Domains Help

What is a one-time password?

A one-time password, or OTP, might be used to verify your identity on domains with Domain Protection when completing certain domain actions.

Select a question to see its answer:

What is a one-time password?

A one-time password is a speficic authentication code sent to you when completing certain actions on domains with Domain Protection. This unique code lets us verify your identity and helps protect your domains from unauthorized actions, such as transferring a domain, turning off Domain Privacy, or making DNS edits. Accounts with 2-step verification (2SV) turned on won't get a one-time password for identity verification.

What is identity verification?

Identity verification is an additional security measure we use on domains with Domain Protection added to make sure only authorized users can complete certain domain actions. You may have heard of 2-step verification or multi-factor authentication when logging into different accounts online. Identity verification uses that same concept of a secondary verification method to protect your domains and make sure you're an authorized user in the account. The additional identity verification on your domains helps protect your business and brand from unauthorized or malicious actions.

How does a one-time password work?

When completing certain actions on domains with Domain Protection, you'll be asked to enter a verification code. We'll automatically send a one-time password to the registrant email address on your domain (in some cases, you may need to select Send Password to manually send the one-time password). Enter that code in the verification window to confirm your identity and complete the action on your domain. If you've had 2-step verification (2SV) turned on for at least 24 hours, you won't use a one-time password to complete identity verification.

Back to top

When will I get a one-time password?

You'll receive a one-time password when completing certain domain actions, such as transferring, forwarding or changing nameservers. Remember, if you've had 2-step verification set up for at least 24 hours, you won't use a one-time password for identity verification.

These domain actions are considered high-risk and will prompt for identity verification.

  • Delete a domain
  • Turn off auto-renew
  • Downgrade or remove Domain Protection
  • Turn off Domain Privacy
  • Change domain contact info
    • Only applies when changing the first name, last name, organization or email address of the registrant contact info.
  • Add to CashParking
  • Unlock a domain
  • Export domain list with authorization codes
  • Transfer domain to another registrar (away from GoDaddy)
  • Transfer domain to another GoDaddy account
  • List a domain for sale via List for Sale
  • Change nameservers
  • Add, edit, or delete domain or subdomain forwarding
  • Import DNS zone file
  • Edit custom hostnames

Where will the one-time password be sent?

We'll send the one-time password to the registrant email address listed on your domain name. You can view your domain contact info, including the registrant email address, in your GoDaddy account and make any necessary updates.

Are there any one-time password limitations?

Yes, there are a few limitations when using one-time passwords.

  • Your one-time password is only valid for 60 minutes after it's been requested.
  • A maximum of 5 one-time passwords can be sent in a 7-day period per action, per domain.
    • Example: You changed nameservers on your domain Monday and used a one-time password to complete identity verification. Then you changed nameservers on the same domain 4 more times on Thursday and each time used another one-time password. You'll now be locked out of changing nameservers on that domain until Sunday.
    • Note: You can still complete other actions on this domain and you can complete actions on other domains, too.
  • If you enter an incorrect one-time password 3 times, you'll be locked out of that action on that domain for 24 hours.

Related step

More info