2FA for .nz Domains
There aren't many .nz domain name registrars supporting Two Factor Authentication.
My website is on
.co.nz. And so is my email. I want good security for my domain registration, because hacking domains allows you to intercept email, and intercepting email allows resetting passwords on other services.
A minimum bar for "good security" in 2020 is two-factor-authentication support, or 2FA. However, it seems relatively few
.nz domain registrars offer this. This post summarizes my research into which registrars do.
Domain registration in NZ is handled by the Domain Name Comission (DNC). DNC lists all the authorised NZ registrars. Other websites can sell
.nz domains, but are resellers.
DNC's wholesale price is 15NZD/year, so you won't see prices lower than that.
I'd like whois privacy. It's been available for NZ domains since 2018.
- The Individual Registrant Privacy Option (IRPO) is for individual registrants that are not using the domain name for significant trade.
All NZ registrars are required to provide this, but most international registrars go through resellers and don't support whois privacy. So I want an official NZ registrar that the DNC deals with directly.
I went through the registrars listed, and a few big international ones. I'm looking for ones that fill me with confidence - 2FA and preferably big enough to invest in a security team. I've (a bit harshly) ruled out a lot of sites that don't inspire confidence, through being small, having bad web design. These businesses are probably fine, but I'm explicitly prioritising security and confidence.
|Name||Authorised nz Registrar?||.nz Domains?||2FA?||co.nz Price/Year||Pricing URL||2FA URL||Comment|
|1stDomains||Yes||Yes||Yes||25.50 NZD||https://1stdomains.nz/register/||I've filed a feature request, they don't have it||I used to use 1stdomains for their low prices.Just ridiculous that they don't have 2FA in 2020. UI hasn't updated in ~10 years, which doesn't inspire confidence that they have an empowered dev/security team.|
|Gandi||Yes||Yes||Yes||34.73 AUD (~22 USD)||https://www.gandi.net/en-AU/domain/tld/nz||https://docs.gandi.net/en/account_management/security/totp.html||Huge international player. More confident in their security. More expensive|
|Metaname||Yes||Yes||Yes||25 NZD + GST(?)||https://metaname.net/my/pricing||https://metaname.net/public/two_factor_authentication||UI is quite bad. Registering with their UI is a pain. I ran into bugs in uploading zones, had to email them, they manually fixed my data but AFAICT didn't fix the underlying issue. Not confidence inspiring|
|GoDaddy||No||Yes||Yes||34.95 AUD||https://nz.godaddy.com/domainsearch/find?checkAvail=1&tmskey=&domainToCheck=asdfasdf.co.nz||https://au.godaddy.com/help/enable-two-step-verification-7502||Probably OK security, but they're a reseller, so probably don't support whois privacy.|
|Google Domains||No||Yes||Yes||28 AUD||https://support.google.com/domains/answer/6010092?hl=en&ref_topic=3314003||https://www.google.com.au/landing/2step/||Probably great security, but they're a reseller, so don't support whois privacy.
Google Domains now actually allows you to buy with a billing address in Australia (you used to have to fake it to the USA): https://support.google.com/domains/answer/4639612?hl=en. But not New Zealand billing addresses. Wild.|
|namecheap.com||No||No||Yes||Doesn't support .nz||https://www.namecheap.com/domains/registration/results/?domain=asdasdf.co.nz||https://www.namecheap.com/security/2fa-two-factor-authentication/||Doesn't support .nz|
|AWS||No||Yes||Yes||24 USD = 36 AUD||https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-register.html||https://help.hover.com/hc/en-us/articles/217282267-How-to-Enable-two-step-sign-in-on-your-Hover-account||Probably great security, but they're a reseller, so probably won't support whois privacy.|
|Hover.com||No||Yes||Yes||24.99 USD||https://www.hover.com/domains/results?utf8=%E2%9C%93&q=asdfasdf.co.nz||https://help.hover.com/hc/en-us/articles/217282267-How-to-Enable-two-step-sign-in-on-your-Hover-account||Lot of podcasts talking about Hover! But they go through resellers for .nz domains|
|iwantmyname.com||Yes||Yes||Yes||24.90 AUD||https://iwantmyname.com/?domain=asdfasdf.co.nz||https://iwantmyname.com/blog/2015/06/getting-started-with-iwantmyname||Their support page is broken. Everything redirects to https://iwantmyname.com/support/faq
Reddit says they're NZ based and have 2FA: https://www.reddit.com/r/newzealand/comments/761wge/good_domain_registrar/doc7lxf/. 2FA is by authy.|
|name.com||Yes||Yes||Yes||35.99 USD||https://www.name.com/domain/search/asdfasdf.co.nz||https://www.name.com/two-step-verification||Pretty expensive|
|register.com||Yes||Yes||No||75.00 USD!||Had to put it in cart, couldn't find a pricing page||Can't find any 2FA info.||Wildly expensive|
|instra.com||Yes||Yes||No||Unknown||Need to sign up to see pricing||Can't find any 2FA info.||No pricing transparency, no thanks|
|publicdomainregistry.com||Yes||Yes||No||$10 (must be USD)||Wholesale only||Can't find any 2FA info. Moot anyway||They're a wholesaler only, don't offer retail domains.|
|Free Parking NZ||Yes||Yes||Yes||47.95 NZD||https://secure.freeparking.co.nz/order/index/D/fpD/?domain=asdfasdf.co.nz||https://www.freeparking.co.nz/two-factor-authentication||Quite pricey. But good to see them supporting Google Authenticator|
|ai.net.nz||Yes||Yes||No||36 NZD||https://www.ai.net.nz/domain-names||Can't find any 2FA info|
|voyager.net.nz||Yes||Yes||No||N/A||They just redirect to 1stdomains: https://voyager.nz/business/domains||Can't find any 2FA info||They just redirect to 1stdomains|
|openhost.net.nz||Yes||Yes||No||39.95 NZD||https://openhost.net.nz/store/index.php?NAME_PATH=DOMAINS_PATH&SCREEN=DOMAINSEXTENSION_SCREEN&dialog=newLists||Can't find any 2FA info.|
|inspire.net.nz||Yes||Yes||No||45 NZD||https://www.inspire.net.nz/services/domains.html||Can't find any 2FA info.|
|godomains.co.nz||Yes||Yes||No||24.99 NZD||http://www.godomains.co.nz/domain-names/search/?domain=asdfasdf.co.nz||Can't find any 2FA info.||Their header logo 404s. Doesn't inspire confidence.
I emailed them on their contact email and got "Your message wasn't delivered to firstname.lastname@example.org because the domain godomains.co.nz couldn't be found. Check for typos or unnecessary spaces and try again."|
|tppinternet.co.nz||Yes||Yes||No||Can't find any 2FA info||Their site doesn't load|
|nownz.co.nz||Yes||Yes||No||Can't find a pricing page||Can't find any 2FA info|
|ourschool.co.nz||Yes||Yes||No||Can't find any 2FA info||Focussed on schools|
|websitebuilder.nz||Yes||Yes||No||Can't find any 2FA info|
|crazydomains.co.nz||Yes||Yes||Yes||31 NZD||https://www.crazydomains.co.nz/domain-names/search/?token=001d1df9de0e618df713cb113e454bff&domain=asdfasdf.co.nz||https://www.crazydomains.co.nz/help/how-to-enable-or-disable-two-step-verification-system/||Doc search is broken, had to hack the URL on the Australian site to get it to show me the .co.nz 2FA stuff. Doesn't inspire confidence.|
|domains4less.co.nz||Yes||Yes||No||24.95 NZD||https://secure.domains4less.co.nz/order/index/D/d4lD/?domain=asdfasdf.co.nz||Can't find any 2FA info|
|sitename.co.nz||Yes||Yes||No||29 NZD + GST||https://www.sitename.co.nz/register||Can't find any 2FA info|
|webconnect.nz||Yes||Yes||No||32 NZD||https://www.webconnect.nz/cart.php?a=add&domain=register||Can't find any 2FA info||Regional provider for Hawke's Bay|
|iserve.nz||Yes||Yes||No||20 NZD + GST||https://iserve.nz/||Can't find any 2FA info||Owned by VOCUS. Site looks lo-fi.|
|netvalue.nz||Yes||Yes||No||50 NZD||https://www.netvalue.nz/domain-name-pricing||Can't find any 2FA info||Hamilton. Open source consultants. Doing domains on the side|
|www.godzone.net.nz||Yes||Yes||No||24 NZD||https://www.godzone.net.nz/||Can't find any 2FA info||wow this is a really old website design|
|domainagent.co.nz||Yes||Yes||No||wholesale only||http://www.domainagent.co.nz/||Can't find any 2FA info||wholesale only|
|webaddress.co.nz||Yes||Yes||No||wholesale only||http://www.webaddress.co.nz/||Can't find any 2FA info||wholesale only|
Edit, June 2020: I missed https://www.onlydomains.com/, who have two-factor-auth, and sell worldwide (so might have the economy of scale to have a good security team) and are based out of Hawkes Bay!
Edit: April 2021: Apparently 1stDomains has had 2FA since August 2019, but it wasn't publicised. I've updated the table above.
I think I'll go with Gandi. They're a huge international operator with a long history and a big enough dev team to support an API, they probably also
Runner-up prize would go to Metaname. They were the first in NZ to do 2FA (as early as 2013!), and I tried their site, but it was very lo-fi, hard to use, and I found a few bugs, particularly with importing zones, and when I emailed them about this, I got good support (in that they reached into my domain and fixed the problem) but they didn't fix the underlying bug that caused me to get into a bad state in the first place. I don't want to have to contact them every time I get into a bad state. Sorry Metaname!
A lot of people recommend iwantmyname.co.nz as a NZ-based operator that's clued up, but their support pages are currently all broken, all redirecting to the same blog post from 2014, and that doesn't inspire confidence.
crazydomains.co.nz has reasonable prices, but their site search is broken, which doesn't inspire confidence. And they're part of an international outfit (crazydomains.com.au looks exactly the same) which increases the chance that they'll be big enough to support a security team.
freeparking.co.nz is probably fine but is quite expensive.
It's a real shame, but I think operators that only serve the NZ market are unlikely to have enough economy of scale to support a security team. There would be ways around this — contracting with some of the excellent security companies in NZ might be an alternative?
Discuss this post on: