[ARIN-consult] Consultation on Password Security for ARIN Online Accounts
Chris Woodfield
chris at semihuman.com
Tue Feb 16 17:38:23 EST 2021
That’s true *if* the email link password reset flow also disables an already-registered second factor - which would be an extraordinarily bad idea. In my experience, disabling the second factor (in my case, due to a hardware failure on the phone running my 2FA app) is not something companies are willing to do without extreme vetting - AWS, for example, required a notarized, snail-mailed form to consider it. Some companies won’t do it at all, which is why I now have two different Github accounts :/
If it *is* the case that email-based password reset for ARIN Online bypasses a registered 2FA on the account, please fix ASAP.
Thanks,
-Chris
> On Feb 16, 2021, at 2:28 PM, William Herrin <bill at herrin.us> wrote:
>
> On Tue, Feb 16, 2021 at 1:58 PM Matt Harris <matt at netfire.net> wrote:
>> Yepp, as you can see, the system for supporting it already exists and some (perhaps many?) of us are already taking advantage of it. So the next step would be to push it as a requirement for accounts which control resources such as IPv4, IPv6, and AS numbers in order to entirely prevent the brute-force attacks which were the original onus for this discussion.
>
>
> Hi Matt,
>
> I don't know the current state of ARIN's account recovery process but
> unless ARIN first gets religion for it, there's not much point in
> forcing 2FA in the primary authentication path. "Click this email link
> to reset your password" is single-factor and not even strong
> single-factor.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin
> bill at herrin.us
> https://bill.herrin.us/
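The design point both messages above turn on is that an emailed reset link must only let its holder choose a new password, never clear an enrolled second factor. The following is an added illustration, not code from the thread or from ARIN: a minimal account model with an RFC 6238 TOTP check, a single-use, short-lived reset token, and a login routine that keeps demanding the second factor after a reset. The account name, the base32 secret, the timestamp and the PBKDF2 parameters are constructed for the example.

```python
"""Added example (not part of the ARIN-consult thread): an email-link password
reset that does NOT weaken an enrolled second factor. The reset token only
lets the holder set a new password; the TOTP secret stays enrolled and login
still requires the code. Names, secrets and timestamps are constructed."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


class Account:
    def __init__(self, email, password, totp_secret=None):
        self.email = email
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password, self.salt)
        self.totp_secret = totp_secret   # base32 string, or None if not enrolled
        self.reset_tokens = {}           # token -> expiry (unix seconds)

    @staticmethod
    def _hash(password, salt):
        # Iteration count is illustrative; tune to your hardware budget.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password):
        return hmac.compare_digest(self.pw_hash, self._hash(password, self.salt))


def totp(secret_b32, for_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, as common authenticator apps compute it."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def login(acct, password, otp=None, now=None):
    """Once a second factor is enrolled, both factors are required, always."""
    now = time.time() if now is None else now
    if not acct.check_password(password):
        return False
    if acct.totp_secret is None:
        return True
    if otp is None:
        return False
    return hmac.compare_digest(otp, totp(acct.totp_secret, now))


def issue_reset_token(acct, now=None, ttl=900):
    """What the emailed link would carry: random, single-use, short-lived."""
    now = time.time() if now is None else now
    tok = secrets.token_urlsafe(32)
    acct.reset_tokens[tok] = now + ttl
    return tok


def reset_password(acct, token, new_password, now=None):
    """Redeem the link: changes the password only, second factor untouched."""
    now = time.time() if now is None else now
    expiry = acct.reset_tokens.pop(token, None)   # pop makes the token single-use
    if expiry is None or now > expiry:
        return False
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = acct._hash(new_password, acct.salt)
    return True


def demo():
    T = 1_613_500_000  # constructed fixed timestamp so the TOTP code is deterministic
    acct = Account("user@example.test", "old-passphrase", totp_secret="JBSWY3DPEHPK3PXP")
    code = totp(acct.totp_secret, T)
    r = {}
    r["before_reset_pw_only"] = login(acct, "old-passphrase", now=T)
    r["before_reset_both"] = login(acct, "old-passphrase", code, now=T)
    tok = issue_reset_token(acct, now=T)
    r["reset_ok"] = reset_password(acct, tok, "new-passphrase", now=T + 60)
    r["token_reused"] = reset_password(acct, tok, "x", now=T + 61)
    r["after_reset_pw_only"] = login(acct, "new-passphrase", now=T)
    r["after_reset_both"] = login(acct, "new-passphrase", code, now=T)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The thing to check in any real recovery flow is the last two lines of `demo()`: after the link is redeemed, a password alone still fails and the previously enrolled TOTP code still works. A flow in which `reset_password` also set `totp_secret` to `None` would be exactly the bypass the messages above warn about.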