We recently added a new security feature to all Hover accounts — when logging in, any user who doesn’t already have app- or SMS-based two-step sign-in (aka 2FA) enabled will now be prompted for a code that we send to their account email address(s).
This email-based two-step sign-in isn’t quite as secure as the app-based or SMS-based method, but it’s a significant upgrade from just a username and password.
You’ve probably run into a similar process on some of your other online accounts. Many banks, airlines, streaming services, and other service providers use this kind of email-based 2FA system.
Why we’ve enabled 2FA for all accounts
Simply put, domain names and email are incredibly important, and we want to ensure your account is secure. 2FA is the best way to do that.
We’ve been planning on introducing mandatory 2FA for a while. We introduced email address verification back in mid-2021 as a precursor to rolling out email-based 2FA. Since then, the vast majority of our users have completed the verification process on their account email addresses. This gives us high confidence that nearly all of our active users have access to the email addresses associated with their account.
Enabling 2FA for all users does come with the potential for locking a legitimate user out of their account if they don’t have access to either the account email address or the backup email address, but we think that’s a reasonable trade-off to make given the increased security provided. We also have a recovery process in place for the rare case where this does occur.
Learn more about email-based two-step sign-in.
Additional Security Features
While we’re on the subject of security, we figure it’s a good time to point out some of the security and sign-in features you might not be aware of.
While we do our best to ensure the security of all Hover accounts, you also play an important role in keeping your account safe. Security features are only beneficial if they are enabled, and we encourage all of our customers to take advantage of the features we offer to help you help us keep your domains and email safe. Here they are:
1. App or SMS two-step sign-in (2FA)
We offer two-step sign-in using either SMS or an authenticator app. If you don’t have it enabled on your account, we strongly suggest you enable it even though we’ve added email-based two-step sign-in by default.
We recommend the app-based method, as it’s a bit more secure than SMS. But having either 2FA method enabled ensures you’re protected even if the email account associated with your Hover account is compromised or hacked. Without that “second-factor” authentication code from a text of app, a person with your username and password, and even access to your email account, won’t be able to get into your Hover account.
Here’s how to enable SMS- or app-based two-step sign-in.
2. Sign-in notifications
When we detect a new device accessing your account, we send an email to the account email (and the backup email if you have one set up). This email:
Lets you know that there has been a sign-in to your Hover account
Contains a “panic” button that can be used to quickly lock down your account if the sign-in isn’t you
If you get one of these notifications and it’s not you signing in, you should use that panic feature as soon as possible. It locks your account and boots out any signed-in users, but it won’t impact any of the services in the account. Once locked, our support team can help you get back in (after verifying you are the legitimate account owner and investigating the access).
Here’s how to turn on sign-in notifications.
3. Magic token sign-in
We offer a simpler way to sign in using what we call a “magic token.” You’ll see this option on the sign-in page. As long as you have a verified account email address (most Hover customers do), you can enter it and we’ll then send a token to your account email. It’s a simpler way to sign in and it’s just as secure as using a username and password combination. It even works with accounts that have two-step sign-in enabled, providing that additional layer of account security.
Learn more about Magic Token Sign-In.
4. Primary and backup email
We suggest all users add both a primary and backup account email to their Hover account. If possible, we recommend using email addresses that use different services to help out in situations where your email service might be down.
We also strongly suggest that you don’t use an email address that’s tied to one of the domains in your account, unless you have a backup email that uses a different service.
For users of Hover Email, you can configure one of your custom domain email addresses as the primary and then use a backup from something like Gmail or Yahoo Mail.
Here’s how to update your primary and backup account email addresses.
To Wrap Up
There’s more security going on behind the scenes, but those are the customer-facing features we strongly suggest you take advantage of. It also never hurts to mention the importance of password length (the longer it is, the harder to hack) and not re-using credentials for your various online accounts.
If you have any questions or need help setting up any of these features, get in touch with our support team.
