[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

Michael Richardson mcr at sandelman.ca
Thu Feb 18 12:05:59 EST 2021


William Herrin <bill at herrin.us> wrote:
    > On Tue, Feb 16, 2021 at 1:58 PM Matt Harris <matt at netfire.net> wrote:
    >> Yep, as you can see, the system for supporting it already exists and
    >> some (perhaps many?) of us are already taking advantage of it. So the
    >> next step would be to push it as a requirement for accounts which
    >> control resources such as IPv4, IPv6, and AS numbers in order to
    >> entirely prevent the brute-force attacks which were the original onus
    >> for this discussion.


    > Hi Matt,

    > I don't know the current state of ARIN's account recovery process but
    > unless ARIN first gets religion for it, there's not much point in
    > forcing 2FA in the primary authentication path. "Click this email link
    > to reset your password" is single-factor and not even strong
    > single-factor.

ARIN requires a phone call.


