I want to point out that as a ICANN registrar not a day goes by where some tech person working on behalf of a customer will contact us and request an auth code to transfer out a domain name. Just like that. As if we will send one to anyone that asks. Later when the customer makes the request many times the domain ends up at another registrar in the name of the tech person, isp, web designer etc. who has been told they need to be able to login and make changes. The name subsequently is deleted for non-payment (customer isn't notified and invoice goes to new contact) and they loose control of their domain.