App-based authentication is better than SMS authentication.
Two-factor authentication is a must-have to improve the security of your domain name registrar accounts. Most major domain registrars offer it now. If yours doesn’t, it’s time to change registrars.
There are two main types of two-factor authentication in use today:
1. SMS based. When you enter your username and password you receive a text message with a one-time verification code that you enter in your browser.
2. App based. After you enter your username and password you open an app to get a one-time code.
While most registrars started with an SMS approach, more are offering the app-based approach. You should consider enabling app-based authentication.
SMS authentication has a couple issues. First, they aren’t always reliable since you’re dealing with mobile phone networks. Second, people are starting to crack them.
I recently set up app-based authentication with GoDaddy and prefer it to the text messages I used to receive. The only downside is when you need to authenticate in its app; you need to go back to the authenticator app and remember the code instead of having the SMS pop up over the app.
The most popular two-factor app is Google’s Authenticator app. You can get codes for all of your accounts (GoDaddy, Uniregistry, eNom, etc) on one screen.
I hope that registrars add support for security keys soon, too.
For added security against domain theft, check if your registrar offers added security checks. If you spend enough money with GoDaddy to have an account manager, you can have them call to verify transfers before they leave your account.