> On May 24, 2022, at 1:40 PM, William Herrin <bill at herrin.us> wrote:
> While its use should be encouraged, it
> is my opinion that 2FA should NEVER be required. Let customers
> identify the access process which fits THEIR use of ARIN Online.

Disagree strongly.  Requiring a second factor, even a crummy one like SMS (colloquially "1.2FA-not-2FA") reduces risk substantially.  We can expect some increased workload for ARIN help desk staff who will face incrementally more work dealing with credential issues due to increased complexity, lost second factor tokens, changed phone numbers, etc.  I believe the trade-off is worth it.

I applaud having FIDO2 on the roadmap and concur that requirement of a second factor should not be delayed to wait for it.  I would support guidance to customers to only use SMS if they have no other option.

Based on hallway discussion at ARIN 49, I want to make sure to make it clear I am advocating for evolving to an underlying identity platform that supports multiple flavors of MFA and can be extended to support new ones.  This is important for lifecycle management.  No doubt the day will come that FIDO2 looks as old and crufty as TOTP or as inadvisable as SMS. In other words, it is the capability and the ability to implement the second factor using technology that will evolve over time that matters.

Speaking for myself, all the usual disclaimers,


