[ARIN-consult] ACSP Consultation: Advanced Security Features for ARIN Online
Adam Thompson
athompso at athompso.net
Thu Apr 16 13:16:28 EDT 2020
On 2020-04-16 11:25, Michael Richardson wrote:
> > * Requiring the use of Two-factor Authentication (2FA) on all
> > accounts, or allowing Admin Points of Contact (POCs) to control
> > permissions on access to their Organization Records to only allow access
> > from associated POCs who have 2FA on their user accounts
>
> I think start with "allowing", even "encouraging"
> Maybe even "encouraging" by eventually charging a premium if you don't
> have it.
> Also, it would be good to mark PoCs that do not have it in a public way, so
> that one can know that the POC might not be compromised more easily.
I'm OK with "encourage", but not "require". There are still WAY too
many orgs (and individuals) for whom 2FA is either impossible, or a
disaster in the making. Heck, I've managed to permanently lock myself
out of nearly every 2FA-enabled account I've ever had, and I'm not
clueless - I'm just a klutz with phones, dropping them in ways that
manage to circumvent even OtterBox-level protection.
Remember: everyone's threat model is different. One of my
historically-validated top risks is damaging or losing the 2FA token.
-Adam Thompson
athompso at athompso.net