Internet infrastructure providers like domain registrars really need to implement an equivalent to landing.google.com/advancedprotec.
Supporting U2F/FIDO2 isn't enough. It needs to be possible to disable the account recovery backdoors. Customer support is too easily tricked by attackers.
support.cloudflare.com/hc/en-us/artic glosses over this topic. Doubt that the need to prove access to the origin server is a technical restriction on customer support rather than something they are *supposed* to require. Really need a way to opt in to draconian restrictions / review for this.
