I own several domains, one of which I use for my primary email address. A while ago I read Naoki Hiroshima's account of being held to ransom due to someone taking over the domain he used for his primary email address. At the time I contacted my registrars to ask what security measures they had in place to make sure this wouldn't happen to me (not that I think I have much of value to steal). Their replies didn't fill me with confidence. More recently I read of a registrar that can enforce two step authentication on accounts, Gandi.net. I decided to take the plunge and initiated the transfer of my two .co.uk domains (free), three .com domains (£8.63 each) and one .it domain (£9.20) to Gandi.net.
The .co.uk domains transferred very quickly, apparently without issue, however I noticed that the "owners" of the two domains were two different accounts to the one I was currently logged in as. Upon contacting Gandi they told me that because my details were slightly different for each of the two domains and for the administrative/technical contacts three accounts had been created. I could have used the two owner accounts and ditched the admin/tech account, but that was the account that I had also requested the .it and .com domains be transferred to. Gandi told me that to transfer the domains between accounts I would effectively be changing the owner of the domain. So I initiated the process to transfer the two domains to my main account, which would apparently cost me £4.60 per domain, not too expensive, and hopefully they'd be renewed in the process. But after following their instructions I was further notified that I would need to initiate the transfer with Nominet and pay them a further fee of £12 per domain. Considering I wasn't even transferring the domains between people I felt this was getting a bit ridiculous and gave up.
After three days I was notified that there had been an error transferring the .it domain. Gandi's wiki said that the error message meant that my previous registrar had blocked the transfer, so I contacted Livetodot. Livetodot said that the domain had been successfully transferred away from them and pointed out that the whois record even specifically said so. So I went back to Gandi. Another day later I got an email confirmation from Gandi saying that the domain transfer was complete, but gave no explanation as to what had gone wrong. During this period DNS had been failing on my domain for at least three days. It was at this point that I realised how stupid it was to use my primary email address on the domain that my primary email address uses, and I started to get nervous. While the .it transfer had now been successful, the domain owner apparently didn't exactly match any of my three Gandi accounts and so a fourth account had been created and marked as owner.
Luckily my three .com domains, including my primary email domain, eventually transferred without incident, and with the original Gandi account as the owner. I can now use this account as a central account to administer all of my domains as it is at least the technical contact for all my accounts. However I now have another issue besides the four accounts. As I said above I think it's stupid to have the contact email address of a domain using that same domain, so I would like to change the email address on just that domain. However Gandi's system doesn't seem to allow for that, only allowing one account to have one email address, so to change the email address for one of my .com domains I have to change it for all the domains owned by that account.
All in all I don't think I can recommend Gandi.net. Their system seems to be based on the incorrect assumption that each account is a different entity and each entity will only have one email address. I also wonder if other registrars (and why Gandi doesn't) just recognise an email address as a unique identifier and not worry if other details are slightly different.
Having done a bit more research there are other registrars that can do two step authentication, including Hover and EuroDNS. Reading Naoki Hiroshima's post again I notice that the hacker actually recommended NameCheap and eNom as secure registrars, although that information is a bit dated now and besides, I'm not sure if we should trust a hacker.
UPDATE: When I was initially thinking of going through with transferring the .co.uk domains to a single account I created an account with Nominet and I seem to remember being able to see both of my domains, but now I can only see one. Nominet and Gandi both say that this is because the two domains have different email addresses on the owner contact, but in the Gandi control panel they both look the same to me.
UPDATE II: After getting pretty much nowhere with their support I emailed their batline, nobullshit(at)gandi.net. Coincidentally or not the very same day their support agreed to transfer my .co.uk domains to my central account, if I were to change my email address at Nominet. Nominet let you change your email address without any sort of confirmation with the old email address or the new email address, something that I pointed out to them was likely to get domains lost or stolen. A week later my domains still haven't been transferred. I also got a direct reply from Gandi's COO and "Chief Evangelist". Unfortunately this email confirms that their "no bullshit" tag line is just that, bullshit.