[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

Matt Harris matt at netfire.net
Tue Feb 16 18:19:16 EST 2021


Matt Harris|Infrastructure Lead Engineer
On Tue, Feb 16, 2021 at 4:56 PM Rob Seastrom <rs at seastrom.com> wrote:

>
> TOTP is "OK but not ascendant".  The RFC is 10 years old; the technology
> has roots that are much older (HOTP).  There are better things now.
>
> It is still way way way better than "no 2FA", but if we are going to go
> from optional to required, we might want to consider a recalibration.  Job
> submitted this through the ACSP process less than a month ago:
> https://www.arin.net/participate/community/acsp/suggestions/2021/2021-2/
>
> -r
>

I'd strongly support adding support for additional methods as well. I use
both a TOTP app and a Yubikey on a daily basis, and the learning curve for
the end-user to implement either is extremely small.

That said, the requirements for implementing additional 2FA methods, in
terms of writing the code to make the support happen in the various web
(and other?) applications, are a much larger hurdle than simply forcing users
with control over resources to enable the existing 2FA support on those
accounts. I see these as two independent steps forward, and supporting
additional methods need not block the implementation of such a requirement.

- Matt