[ARIN-consult] ACSP Consultation: Advanced Security Features for ARIN Online
Michael Richardson
mcr at sandelman.ca
Thu Apr 16 12:25:40 EDT 2020
ARIN <info at arin.net> wrote:
> These suggestions include:
> * 2017.1: Two-factor functionality improvement:
> https://www.arin.net/participate/community/acsp/suggestions/2017-1/
I would find "remember this browser for 30 days" useful.
I would like to know which browsers have this enabled, and be able to clear it.
> * 2018.22: Align ARIN password policy with current NIST SP800-63
> recommendations:
> https://www.arin.net/participate/community/acsp/suggestions/2018-22/
YES, YES, YES! PLEASE.
> * 2019.14: Implement FIDO2 (WebAuthn) for ARIN Online:
> https://www.arin.net/participate/community/acsp/suggestions/2019-14/
This is a very good idea. Please go in this direction.
> Based on this community input as well as suggestions received through
> other channels, we are opening a consultation to solicit feedback on a
> number of potential security improvements that are under consideration.
> We are specifically interested in your thoughts on a number of specific
> suggestions, listed below:
> * ARIN uses challenge questions to verify users who are seeking to
> restore access to their ARIN Online user account and to complete other
> actions. It has been suggested that we eliminate the use of challenge
> questions for customer account verification in favor of other security
> measures.
I'm unclear what the other security measures would be.
> * Utilizing a personal passcode and/or SMS push codes to a mobile
> device for password resets and other account actions
I'm unclear if this is intended to be one of them?
I'm unclear if a personal passcode is something that would be in cleartext in
the database, like the idiots at the banks do.
> * Requiring the use of Two-factor Authentication (2FA) on all
> accounts, or allowing Admin Points of Contact (POCs) to control
> permissions on access to their Organization Records to only allow access
> from associated POCs who have 2FA on their user accounts
I think start with "allowing", even "encouraging"
Maybe even "encouraging" by eventually charging a premium if you don't have it.
Also, it would be good to mark POCs that do not have it in a public way, so
that one can know that the POC might be compromised more easily.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] mcr at sandelman.ca http://www.sandelman.ca/ | ruby on rails [
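Two of the points in the message above, a "remember this browser for 30 days" feature whose entries the user can list and clear, and a personal passcode that must not sit in cleartext in the database, are easy to get wrong in the same way: by storing the secret itself server-side. The following Python is an added example written for this page, not code from ARIN or from the consultation. It stores only a hash of each secret: the passcode through scrypt (a memory-hard KDF; the parameters and the choice of scrypt are my assumptions, not anything ARIN has stated) and each browser token through SHA-256, since the token is already 256 random bits. The `Account`, `TrustedBrowser`, `REMEMBER_DAYS` names and the injectable `now` clock are assumptions made so the block runs offline; in a real deployment the per-user state would live in a database rather than in memory.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

REMEMBER_DAYS = 30          # assumed lifetime of a "remember this browser" grant
_SECONDS_PER_DAY = 86400


@dataclass
class TrustedBrowser:
    """One remembered browser. Only the token hash is kept; the token itself
    lives in the user's cookie, so a database dump cannot replay it."""
    token_hash: bytes
    label: str
    created: float
    expires: float


def _hash_token(token: bytes) -> bytes:
    # The token is 32 uniformly random bytes, so a plain SHA-256 is enough;
    # a slow KDF is only needed for low-entropy secrets such as passcodes.
    return hashlib.sha256(token).digest()


class Account:
    def __init__(self, passcode: str, now=time.time):
        self._now = now                      # injectable clock (assumption, for testing)
        self._salt = os.urandom(16)
        self._passcode_hash = self._kdf(passcode, self._salt)
        self._browsers = {}                  # browser_id -> TrustedBrowser

    @staticmethod
    def _kdf(passcode: str, salt: bytes) -> bytes:
        # scrypt with assumed parameters (16 MiB of memory per guess); the
        # database holds this digest and the salt, never the passcode.
        return hashlib.scrypt(passcode.encode("utf-8"), salt=salt,
                              n=2 ** 14, r=8, p=1, dklen=32)

    def verify_passcode(self, candidate: str) -> bool:
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(self._kdf(candidate, self._salt), self._passcode_hash)

    def remember_browser(self, label: str) -> str:
        """Issue a cookie value 'id:token' for this browser; store only the hash."""
        token = secrets.token_bytes(32)
        browser_id = secrets.token_hex(8)
        now = self._now()
        self._browsers[browser_id] = TrustedBrowser(
            token_hash=_hash_token(token), label=label,
            created=now, expires=now + REMEMBER_DAYS * _SECONDS_PER_DAY)
        return f"{browser_id}:{token.hex()}"

    def is_remembered(self, cookie: str) -> bool:
        """True only for an unexpired grant whose token hash matches."""
        try:
            browser_id, token_hex = cookie.split(":", 1)
            token = bytes.fromhex(token_hex)
        except ValueError:
            return False
        entry = self._browsers.get(browser_id)
        if entry is None:
            return False
        if self._now() >= entry.expires:
            del self._browsers[browser_id]   # expired grant is dropped on first use
            return False
        return hmac.compare_digest(_hash_token(token), entry.token_hash)

    def list_browsers(self):
        """What the user sees on the "which browsers are remembered" page."""
        return [(bid, b.label, b.created, b.expires) for bid, b in self._browsers.items()]

    def forget_browser(self, browser_id: str) -> bool:
        """Clear one remembered browser; returns False if it was not known."""
        return self._browsers.pop(browser_id, None) is not None

    def forget_all_browsers(self) -> int:
        """Clear every remembered browser (e.g. after a password reset)."""
        count = len(self._browsers)
        self._browsers.clear()
        return count


if __name__ == "__main__":
    acct = Account("correct horse battery")          # constructed sample passcode
    cookie = acct.remember_browser("Firefox on laptop")
    print("passcode ok:", acct.verify_passcode("correct horse battery"))
    print("remembered:", acct.is_remembered(cookie))
    print("browsers:", acct.list_browsers())
```

The listing is what lets a user answer "which browsers have this enabled"; the revoke paths (`forget_browser`, `forget_all_browsers`) are what "clear it" needs, and `forget_all_browsers` is the one to call on any credential reset so a remembered browser cannot outlive the password it was tied to.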