[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

William Herrin bill at herrin.us
Thu Feb 18 12:19:35 EST 2021


On Thu, Feb 18, 2021 at 9:06 AM Michael Richardson <mcr at sandelman.ca> wrote:
> William Herrin <bill at herrin.us> wrote:
>     > I don't know the current state of ARIN's account recovery process but
>     > unless ARIN first gets religion for it, there's not much point in
>     > forcing 2FA in the primary authentication path. "Click this email link
>     > to reset your password" is single-factor and not even strong
>     > single-factor.
>
> ARIN requires a phone call.

Hi Michael,

That's single-factor: control of a phone number.

AT&T defended itself from a lawsuit a year or two ago where someone
lost millions of dollars of bitcoin because a hacker was able to get
AT&T to activate a new phone with their phone number and then use that
to reset the brokerage password. AT&T's position, which the court
accepted, was that cell phone service was not advertised as or secured
to a standard appropriate for authentication; thus anyone who relied on
it for such did so at their own risk.

Regards,
Bill Herrin


-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/

