[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

William Herrin bill at herrin.us
Thu Feb 18 12:18:12 EST 2021


On Thu, Feb 18, 2021 at 9:05 AM Michael Richardson <mcr at sandelman.ca> wrote:
> > 3.    Issue warning message that requires the customer to select and set a
> > different password immediately.
>
> This seems like the best situation, but there are issues when this is a
> password shared among a few operators.  In particular, what we don't want is
> for one person to be forced to change the password under duress of getting
> their work done, and then picking another password which they then email to
> their colleagues.

Hi Michael,

That's frankly an issue with the operator. Group authentication
(password sharing) is forbidden by essentially every security standard
in existence. Each individual is supposed to have their own account
(authentication) which is then granted shared access (group access) to
the organization's ARIN resources.


> The alternative today should be TLS Client side certificates.
> There are many operational complexities in maintaining them, but given that
> we have web properties that have varieties of:
>   1) 2FA

Client certificates are a form of 2FA. They're a "what you have"
factor, same as a TOTP token or an email confirmation.

Regards,
Bill Herrin


-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/

