[arin-announce] Results of Consultation on Expanding 2FA Options in ARIN Online

ARIN info at arin.net
Tue Mar 21 12:02:46 EDT 2023


On 1 November 2022, ARIN announced that we will require two-factor authentication (2FA) on all ARIN Online accounts beginning 1 February 2023. ARIN currently has three options for customers to set up 2FA on their ARIN Online accounts. Following the announcement of the planned enforcement date of 1 February 2023, we received several suggestions for further expansion of our authentication offerings, including:

- Allowing email as an authentication method
- Enabling SMS support for customers who reside outside of the ARIN service region
- Allowing registration of multiple hardware security keys

In January 2023, ARIN conducted Community Consultation 2023.1 (https://www.arin.net/participate/community/acsp/consultations/2023/2023-1/) on expanding the available 2FA options in ARIN Online. The consultation was held for two weeks and received a total of 36 comments. After reviewing the feedback received, we have determined a path forward on each of the three topics.

**Allowing Email as an Authentication Method**
Noting the number of security concerns raised by the community and ARIN’s internal engineering and security departments, ARIN will not be including email as an additional authentication method for ARIN Online.

**Enabling SMS Support For Customers Who Reside Outside of the ARIN Service Region**
Feedback on this topic was mixed; however, in reviewing staff experience since implementation in January, we have had several out-of-region customers inquire about SMS, and staff successfully redirected them to set up 2FA using Time-based One-time Password (TOTP) authentication methods. There have been no instances where customers have been unable to set up 2FA because SMS was unavailable to them. To this date, ARIN is not aware of any instances where a customer has been unable to fully implement 2FA on their ARIN Online account using another authentication method because SMS was unavailable. We will revisit offering SMS outside the ARIN region if we hear from customers who are unable to use the other 2FA methods.

**Allowing Registration of Multiple Hardware Security Keys**
The consultation feedback showed clear support from the community for expanding the number of security keys allowed on an account, and it is within scope for our Engineering department to enable that functionality. However, less than two percent of accounts have registered security keys as an authentication option, and we have placed it on our development roadmap where it is pending prioritization.

ARIN thanks those who provided valuable feedback during this consultation. We rely on this input from our members and community to help steer the organization as we continue our mission in support of the operation and growth of the Internet.

Regards,

John Curran
President and CEO
American Registry for Internet Numbers (ARIN)




More information about the ARIN-announce mailing list