[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

Rob Seastrom rs at seastrom.com
Wed Feb 17 10:55:14 EST 2021



> On Feb 16, 2021, at 6:19 PM, Matt Harris <matt at netfire.net> wrote:
> 
> That said, the requirements for implementing additional 2fa methods in terms of writing the code to make the support happen in the various web (and other?) applications is a much larger hurdle than simply forcing users with control over resources to enable the existing 2fa support on those accounts. I see these are two independent steps forward, and supporting additional methods need not block the implementation of such a requirement. 

There's a larger discussion to be had surrounding moving the authentication out of the applications themselves and moving to SAML/OAuth, which allows the centralization of the authentication mechanisms. I wouldn't expect a community discussion to be prescriptive about implementation details, but evaluating a pivot to more modern IAM frameworks seems like a good thing for staff to consider before making a move, as there may be an opportunity to retire tech debt while gaining capabilities.

I have no specific information on the state of affairs on ARIN's various systems (which might have this sort of thing partially or completely implemented already).  Moreover, bringing up federatable protocols is in no way a suggestion that ARIN move towards federated IAM (which at first blush seems like a poor fit for the ARIN Online model),

-r

