Hover Blog > Insight > Hover’s Security Best Practices
  • Thanks for addressing this issue—although I’m left wondering why this took so long to get to the top of the to-do list. Moreover, it’s been disheartening watching the forum thread on the topic go ignored for so long. Regardless, this will probably be enough to keep me on board as a customer, since in general I do like Hover quite a lot.

    One question remains: Are you planning on implementing two-factor authentication for email accounts as well?

    • Priorities are always tough to manage, and there’s a lot that goes into determining what gets done next. That said, we’ve been working out the implementation for quite some time and that work having already been done is what allowed us to move very quickly to get it in place for you.

  • Tracy Rotton

    This is great news! Thank you for being responsive to your customers’ concerns. Another great reason to use Hover!

  • Robin Kearney

    Would any of these recommendations have prevented the @n hack?

    Any word on 2fa and what mechanisms do you have in place to prevent social engineering like that used against GoDaddy?

  • While I wish that this exploitation didn’t happen to Naoki Hiroshima,
    I am glad that his publicising of the event has helped push two-factor
    authentication and improvement of identity confirmation to higher

    Thanks for the update. I look forward to enabling two-factor on my account soon.

  • Agree with Trevor – it’s disappointing this took so long to get to the top of the list, but I’m glad it’s happening. I would also suggest thinking through password resets (https://www.hover.com/signin/forgot_password) – if someone compromised the email address I use here, they could reset my password, and then they could compromise every domain I have here (including email on those domains).

  • Hover, you are awesome. This really puts my mind at rest.

  • Thanks for addressing this. I look forward to the solution.

  • Jeff

    Please use Google Authenticator, please use Google Authenticator….
    Thank you Hover for addressing this issue. You guys rock!

    • We’re starting with an SMS based approach. Google Authenticator is something we’re thinking about adding based on demand.

      I’m assuming we can put you down as a “+1” for that. :)

      • Francisco Javier

        I was ready to leave for a competitor that already has two step verification ready. I’ll wait for you guys to release your improved auth mechanism but you must support all foreign cellular carriers. I’m a Mexican customer who uses Movistar, so if you don’t support it then I’ll have to leave. I really think Google Auth should have the way to go anyway.

        • We’ll be able to support Movistar with SMS.

          • Francisco Javier

            That’s music for my ears, thanks!

      • SMS based 2 factor, unfortunately, isn’t secure enough. SMS’s can be intercepted, and in today’s modern world, increasingly are. There have been high profile thefts of bank information and similar using intercepted SMS messages, mostly through compromised phones.

        Using a mathematical approach, like Google Authenticator does, is the only real way to ensure security. It doesn’t require “Google”, or indeed any form of network communication whatsoever.

        So, if SMS based 2FA is all you’re adding, then I’ll have to start recommending that people with actual security needs look elsewhere.

        • Thanks for the feedback.

          I’m guessing we should put you down as another “+1” for using a TOTP authenticator. :)

          SMS gives us a good starting point and allows people without smartphones to participate.

          I’m sure we’ll keep evolving our approach and as I said, the feedback is appreciated.

          • +1, +1 million, whatever it takes. The bottom line is that the lack of security is stark nowadays, and without something like TOTP or similar, a service as important as domain registration can no longer be considered seriously.

            If this takes as long as 2-3 months from now, then I’ll have already switched to another provider. Nothing personal. I like you guys. But security is increasingly important, and for this, real security matters. Fake SMS trickery won’t cut the mustard.

          • So, 4 months later, I’m checking back, and sure enough, you’ve added Google Authenticator support. Way to go, guys! Enabled it and stored my recovery code securely.

            Very glad I don’t have to search for a new provider. Keep up the good work!

  • GF-REX

    Thank you, Hover! Put my mind at ease.

  • Rob

    If you want to say you take security seriously, you should implement https redirects on all http webmail addresses. I suspect there are too many Hover webmail customers who don’t even realize they are giving away their username and password in clear text. Strong passwords don’t matter when an attacker can easily intercept them.

  • Iskie

    There may be a drawback to WHOIS Privacy. Those of us who are spammed often want to check who is sending it. WHOIS Privacy will protect the spammers’ privacy too.

  • Roseline

    I tried to purchase a mailbox, but when I entered my credit card info it goes to some internal problems and transaction was unsuccessful, Hover will be back soon. What happens to my purchase now that kept me left hanging? Should I do it all over again? Is there any security that I did not purchase same mailbox address over and over again? Please help me with this!