Domains could be rapidly transferred out in the event of account compromise (without email compromise)


So basically, even though I use a secure, unique password along with FIDO2-only 2FA, it makes me a bit nervous that anybody who manages to compromise a Cloudflare account could transfer its domains away very quickly and without breaking into anything else (e.g. the registrant’s email account).

Domain hijacking is, of course, extremely serious and once it happens, it’s generally very hard to get your domain back. Most registrars have a transfer process that prevents rapid transfers via registrar account access only, such as sending auth codes via email and/or not allowing users to override the 5-day waiting period.

I understand that Cloudflare offers incredible registrar security for Enterprise accounts, but I am just an individual and cannot afford a Business account let alone an Enterprise account. I would love to have the option to be able to purchase registry locking separately regardless of plan, but if that is not realistic, just some way to prevent rapid outbound transfers with only account access would be greatly appreciated.

Thank you for your time.