EPP Changes and TAC Codes: Transfer Friction and Fraud
- by Staff
The process of transferring domain names between registrars has always been one of the more sensitive areas of the domain industry. Transfers are where security, ownership rights, and marketplace liquidity intersect, and any friction or vulnerability in this process has ripple effects across the entire ecosystem. The Extensible Provisioning Protocol, or EPP, has been the backbone of registrar-registry communication for years, and its mechanisms for handling authorization codes—historically known as AuthInfo or EPP codes—have long been central to how transfers are authorized. Recent changes, however, including the adoption of Transfer Authorization Codes (TACs) and the adjustments mandated by ICANN’s Transfer Policy updates, are introducing new dynamics. These changes are designed to reduce fraud and increase clarity, but they are also altering the balance between ease of transfer and security, creating both opportunities and disruptions for registrants, registrars, and investors who depend on smooth domain mobility.
The legacy system revolved around AuthInfo codes, essentially passwords that authenticated the transfer of a domain from one registrar to another. While effective in principle, this system was not without flaws. Codes were sometimes static, long-lived, or not easily retrievable, leading to confusion and frustration for registrants. In other cases, they were mishandled or leaked, opening the door to unauthorized transfers. The lack of uniformity across registrars in how codes were generated, delivered, and validated created an inconsistent experience for users and sometimes exploitable gaps for bad actors. For high-value domains, these weaknesses translated into significant risk, as a stolen or misused code could result in a loss of control over a multimillion-dollar digital asset.
The shift to TAC codes represents an attempt to standardize and strengthen this process. Under the updated policy framework, TACs are intended to be unique, time-limited credentials generated for specific transfer requests. Rather than existing indefinitely, as many AuthInfo codes effectively did, TACs expire after a defined window, minimizing the risk of reuse or interception. They are also designed to be retrievable in a consistent, predictable way across registrars, improving the user experience. By tightening the lifecycle of these codes, the industry aims to strike a balance between reducing fraud and preserving the portability of domains, which is critical for competition and investor liquidity.
However, these changes are not without their own sources of friction. For registrants, especially those managing large portfolios, the shift to time-sensitive TACs introduces new operational challenges. Bulk transfers, already a complex undertaking, now require more careful coordination to ensure that all codes are valid and used within their windows. Investors accustomed to maintaining ready-to-go EPP codes for quick moves between registrars now face more planning overhead, as TACs must be requested and executed in tighter timelines. This adds administrative burden, particularly for those with thousands of domains spread across multiple registrars. Delays in obtaining or using TACs can disrupt sales, transfers tied to marketplace transactions, or consolidation strategies aimed at optimizing costs and management.
From the registrar’s perspective, implementing the TAC framework requires infrastructure changes and customer support adjustments. Systems must be able to generate, store securely, and deliver TACs reliably while also enforcing expiration rules. This increases technical complexity and demands better security practices internally. Support staff, often the first point of contact for frustrated registrants, must also be trained to explain these changes, which can feel like an unnecessary complication to less experienced users. Registrars that fail to adapt quickly may see increased transfer abandonment, frustrated clients, or even reputational damage if their processes are perceived as too cumbersome or opaque.
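The lifecycle described above (generate a unique code per request, store it securely, enforce expiration) can be sketched in a few lines. This is an added illustration, not code from any registrar or from the policy itself; the `TacStore` class, its method names, and the one-hour window are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

TAC_TTL_SECONDS = 3600  # assumed window; the article only says "a defined window"


class TacStore:
    """Hypothetical registrar-side TAC store: hash at rest, expiry, single use."""

    def __init__(self, ttl=TAC_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested
        self._records = {}           # domain -> (salt, digest, expires_at)

    @staticmethod
    def _digest(salt, tac):
        # The TAC is high-entropy random data, so a salted SHA-256 is enough;
        # a human-chosen secret would need a slow KDF instead.
        return hashlib.sha256(salt + tac.encode()).digest()

    def issue(self, domain):
        """Create a fresh TAC for one transfer request, replacing any old one."""
        tac = secrets.token_urlsafe(24)      # 192 bits from the OS CSPRNG
        salt = secrets.token_bytes(16)
        self._records[domain.lower()] = (
            salt, self._digest(salt, tac), self._clock() + self._ttl)
        return tac                            # shown once, never stored in clear

    def redeem(self, domain, presented):
        """Return True only for an unexpired, matching, not-yet-used TAC."""
        key = domain.lower()
        record = self._records.get(key)
        if record is None:
            return False
        salt, digest, expires_at = record
        if self._clock() >= expires_at:
            del self._records[key]            # expired codes are purged
            return False
        if not hmac.compare_digest(digest, self._digest(salt, presented)):
            return False                      # wrong code; record stays valid
        del self._records[key]                # single use: consume on success
        return True
```

A production system would also rate-limit failed `redeem` attempts and log issuance and redemption events for fraud review, which this sketch leaves out.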
Fraud remains at the center of why these changes are being implemented, and here the stakes are particularly high. Unauthorized transfers—sometimes referred to as domain hijacking—can devastate individuals and businesses. For example, an ecommerce company that suddenly loses control of its primary domain could experience catastrophic revenue loss in just hours. Fraudulent transfers often exploit weaknesses in authentication, social engineering at registrars, or insecure handling of codes. By moving to TACs, which are shorter-lived and generated only for explicit requests, the industry is attempting to close off one of the main avenues for abuse. In theory, even if an attacker gains access to a TAC, its short validity window reduces the chance it can be used successfully.
Yet attackers are adaptive, and new systems often bring new attack surfaces. The reliance on timely communication for TAC delivery means that phishing campaigns targeting registrants are likely to evolve, attempting to trick users into revealing or mishandling codes during the transfer process. Attackers may also target registrar support channels, exploiting confusion about the new system to engineer unauthorized code issuance. The move to TACs may thus reduce some categories of fraud while inadvertently creating new vectors, especially during the transition period when user understanding is low. Registrars must remain vigilant, not just in their technical implementation but also in their customer education and fraud detection systems.
The interplay between transfer friction and marketplace liquidity is another critical dimension. Domain investors, who often move assets between registrars as part of sales or portfolio optimization, depend on smooth transfers to keep deals from collapsing. A buyer who completes payment for a domain expects timely transfer; any delays caused by expired TACs or registrar bottlenecks can sour the transaction. This friction introduces risk for brokers and marketplaces as well, who must manage buyer expectations and maintain trust in their platforms. If the perception grows that transfers are cumbersome or unreliable, it could depress aftermarket activity or drive consolidation of portfolios to registrars perceived as more efficient. In this sense, transfer policy changes, though aimed at security, directly affect the velocity of domain trading.
There is also a broader question of how these changes interact with consolidation trends in the registrar market. Larger registrars with sophisticated systems may adapt more easily to TAC requirements, offering streamlined processes that reduce friction. Smaller registrars, by contrast, may struggle with implementation, creating uneven experiences for registrants. This could incentivize investors and enterprises to consolidate holdings at the biggest players, further concentrating market share and reducing diversity in the registrar ecosystem. While this may simplify life for large portfolio holders, it risks undermining competition, which has long been a central principle of ICANN policy.
The economics of transfer friction should not be underestimated either. For registrars, making transfers more complex can serve as a subtle form of customer retention. Even when unintentional, friction reduces churn by discouraging users from moving domains elsewhere. While TACs are designed to standardize and simplify, poorly implemented processes could inadvertently act as barriers, locking in customers. For investors, these barriers translate into costs—time, support fees, or even lost deals. Over time, such hidden costs add pressure to margins already squeezed by rising renewal fees and marketplace commissions.
Looking ahead, the success of TAC adoption will depend heavily on how well the industry manages education and consistency. If registrants come to see the new system as predictable, secure, and manageable, it may restore confidence in transfers and reduce fraud incidents. But if the system is experienced as confusing, inconsistent across registrars, or prone to errors, it could erode trust in the portability of domains—a cornerstone of the DNS ecosystem. Education campaigns, registrar support readiness, and clear ICANN oversight will all be necessary to ensure that the benefits of TACs outweigh the new frictions they introduce.
Ultimately, EPP changes and the move to TAC codes represent an evolution in the ongoing balancing act between security and usability. Fraud prevention requires stronger safeguards, but every safeguard adds potential friction, and in a market where liquidity and trust drive value, too much friction can be as damaging as fraud itself. Domain investors, registrants, and enterprises must adapt to these changes with new operational habits, while registrars must ensure that implementation prioritizes clarity and efficiency. The domain industry thrives when assets are secure yet portable, and TACs are the latest experiment in walking that fine line. Whether they succeed in reducing fraud without stifling liquidity will determine not just the fate of the transfer process but also the broader trust in domains as reliable, tradable digital assets.