[ARIN-consult] ACSP Consultation: Advanced Security Features for ARIN Online

Gary Buhrmaster gary.buhrmaster at gmail.com
Thu Apr 16 14:05:06 EDT 2020


On Thu, Apr 16, 2020 at 2:42 PM ARIN <info at arin.net> wrote:

> Please provide comments to arin-consult at arin.net.

> These suggestions include: ......

I would prefer if the FIDO2/WebAuthn option be included
in the available options (it is a W3C recommendation, and
seems to be broadly accepted by most of the major players
and implemented by most of the major browser/platform
vendors).  Personally, I look forward to the day I can
just use a security key, or an on-device authenticator,
rather than needing a password manager (even if that day
may be beyond my useful service life).

> Requiring the use of Two-factor Authentication (2FA) on all
> accounts, or allowing Admin Points of Contact (POCs) to control
> permissions on access to their Organization Records to only allow access
> from associated POCs who have 2FA on their user accounts

An org's admin should have the discretion to determine
their org's specific requirements.  There is no one size
that fits all.  That might include the ability for a POC
associated with the account to change a password via
SMS, although if a POC is shared between orgs I can
see some interesting cases and opportunities.

