[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

Michael Richardson mcr at sandelman.ca
Thu Feb 18 14:20:50 EST 2021


William Herrin <bill at herrin.us> wrote:
    >> William Herrin <bill at herrin.us> wrote:
    >>> I don't know the current state of ARIN's account recovery process but
    >>> unless ARIN first gets religion for it, there's not much point in
    >>> forcing 2FA in the primary authentication path. "Click this email link
    >>> to reset your password" is single-factor and not even strong
    >>> single-factor.
    >>
    >> ARIN requires a phone call.

    > Hi Michael,

    > That's single-factor: control of a phone number.

No, you have to phone ARIN.  Not them phoning you.
You then go through a process with their operator.

    > AT&T defended itself from a lawsuit a year or two ago where someone

Yes, SIM swapping is a serious issue, and as you say, the phone companies really
aren't prepared to do proper authorization for possession of a phone number.

    > lost millions of dollars of bitcoin because a hacker was able to get
    > AT&T to activate a new phone with their phone number and then use that
    > to reset the brokerage password. AT&T's position, which the court
    > accepted, was that cell phone service was not advertised as or secured
    > to a standard appropriate for authentication thus anyone who relied on
    > it for such did so at their own risk.

Too bad the banks don't seem to understand this.
Mine has arrived at SMS as 2FA with huge enthusiasm, a decade late.
