[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Rich Greenwood rgreenwood at shastacoe.org
Tue May 24 14:47:56 EDT 2022

While I'm sure most of us agree that SMS-based MFA is the worst option out
of all the MFA options, I support proceeding with requiring MFA for all

The rest of this message is outside the scope of this consultation, so it
can be safely ignored.  This should probably be a different consultation
discussion.  I would like to see the option for multiple MFA options for a
single account and additional MFA options like a YubiKey hardware token.
Having a YubiKey locked in the office safe would help negate the risk of a
single person's phone being the key to all the records.  Having the option
of choosing which MFA option to use during login would mean I wouldn't have
to go get my phone if my YubiKey was in my pocket, or vice versa.  Thanks.

On Tue, May 24, 2022 at 9:46 AM ARIN <info at arin.net> wrote:

> **Background**
> In 2015, ARIN deployed a Time-Based One-Time password (TOTP)
> implementation of Two-Factor Authentication (2FA). Since the time of
> implementing that login security feature, 3.2 percent of ARIN Online users
> have opted to use 2FA with their accounts.
> Since October 2020, the ARIN Online system has been subject to a series of
> dictionary-based password guessing attacks. In March of 2021, we conducted
> ACSP Consultation 2021.2: Password Security for ARIN Online Accounts (
> https://www.arin.net/participate/community/acsp/consultations/2021/2021-2/)
> on proposed improvements to increase account security. This consultation
> resulted in an agreement to move forward with several improvements that
> have subsequently been deployed. However, we continue to see frequent
> attacks on our log-in systems, and ARIN staff continues to be heavily
> engaged in mitigating these attacks. Accounts not using 2FA are susceptible
> to these attacks. We recently updated the community on this topic during
> ARIN 49 held in Nashville and online in April. You can review this
> information from the ARIN 49 Meeting Report (
> https://www.arin.net/participate/meetings/ARIN49/) by looking for the
> presentation titled “Brute Force Login Attacks”.
> It is our intention to make 2FA mandatory for all existing and new ARIN
> Online accounts going forward. The security of ARIN Online accounts is
> paramount to the success of the registry, and we do not believe it is
> tenable to continue without making 2FA required for all ARIN Online
> accounts.
> We are currently developing a second method of 2FA use with ARIN Online to
> add to our long-deployed TOTP implementation. In the coming months, we will
> deploy a Short Message Service (SMS) 2FA implementation, thereby adding a
> second 2FA option for ARIN Online users. At that time, users will be able
> to choose between two types of 2FA – SMS and TOTP.   Adoption of TOTP 2FA
> has been limited in part due to perceived complexity, and the addition of
> SMS-based 2FA will provide a second option that is easier to use for many
> customers – and provide much more protection than the simple
> username-password condition of many ARIN Online user accounts today.  (ARIN
> also plans on adding support for a third 2FA option in the future – Fast
> Identity Online 2 (FIDO2) – in response to community suggestions, but we do
> not believe it is prudent to delay requiring 2FA on ARIN Online accounts
> until that third option becomes available.)
> **Requiring 2FA For ARIN Online Accounts**
> By requiring 2FA for ARIN Online accounts that control number resources,
> the ARIN community should see stronger security for the registry, reduced
> risk of account fraud attempts, and increased confidence in the integrity
> of their ARIN resources.
> ARIN intends to require 2FA for all ARIN Online accounts shortly after
> SMS-based 2FA authentication is generally available.  We are seeking
> confirmation from the ARIN community regarding this plan, and ask the
> following consultation question:
> -------------------
> Once SMS-based two-factor authentication (2FA) is available for ARIN
> Online, do you believe ARIN *should not* proceed with requiring 2FA
> authentication (SMS-based or TOTP) for all ARIN Online accounts?  If so,
> why?
> -------------------
> The feedback you provide during this consultation will help form our path
> forward to increasing the security of ARIN Online for all customers. Thank
> you for your participation in the ARIN Consultation and Suggestion Process.
> Please provide comments to arin-consult at arin.net. You can subscribe to
> this mailing list at:
> http://lists.arin.net/mailman/listinfo/arin-consult
> This consultation will remain open through 5:00 PM ET on 24 June 2022.
> Regards,
> John Curran
> President and CEO
> American Registry for Internet Numbers (ARIN)

Rich Greenwood
Network Engineer
Shasta County Office of Education
Information Technology
1644 Magnolia Ave.
Redding, CA 96001
Office: 530-225-0161
Hotline: 530-225-0279
rgreenwood at shastacoe.org