Correct. Use a registrar with 2FA using an authenticator or hardware key. No SMS 2FA. Rolling 5-year renewals will work for not letting the domain expire, but not for this scenario.
Agreed, definitely use 2FA if it's offered. What many people don't realize is that there are a lot of registrars still using less secure platforms. So moving to a more secure registrar can help as well.
I mention registering for 5 years in the future because if something like this happens, there will be no question as to whether or not you lost the domain because it expired.
I'm actually not sure for this type of attack how much I'd value OTP authenticators over SMS. They are both vulnerable to phishing in the same way.
What I'd like to see a lot more of is WebAuthn specifically, rather than "hardware keys" generally. It's frustrating to me that the outfits I deal with only have OTP and not WebAuthn.
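The phishing point raised in the two comments above, as an added simulation (this is not code from any commenter or from any registrar): a TOTP code typed into a look-alike page can be forwarded to the real site inside the same 30-second window and is accepted, because the verifier only sees a valid code; a WebAuthn assertion is signed over clientDataJSON, which the browser (not the page) fills with the origin the user is actually on, so the relying party rejects anything signed from the wrong origin, and rewriting the origin breaks the signature. The origins `registrar.example` and `registrar-login.example`, the challenges and the TOTP seed are constructed for the example. Real browsers additionally refuse to produce an assertion when the requested RP ID is not a registrable suffix of the page origin; that check is omitted here so the relying-party side check is visible.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"time"
)

// Hypothetical names for the simulation: the registrar and a look-alike phishing site.
const (
	registrarOrigin = "https://registrar.example"
	registrarRPID   = "registrar.example"
	phishOrigin     = "https://registrar-login.example"
)

// totp is RFC 6238 (HMAC-SHA1, 30 s step, 6 digits).
func totp(secret []byte, t time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTPRelayAttackSucceeds: the user types the code into the phishing page and the
// phisher forwards it to the real registrar within the same step. The registrar's
// check carries no information about where the code was typed, so it passes.
func TOTPRelayAttackSucceeds() bool {
	secret := []byte("constructed-shared-seed") // constructed seed for the simulation
	now := time.Now()
	typedOnPhishPage := totp(secret, now) // victim reads it from the authenticator app
	return hmac.Equal([]byte(totp(secret, now)), []byte(typedOnPhishPage))
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // simplified to rpIdHash only (flags/counter omitted)
	Signature      []byte
}

// browserGet models navigator.credentials.get(): the browser writes the origin it is
// really on into clientDataJSON; the authenticator signs authData || sha256(clientDataJSON).
func browserGet(priv *ecdsa.PrivateKey, pageOrigin, rpID, challenge string) (assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, rpHash[:]...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return assertion{}, err
	}
	return assertion{ClientDataJSON: cd, AuthData: rpHash[:], Signature: sig}, nil
}

// rpVerify is the registrar's check: type, challenge, origin and rpIdHash must match
// the registrar's own values, and the signature must cover exactly those bytes.
func rpVerify(pub *ecdsa.PublicKey, a assertion, expectedChallenge string) bool {
	var cd clientData
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil {
		return false
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge || cd.Origin != registrarOrigin {
		return false // signed from a page that is not the registrar
	}
	want := sha256.Sum256([]byte(registrarRPID))
	if len(a.AuthData) < 32 || !hmac.Equal(a.AuthData[:32], want[:]) {
		return false
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	return ecdsa.VerifyASN1(pub, digest[:], a.Signature)
}

func newCredential() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Legitimate login from the real registrar page.
func WebAuthnLegitimateLoginSucceeds() bool {
	key := newCredential()
	a, err := browserGet(key, registrarOrigin, registrarRPID, "challenge-1")
	return err == nil && rpVerify(&key.PublicKey, a, "challenge-1")
}

// Phisher relays the registrar's challenge; the victim signs it from the phishing page.
func WebAuthnRelayAttackSucceeds() bool {
	key := newCredential()
	a, err := browserGet(key, phishOrigin, registrarRPID, "challenge-2")
	return err == nil && rpVerify(&key.PublicKey, a, "challenge-2")
}

// Phisher rewrites the origin inside clientDataJSON before forwarding: signature breaks.
func WebAuthnTamperedOriginSucceeds() bool {
	key := newCredential()
	a, err := browserGet(key, phishOrigin, registrarRPID, "challenge-3")
	if err != nil {
		return false
	}
	a.ClientDataJSON = []byte(`{"type":"webauthn.get","challenge":"challenge-3","origin":"` + registrarOrigin + `"}`)
	return rpVerify(&key.PublicKey, a, "challenge-3")
}

func main() {
	fmt.Println("TOTP code relayed by phisher accepted:", TOTPRelayAttackSucceeds())
	fmt.Println("WebAuthn login from real page accepted:", WebAuthnLegitimateLoginSucceeds())
	fmt.Println("WebAuthn assertion relayed from phish accepted:", WebAuthnRelayAttackSucceeds())
	fmt.Println("WebAuthn assertion with rewritten origin accepted:", WebAuthnTamperedOriginSucceeds())
}
```

The TOTP case passes because the verifier receives nothing but a six-digit code; the WebAuthn cases fail at the origin comparison or at the signature check, which is the property the comment above is asking registrars for.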
This actually rules out a substantive number of registrars. I have a statement from an account manager at our wholesale supplier arguing that the requirement to know both the email address and password is considered "two factor" in the industry.
I don't see why offering MFA hasn't been made a requirement in order to be an accredited domain registrar.