[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

William Herrin bill at herrin.us
Tue Feb 16 17:28:18 EST 2021


On Tue, Feb 16, 2021 at 1:58 PM Matt Harris <matt at netfire.net> wrote:
> Yep, as you can see, the system for supporting it already exists and some (perhaps many?) of us are already taking advantage of it. So the next step would be to push it as a requirement for accounts which control resources such as IPv4, IPv6, and AS numbers in order to entirely prevent the brute-force attacks which were the original onus for this discussion.


Hi Matt,

I don't know the current state of ARIN's account recovery process but
unless ARIN first gets religion for it, there's not much point in
forcing 2FA in the primary authentication path. "Click this email link
to reset your password" is single-factor and not even strong
single-factor.

Regards,
Bill Herrin

-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/

