[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

William Herrin bill at herrin.us
Tue May 24 13:40:42 EDT 2022

On Tue, May 24, 2022 at 9:46 AM ARIN <info at arin.net> wrote:
> -------------------
> Once SMS-based two-factor authentication (2FA) is available for ARIN Online, do you believe ARIN *should not* proceed with requiring 2FA authentication (SMS-based or TOTP) for all ARIN Online accounts?  If so, why?
> -------------------
I believe ARIN is IN ERROR to yet again consider requiring Two Factor
Authentication (2FA) of its customers.

Firstly, 2FA is technologically unsuitable for API access to ARIN. Is
it ARIN's intention to also disable portions of the API access? Or
simply leave it open as a less secured hole in the system?

Secondly, 2FA is problematic for rarely accessed systems. When systems
are not accessed on a daily or weekly basis, phone numbers change and
TOTP devices are replaced or lost. This is especially true when
network administrators who brought their cell phones with them take
them when they move on to new jobs. This leaves registrants more
frequently going through the password recovery procedures which, when
structured to be frequently usable, are almost always less secure than
a suitably long or complex password.

I note that both of the proposed technologies rely on the user's cell
phone. More COMPETENT 2FA implementations also support placing a voice
call with a code so that users with company-provided desk phones may
use them too, and often support optionally setting a browser
authentication cookie which allows frequent logins without repeating
the hassle of the 2FA process. The implementation proposed by ARIN
does not read like a competent one.

Moreover, there are suitable alternatives to generalized 2FA. For
example, processing potentially irreversible changes like transfers
from non-2FA accounts could require a postal mail confirmation -- a
process far more secure than generalized SMS.

In some use cases, 2FA is an excellent security tool which should be
available to ARIN customers. While its use should be encouraged, it
is my opinion that 2FA should NEVER be required. Let customers
identify the access process which fits THEIR use of ARIN Online.

Bill Herrin

William Herrin
bill at herrin.us