[ARIN-consult] Consultation on Password Security for ARIN Online Accounts

Owen DeLong owen at delong.com
Fri Feb 19 07:21:43 EST 2021

> On Feb 18, 2021, at 9:19 AM, William Herrin <bill at herrin.us> wrote:
> 
> On Thu, Feb 18, 2021 at 9:06 AM Michael Richardson <mcr at sandelman.ca> wrote:
>> William Herrin <bill at herrin.us> wrote:
>>> I don't know the current state of ARIN's account recovery process but
>>> unless ARIN first gets religion for it, there's not much point in
>>> forcing 2FA in the primary authentication path. "Click this email link
>>> to reset your password" is single-factor and not even strong
>>> single-factor.
>> 
>> ARIN requires a phone call.
> 
> Hi Michael,
> 
> That's single-factor: control of a phone number.

Control of the phone number is “something you have”.

Doesn’t that depend on what they ask for over the phone?

I.e. if they validate that the phone number matches the POC record _AND_
confirm some other private piece of information (e.g. SSN, answers
to security questions, etc.) (something you know).

> AT&T defended itself from a lawsuit a year or two ago where someone
> lost millions of dollars of bitcoin because a hacker was able to get
> AT&T to activate a new phone with their phone number and then use that
> to reset the brokerage password. AT&T's position, which the court
> accepted, was that cell phone service was not advertised as or secured
> to a standard appropriate for authentication thus anyone who relied on
> it for such did so at their own risk.

As a single-factor token, sure, but as one of multiple factors, I think
it can be valid.

Owen