[ARIN-consult] Consultation on Password Security for ARIN Online Accounts
Michael Richardson
mcr at sandelman.ca
Thu Feb 18 12:05:59 EST 2021
William Herrin <bill at herrin.us> wrote:
> On Tue, Feb 16, 2021 at 1:58 PM Matt Harris <matt at netfire.net> wrote:
>> Yep, as you can see, the system for supporting it already exists and
>> some (perhaps many?) of us are already taking advantage of it. So the
>> next step would be to push it as a requirement for accounts which
>> control resources such as IPv4, IPv6, and AS numbers in order to
>> entirely prevent the brute-force attacks which were the original onus
>> for this discussion.
> Hi Matt,
> I don't know the current state of ARIN's account recovery process but
> unless ARIN first gets religion for it, there's not much point in
> forcing 2FA in the primary authentication path. "Click this email link
> to reset your password" is single-factor and not even strong
> single-factor.
ARIN requires a phone call.