[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts
rlaager at wiktel.com
Tue May 24 14:59:12 EDT 2022
I believe ARIN absolutely should require 2FA. Your actual experience with dictionary attacks confirms that.
SMS 2FA seems like a pragmatic compromise. I’m aware that SMS is generally considered a less secure 2nd factor, but: 1) I’m not sure how much less secure it really is. It obviously cannot be worse than a password alone. 2) Major financial institutions seem okay with it. 3) It might be necessary in practice to get people to turn on / accept 2FA.
You will have to think hard about recovery procedures. They will become the weak link in the security.