[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Owen DeLong owen at delong.com
Wed Jun 1 14:04:18 EDT 2022



> On May 30, 2022, at 21:35 , Peter Beckman <beckman at angryox.com> wrote:
> 
> On Sun, 29 May 2022, Owen DeLong via ARIN-consult wrote:
> 
>>> Ideally, you shouldn't be logging into an ARIN account from such a machine. What sort of real world scenarios are occurring where you need to do that, as opposed to just wait until you're back at a device you control?
>> 
>> On-call consulting work.
> 
> And you are unable to bring your own laptop or other personal device to
> this on-call consulting work, where you can use their computers and their
> Internet access but you cannot use your own?

In some cases, yes.

>>> If you login from a device you don't control, a password alone (no
>>> matter how strong) is vulnerable to replay. While I don't think you
>>> should login to ARIN at the library, if you do so anyway but use 2FA,
>>> then that replay risk goes away: your account is only exposed while
>>> logged in at that machine. Replay of passwords is _the_ scenario that
>>> 2FA is designed to address.
>> 
>> It’s only vulnerable to replay until it is changed. When I’m faced with
>> such a situation, I’m smart enough to change it once I am able to use a
>> machine I control to do so. The odds of a replay attack in the time that
>> takes are relatively small. The odds of the replay attack causing
>> significant damage given ARIN ticket turnaround times are even smaller.
> 
> Sure, the odds are pretty low that ARIN members wouldn't understand good
> security practices or get phished, yet it happens, often enough for ARIN
> to consider taking steps to reduce those odds further.

Whether ARIN members in general do or not, I do and you were making allegations
about my particular behavior.

> It's all theoretical to someone until it happens to them. At that point,
> the odds are no longer too small to make no changes.

Well… I’ve got more than 20 years of it not happening to me, so I think that’s a reasonably good track record.

Owen
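The replay argument in Peter's quoted paragraph above (a captured password replays until it is changed; a captured one-time code does not) is easy to see in code. The following is an added example, not part of this thread or anything ARIN runs: it implements RFC 4226 HOTP and RFC 6238 TOTP verification and contrasts a password-only login with a password-plus-TOTP login in which each code is accepted at most once. The secret, the password, and the timestamps are constructed values; the one-step clock-skew window is an assumption, not something the thread specifies.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30   # TOTP time step (RFC 6238 default)
DIGITS = 6          # code length
SKEW_STEPS = 1      # assumption: accept one step either side for clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordOnlyAccount:
    """Login where a captured password keeps working until the user changes it."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(password, self.salt)

    def password_ok(self, password: str) -> bool:
        return hmac.compare_digest(_hash_password(password, self.salt), self.pw_hash)

    def login(self, password: str, now: int, code: str = "") -> bool:
        return self.password_ok(password)  # the second factor is ignored here

    def change_password(self, new_password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(new_password, self.salt)


class TotpAccount(PasswordOnlyAccount):
    """Password plus TOTP. A captured (password, code) pair stops working once the
    code's time step has passed, and a code is accepted at most once (RFC 6238 s5.2)."""

    def __init__(self, password: str, totp_secret: bytes):
        super().__init__(password)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest time-step counter already consumed

    def login(self, password: str, now: int, code: str = "") -> bool:
        if not self.password_ok(password):
            return False
        current = now // STEP_SECONDS
        for counter in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if counter <= self.last_counter:
                continue  # a code for this step was already used: treat as replay
            if hmac.compare_digest(hotp(self.totp_secret, counter), code):
                self.last_counter = counter
                return True
        return False


def replay_scenario(now: int) -> dict:
    """Constructed scenario: what the user typed on a shared machine at time `now` is
    captured and replayed 5 s later (same step), an hour later, and after a password change."""
    secret = b"constructed-demo-secret"          # constructed, not a real credential
    pw = "correct horse battery staple"           # constructed
    plain = PasswordOnlyAccount(pw)
    strong = TotpAccount(pw, secret)
    code = totp(secret, now)                      # the code the user typed at `now`
    results = {
        "plain_user": plain.login(pw, now),
        "plain_replay_1h": plain.login(pw, now + 3600),
        "totp_user": strong.login(pw, now, code),
        "totp_replay_same_step": strong.login(pw, now + 5, code),
        "totp_replay_1h": strong.login(pw, now + 3600, code),
    }
    plain.change_password("a different constructed password")
    results["plain_replay_after_change"] = plain.login(pw, now + 7200)
    return results


if __name__ == "__main__":
    for name, ok in replay_scenario(1_000_000).items():
        print(f"{name:28s} {'accepted' if ok else 'rejected'}")
```

The password-only account accepts the replay for as long as the password stays unchanged, which is exactly the window Owen describes closing by hand; the TOTP account rejects the captured code both within the same 30-second step (the counter was already consumed) and an hour later (the code no longer matches any step in the window), so the exposure is limited to the session on the shared machine.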


