[ARIN-consult] Consultation on Password Security for ARIN Online Accounts
William Herrin
bill at herrin.us
Thu Feb 18 12:19:35 EST 2021
On Thu, Feb 18, 2021 at 9:06 AM Michael Richardson <mcr at sandelman.ca> wrote:
> William Herrin <bill at herrin.us> wrote:
> > I don't know the current state of ARIN's account recovery process but
> > unless ARIN first gets religion for it, there's not much point in
> > forcing 2FA in the primary authentication path. "Click this email link
> > to reset your password" is single-factor and not even strong
> > single-factor.
>
> ARIN requires a phone call.
Hi Michael,
That's single-factor: control of a phone number.
AT&T defended itself from a lawsuit a year or two ago where someone
lost millions of dollars of bitcoin because a hacker was able to get
AT&T to activate a new phone with their phone number and then use that
to reset the brokerage password. AT&T's position, which the court
accepted, was that cell phone service was not advertised as, or secured
to, a standard appropriate for authentication; thus anyone who relied on
it for such did so at their own risk.
Regards,
Bill Herrin
--
William Herrin
bill at herrin.us
https://bill.herrin.us/