use this opportunity to get a feel for the logistics of getting online and whether it helps them improve their business. Moreover, even if only 5% of the businesses that have adopted a .bharat domain renew their domain for the next year, it’s still a HUGE win for the registry. Also, companies that have renewed their domains would spread awareness to other businesses!! Finally, hosting companies and web development companies can also take advantage of this.

My sincere request to the registry is to advertise the above promotion in non-English and regional newspapers. It will definitely help.

NEW Ad Campaign to Promote .IN Extension Planned

In the past week, important news broke about the registry planning to launch a massive ad campaign to promote the .in extension. So what does this mean and what could we expect? Here is my attempt to summarize what the news is and describe some background information as well.

1. The .IN registry falls under NIXI, which, in turn, falls under the Ministry of Electronics and Information Technology (MEIT). The MEIT is headed by our honorable minister Mr. Ravi Shankar Prasad. Below is the org chart: there is a Secretary to the ministry and, under the Secretary, a group of Joint Secretaries (JCs). The NIXI group is headed by JC Mr. Rajiv Bansal, who is designated as the CEO of NIXI. The announcement about the new ad campaign was made by him.


2. Initiatives like Make in India, Digital India, and Start-up India have taken off on a right and positive track; promotion of .IN may piggyback on their momentum and also provide a necessary service for launching their online presence.

3. Another point that the ad campaign wants to drive is to bring a nationalist flavour of owning the .in domain.

4. To promote registering domains in the native language, the IDN .bharat will also be encouraged. I think there is a place for .bharat NOW rather than later. Most of India does not use English as a first language, and .bharat will facilitate rural India getting online. Imagine the power of this? Mind-blowing, to say the least. Even 1-2 pages by a local rural entity will go a long way. I’ll leave the reason why India is called Bharat for another day.

5. NIXI did run a few ad campaigns in 2012, as seen below. It would be interesting to see how it’s done and what the theme is. IMHO, the registry has a few options:

a. Make a funny ad,
b. Make an informative ad with/without humour,
c. Make a provocative ad akin to what GoDaddy does. Although this would appeal to metros more than other places.

6. NIXI has also run a few social campaigns this year; I covered them here.


Sample Size and Sampling

Another off-beat post and the reason I bring this post up is to show that a small sample size is sufficient for most needs. You might have heard during elections that there are tons of opinion polls about the election result. Also, notice that every poll has small print at the bottom giving the margin of error. Usually it is between 3-5%. So how do they arrive at this number?

It is simply the power of sampling: by just taking a survey of around 1,000-2,000 people, a margin of error of ~3% can be reached. Without beating around the bush, the general way to calculate the margin of error in sampling is by this formula:

$$E \equiv \frac{1}{\sqrt{n}}$$

The above is NOT an exact formula for margin of error but an approximate one. In the above formula, n is the sample size, and if we plug in 1000 for n, we get around 3.16%. Basically, I’m trying to explain that an n of just 1,000 would not give a large margin of error.
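Where the approximation comes from (a derivation added here, not part of the original post), assuming a simple random sample, a 95% confidence level ($z \approx 1.96$) and the worst-case proportion $p = \tfrac{1}{2}$:

$$E = z\sqrt{\frac{p(1-p)}{n}} \;\le\; 1.96\sqrt{\frac{\tfrac{1}{2}\cdot\tfrac{1}{2}}{n}} = \frac{0.98}{\sqrt{n}} \approx \frac{1}{\sqrt{n}}$$

For $n = 1000$ the unrounded bound is $0.98/\sqrt{1000} \approx 3.1\%$, close to the 3.16% from the shortcut. Since $E$ shrinks only as $1/\sqrt{n}$, halving the margin of error takes four times the sample.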

Of course, opinion polls cannot always predict the outcome of an election because of several factors (even if you account for margin of error):

  • Selection bias: Usually folks being surveyed may be of the same demographics and hence not representative of the whole population.
  • Lying on the survey: People lie on the polls.
  • Do not vote: Some do not vote on election day.
  • Change mind: Some will change their mind on election day.
  • Method of sampling: There are many ways to sample, and each method has its own set of pros and cons. You can check the Wikipedia page for more details.

So, how is this related to domains or .in domains in general? Well, it all boils down to the number of reported .IN sales over the years. As you are aware, few sales are made public, and thus it is difficult to gauge the trend in the value of the domain. If you look at the sales page I maintain here, there are about 1,000 sales in there. This might seem small at first compared to .COM and other ccTLDs, but it is a good enough sample size to gauge a pattern/approximate value.