[ARIN-consult] ACSP Consultation: Advanced Security Features for ARIN Online
ARIN
info at arin.net
Thu Apr 16 10:40:51 EDT 2020
Security for ARIN Online accounts as it exists today is described on our
website, and includes optional Two-factor Authentication, API keys, and
Pretty Good Privacy (PGP) Authentication. More information about these
security features can be found at:
https://www.arin.net/reference/materials/security/
Over the last several years, we have received multiple ARIN Consultation
and Suggestion Process (ACSP) requests and fielded many customer
suggestions about ways ARIN might improve security for our online
customer accounts.
These suggestions include:
* 2017.1: Two-factor functionality improvement:
https://www.arin.net/participate/community/acsp/suggestions/2017-1/
* 2018.22: Align ARIN password policy with current NIST SP800-63
recommendations:
https://www.arin.net/participate/community/acsp/suggestions/2018-22/
* 2019.14: Implement FIDO2 (WebAuthn) for ARIN Online:
https://www.arin.net/participate/community/acsp/suggestions/2019-14/
Based on this community input as well as suggestions received through
other channels, we are opening a consultation to solicit feedback on a
number of potential security improvements that are under consideration.
We are particularly interested in your thoughts on the specific
suggestions listed below:
* ARIN uses challenge questions to verify users who are seeking to
restore access to their ARIN Online user account and to complete other
actions. It has been suggested that we eliminate the use of challenge
questions for customer account verification in favor of other security
measures.
* Utilizing a personal passcode and/or SMS push codes to a mobile
device for password resets and other account actions.
* Changing password length and entry requirements to better align
with NIST SP800-63 recommendations.
* Requiring the use of Two-factor Authentication (2FA) on all
accounts, or allowing Admin Points of Contact (POCs) to control
permissions on access to their Organization Records to only allow access
from associated POCs who have 2FA on their user accounts.
The feedback you provide during this consultation will help inform how
we move forward with improvements to the security of ARIN Online and
customer account access. We are also interested in hearing about other
ideas to improve the security of ARIN Online interactions that are not
listed above. Thank you for your participation in the ARIN Consultation
and Suggestion Process.
Please provide comments to arin-consult at arin.net. You can subscribe to
this mailing list at:
http://lists.arin.net/mailman/listinfo/arin-consult
This consultation will remain open through 5:00 PM ET on Friday, 15 May
2020.
Regards,
The American Registry for Internet Numbers (ARIN)