What is Registrar Lock?
Registrar Lock (also called Client Transfer Prohibited) is a domain status setting that prevents unauthorized transfers by requiring the domain owner to explicitly unlock the domain before any transfer request can proceed.
How Registrar Lock Works
Transfer with Lock Enabled:
1. Attacker requests transfer
└── Gaining registrar sends transfer request
2. Request reaches losing registrar
└── System checks domain status: clientTransferProhibited
3. Transfer automatically denied
└── Lock prevents processing without owner action
Transfer After Unlock:
1. Owner logs into registrar account
2. Owner unlocks domain
3. Owner obtains auth/EPP code
4. New registrar initiates transfer
5. Owner approves transfer request
6. Domain transfers successfully
Domain Status Codes
| Status Code | Level | Effect |
|---|---|---|
| clientTransferProhibited | Registrar | Blocks transfer requests |
| clientDeleteProhibited | Registrar | Prevents domain deletion |
| clientUpdateProhibited | Registrar | Blocks contact/NS changes |
| serverTransferProhibited | Registry | Registry-level transfer block |
Lock vs Unlock Comparison
| State | Transfer Allowed | Auth Code Works | Risk Level |
|---|---|---|---|
| Locked | No | No effect until unlocked | Low |
| Unlocked | Yes (with auth code) | Yes | Higher |
Security Benefits
1. Hijacking prevention: Social engineering attacks fail without account access
2. Accidental transfer protection: Prevents unintended transfer initiations
3. Time buffer: Provides window to detect unauthorized access attempts
4. Multi-factor security: Requires both unlock AND auth code
Registrar Lock vs Registry Lock
| Feature | Registrar Lock | Registry Lock |
|---|---|---|
| Control level | Registrar | Registry |
| Cost | Usually free | Premium service |
| Unlock method | Self-service | Manual verification |
| Protection level | Standard | Enhanced |
Best Practices
1. Keep locked by default: Only unlock for intentional transfers
2. Enable notifications: Get alerts for status changes
3. Secure account access: Use 2FA on registrar account
4. Re-lock after changes: Return to locked state promptly
5. Verify lock status: Periodically check via WHOIS
Checking Lock Status
whois example.com | grep -i status
# Output showing locked domain:
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Domain Status: clientUpdateProhibited
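The periodic check from the best practices above can be scripted. The following is an added example, not part of the original page: it reads WHOIS text on stdin and lists which of the three registrar-level statuses from the table are missing. The function names and both sample records are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit registrar-level lock statuses in WHOIS output.

# Statuses from the Domain Status Codes table that a locked domain carries.
REQUIRED_LOCKS="clientTransferProhibited clientDeleteProhibited clientUpdateProhibited"

# Constructed sample WHOIS excerpts (not real records).
SAMPLE_LOCKED='Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited'
SAMPLE_UNLOCKED='Domain Name: EXAMPLE.COM
   domain status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
   Domain Status: clientUpdateProhibited'

# Read WHOIS text on stdin; print one status token per line.
# WHOIS often appends a URL after the status, so only the first
# word after the colon is kept.
domain_statuses() {
  grep -i '^[[:space:]]*domain status:' |
    sed 's/^[^:]*:[[:space:]]*//' |
    awk '{ print $1 }' | sort -u
}

# Read WHOIS text on stdin; print each required lock that is absent.
# Returns 0 when every lock is present, 1 otherwise.
missing_locks() {
  local present lock missing=""
  present=$(domain_statuses)
  for lock in $REQUIRED_LOCKS; do
    # Whole-line, case-insensitive, literal match against the parsed tokens.
    if ! printf '%s\n' "$present" | grep -qixF "$lock"; then
      missing="$missing $lock"
    fi
  done
  [ -z "$missing" ] && return 0
  printf '%s\n' $missing   # unquoted on purpose: one status per line
  return 1
}

# Demo on the constructed unlocked sample; for a live domain use:
#   whois example.com | missing_locks
printf '%s\n' "$SAMPLE_UNLOCKED" | missing_locks || true
```

A non-zero exit status makes the function usable in a cron job or monitoring check that alerts when a domain has been left unlocked.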
Registrar Lock is a fundamental security measure that should be enabled on all domains except during intentional transfers.