In a recent meeting to update the current Registrar Accreditation Agreement (RAA), Registrars and ICANN staff reviewed suggested changes to the RAA which could impact the domain registration process. Law enforcement representatives produced updates to their recommendations with respect to two core issues: data maintenance and WHOIS validation.
What they are trying to accomplish:
“The data provided by domain name registrants will be validated to ensure the registrant is providing correct, complete, and valid data upon domain name registration and subsequent renewals.”
How it will be accomplished:
- “When a prospective registrant submits a registration request, the Registry will send a unique HTML link to the registrant’s email of record or to the email of record of the beneficial registrant.
- The registrant/beneficial registrant must then follow the link, and provide supplementary information that will permit registrar to verify the registrant, including phone number. This process inherently identifies the IP address of the registrant/beneficial registrant.
- Registrar will call or SMS the phone number provided during the registration form.
- In that phone call, Registrar will provide the person with a PIN # (real time) and the applicant will input the PIN# in the designated area in the registration link.
- No domain name will be placed into the zone file and will not resolve until the account e-mail and telephone number have been verified.”
Essentially, law enforcement is urging ICANN to require all Domain Registrars to verify every domain registrant by email and by phone. This is where TeleSign comes in. We have already been verifying phone numbers with many of the largest Domain Registrars around the world. When a registration is submitted, we send an automated call or SMS to the registered phone number with a one-time verification code to prove that the user is available at this working number. This verified number is then stored in the WHOIS database by the Registrar.
Furthermore, once a phone number has been verified, this number can be used as an authentication method in the future. Any time the registrant makes account changes, such as a password reset, the Registrar can send a one-time authentication code to that registered number to confirm that it is truly the original user making these changes and not a fraudster.
Implementing TeleSign Verify is great for both the Registrar and for ICANN. Verifying WHOIS phone numbers upon registration allows Domain Registrars to:
- Fulfill compliance with this potential ICANN regulation
- Record contactable and verified information for all of their customers in case of potential issues with that domain
- Protect account access from compromise
My two cents:
This process can be improved. Law enforcement is suggesting a link sent via email, which is dangerous and can lead to malware and fraud. Many consultants in the industry advise clients not to click on links in emails because of the potential threat. My recommendation is that, during the registration process, the user completes the phone verification step entirely within the Domain Registrar's website. The final step is to send a verification email to the registrant with a code that the user enters back into the Domain Registrar's website. This prevents users from receiving links that are potentially dangerous.
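The flow recommended above, as an added example (not TeleSign's or any registrar's code): one-time codes for phone and email that are entered on the registrar's own site, with expiry, an attempt limit and single use, and the domain held out of the zone until both channels are verified. The class names, the 6-digit code length, `CODE_TTL` and `MAX_ATTEMPTS` are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600      # assumed: seconds a code stays valid
MAX_ATTEMPTS = 5    # assumed: guesses allowed before the code is dead

class Challenge:
    """One-time 6-digit code for one channel (phone or email)."""

    def __init__(self, now=None):
        self.salt = secrets.token_bytes(16)
        self.expires = (time.time() if now is None else now) + CODE_TTL
        self.attempts = 0
        self.digest = None
        self.verified = False

    def _hash(self, code):
        return hashlib.sha256(self.salt + code.encode()).digest()

    def issue(self):
        # CSPRNG digits; keep only a salted hash so the code is not stored in clear
        code = f"{secrets.randbelow(10**6):06d}"
        self.digest = self._hash(code)
        return code  # caller passes this to its SMS/voice or email sender

    def check(self, submitted, now=None):
        now = time.time() if now is None else now
        if self.digest is None or now > self.expires or self.attempts >= MAX_ATTEMPTS:
            return False  # never issued, already used, expired, or locked out
        self.attempts += 1
        if hmac.compare_digest(self._hash(submitted), self.digest):
            self.verified, self.digest = True, None  # single use: replay fails
            return True
        return False

class Registration:
    """Hypothetical registrar-side record: one challenge per channel."""

    def __init__(self, domain, now=None):
        self.domain = domain
        self.phone = Challenge(now)
        self.email = Challenge(now)

    def may_enter_zone(self):
        # The domain is publishable only after BOTH channels are verified
        return self.phone.verified and self.email.verified
```

The attempt limit matters because a 6-digit code has only one million possible values; without it, the code can be guessed by repeated submission.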
To learn more about TeleSign, please visit https://www.telesign.com/industries/hosting-registrars
To learn more about the ICANN RAA negotiations, please visit http://bit.ly/JuxxNV