[ARIN-consult] Consultation on Password Security for ARIN Online Accounts
Michael Richardson
mcr at sandelman.ca
Thu Feb 18 14:20:50 EST 2021
William Herrin <bill at herrin.us> wrote:
>> William Herrin <bill at herrin.us> wrote:
>>> I don't know the current state of ARIN's account recovery process but
>>> unless ARIN first gets religion for it, there's not much point in
>>> forcing 2FA in the primary authentication path. "Click this email link
>>> to reset your password" is single-factor and not even strong
>>> single-factor.
>>
>> ARIN requires a phone call.
> Hi Michael,
> That's single-factor: control of a phone number.
No, you have to phone ARIN. Not them phoning you.
You then go through a process with their operator.
> AT&T defended itself from a lawsuit a year or two ago where someone
Yes, SIM swapping is a serious issue, and as you say, the phone companies really
aren't prepared to do proper authorization for possession of a phone number.
> lost millions of dollars of bitcoin because a hacker was able to get
> AT&T to activate a new phone with their phone number and then use that
> to reset the brokerage password. AT&T's position, which the court
> accepted, was that cell phone service was not advertised as or secured
> to a standard appropriate for authentication thus anyone who relied on
> it for such did so at their own risk.
Too bad the banks don't seem to understand this.
Mine has arrived at SMS as 2FA with huge enthusiasm, a decade late.