[ARIN-consult] ACSP Consultation: Advanced Security Features for ARIN Online

John Comfort john at comfortconsulting.com
Thu Apr 16 12:52:16 EDT 2020


Implementation of 2FA/MFA should fully support multiple authenticator
manufacturers (Google, MS, RSA, DUO, etc.).

On Thu, Apr 16, 2020 at 9:25 AM Michael Richardson <mcr at sandelman.ca> wrote:

>
> ARIN <info at arin.net> wrote:
>     > These suggestions include:
>
>     >    * 2017.1: Two-factor functionality improvement:
>     > https://www.arin.net/participate/community/acsp/suggestions/2017-1/
>
> I would find "remember this browser for 30" useful.
> I would like to know which browsers have this enabled, and be able to
> clear it.
>
>     >    * 2018.22: Align ARIN password policy with current NIST SP800-63
>     > recommendations:
>     > https://www.arin.net/participate/community/acsp/suggestions/2018-22/
>
> YES, YES, YES! PLEASE.
>
>     >     * 2019.14: Implement FIDO2 (WebAuthn) for ARIN Online:
>     > https://www.arin.net/participate/community/acsp/suggestions/2019-14/
>
> This is a very good idea.  Please go in this direction.
>
>     > Based on this community input as well as suggestions received through
>     > other channels, we are opening a consultation to solicit feedback on a
>     > number of potential security improvements that are under consideration.
>     > We are specifically interested in your thoughts on a number of specific
>     > suggestions, listed below:
>
>     >    * ARIN uses challenge questions to verify users who are seeking to
>     > restore access to their ARIN Online user account and to complete other
>     > actions. It has been suggested that we eliminate the use of challenge
>     > questions for customer account verification in favor of other security
>     > measures.
>
> I'm unclear what the other security measures would be.
>
>     >    * Utilizing a personal passcode and/or SMS push codes to a mobile
>     > device for password resets and other account actions
>
> I'm unclear if this is intended to be one of them?
> I'm unclear if a personal passcode is something that would be in cleartext in
> the database, like the idiots at the banks do.
>
>     >    * Requiring the use of Two-factor Authentication (2FA) on all
>     > accounts, or allowing Admin Points of Contact (POCs) to control
>     > permissions on access to their Organization Records to only allow access
>     > from associated POCs who have 2FA on their user accounts
>
> I think start with "allowing", even "encouraging".
> Maybe even "encouraging" by eventually charging a premium if you don't
> have it.
> Also, it would be good to mark POCs that do not have it in a public way, so
> that one can know that the POC might not be compromised more easily.
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>
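Two of the points quoted above are implementation questions rather than policy: how a "remember this browser" grant should be recorded so the user can see which browsers hold it and clear them, and that a personal passcode must not sit in cleartext in the database. The Python sketch below is an added example for this page, not ARIN's code and not anything posted in the thread. The 30-day lifetime, the PBKDF2 cost factor, the token size and the browser labels are assumptions chosen for illustration.

```python
"""Account-security helpers for two points raised in the thread:
a hashed personal passcode (never stored in cleartext) and a
"remember this browser" list the user can inspect and clear.
Added example with assumed parameters; not ARIN's implementation."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

# Assumed parameters for this example (not values from the thread).
PBKDF2_ITERATIONS = 310_000        # cost factor; raise as hardware improves
REMEMBER_SECONDS = 30 * 24 * 3600  # "remember this browser for 30 days"


def hash_passcode(passcode: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage. The passcode itself is never stored,
    so a database dump does not reveal it; an attacker must brute-force PBKDF2."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_passcode(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_passcode(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


class RememberedBrowsers:
    """Server-side record of browsers allowed to skip the second factor.

    The browser keeps a random token in a cookie; the server keeps only the
    token's SHA-256, a human-readable label and an expiry, so the user can see
    which browsers are trusted and revoke any of them, and a leaked table does
    not contain usable tokens."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                       # injectable clock for testing
        self._entries: Dict[str, dict] = {}   # sha256(token) -> record

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def remember(self, label: str) -> str:
        """Trust the current browser; return the token to set as a cookie."""
        token = secrets.token_urlsafe(32)
        created = self._now()
        self._entries[self._key(token)] = {
            "label": label, "created": created, "expires": created + REMEMBER_SECONDS}
        return token

    def _purge_expired(self) -> None:
        now = self._now()
        for key in [k for k, e in self._entries.items() if e["expires"] <= now]:
            del self._entries[key]

    def is_trusted(self, token: str) -> bool:
        """True if the cookie token matches an unexpired record."""
        self._purge_expired()
        return self._key(token) in self._entries

    def list_browsers(self) -> List[dict]:
        """What the user sees: label and expiry, never the token or its hash."""
        self._purge_expired()
        return [{"label": e["label"], "expires": e["expires"]}
                for e in sorted(self._entries.values(), key=lambda e: e["created"])]

    def forget(self, label: str) -> int:
        """Revoke every trusted browser carrying this label; return how many."""
        keys = [k for k, e in self._entries.items() if e["label"] == label]
        for key in keys:
            del self._entries[key]
        return len(keys)

    def forget_all(self) -> None:
        """'Clear all remembered browsers', e.g. after a password reset."""
        self._entries.clear()
```

The two halves share one design rule: the database holds only a salted, slow hash of the passcode and only a fast hash of each browser token, so neither table is directly usable if it leaks. The clock is injected so expiry behaviour can be exercised without waiting 30 days.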