[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

William Herrin bill at herrin.us
Tue Feb 16 18:02:31 EST 2021


On Tue, Feb 16, 2021 at 2:38 PM Chris Woodfield <chris at semihuman.com> wrote:
> That’s true *if* the email link password reset flow also disables an already-registered second factor - which would be an extraordinarily bad idea. In my experience, disabling the second factor (in my case, due to a hardware failure on the phone running my 2FA app) is not something companies are willing to do without extreme vetting - AWS, for example, required a notarized, snail-mailed form to consider it. Some companies won’t do it at all, which is why I now have two different Github accounts :/
>
> If it *is* the case that email-based password reset for ARIN Online bypasses a registered 2FA on the account, please fix ASAP.

Hi Chris,

An interesting aside here -

Resetting the 2FA using an email (when you have the password) can be
legitimate. Why? They're the same factor: something you have.

Resetting the password using an email (when you have the 2FA) is
probably not legitimate. Why? Because that reduces your authentication
to a single factor: things you have. Two factor authentication means
you supply something from at least two of three categories: what you
know, what you have, what you are. You -know- a password but you
-have- a cell phone or email account.

But a notarized letter might work... Why? The notary attests to your
identity -- a what-you-are factor.

Regards,
Bill Herrin


-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/
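As an added illustration (not part of the thread), the factor-category reasoning in Bill's message written as a small check over an account's login and recovery paths: a path is only multi-factor if the evidence it requires spans at least two of know / have / are, and an actor holding only "have" items (inbox plus phone) is tested against every path. The account model, path names and evidence labels are constructed assumptions.

```python
"""Factor-category check for login and account-recovery paths.

Each path requires a set of evidence items; each item belongs to one of
the three categories (know / have / are). A path whose evidence sits in a
single category is effectively single-factor. Model is constructed.
"""
from dataclasses import dataclass

# Category of each kind of evidence (something you know / have / are).
CATEGORY = {
    "password": "know",
    "totp_app": "have",       # authenticator app on a phone
    "email_inbox": "have",    # access to the account's email
    "notarized_id": "are",    # notary attests to identity
}


@dataclass(frozen=True)
class Path:
    name: str
    evidence: frozenset  # items an actor must present to use this path


def categories(path):
    """Set of factor categories covered by a path's required evidence."""
    return {CATEGORY[e] for e in path.evidence}


def single_factor_paths(paths):
    """Names of paths whose evidence lies in fewer than two categories."""
    return [p.name for p in paths if len(categories(p)) < 2]


def compromised_by(paths, held):
    """Names of paths usable by an actor holding exactly these items."""
    held = set(held)
    return [p.name for p in paths if p.evidence <= held]


# Constructed account model: normal login plus three recovery flows.
PATHS = [
    Path("login", frozenset({"password", "totp_app"})),
    # Reset 2FA by email while still knowing the password: know + have.
    Path("reset_2fa_by_email", frozenset({"password", "email_inbox"})),
    # Reset password by email while holding the 2FA device: have + have.
    Path("reset_password_by_email", frozenset({"totp_app", "email_inbox"})),
    # Recovery backed by a notarized letter: have + are.
    Path("reset_by_notarized_letter", frozenset({"email_inbox", "notarized_id"})),
]

if __name__ == "__main__":
    print("single-factor paths:", single_factor_paths(PATHS))
    print("usable with phone + inbox only:",
          compromised_by(PATHS, {"totp_app", "email_inbox"}))
```

Only the email-based password reset collapses to one category, and it is the only path an actor with just the phone and the inbox can walk.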

