[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts
max at codingdirect.com
Tue May 24 15:23:30 EDT 2022
I find SMS highly insecure since it can be intercepted (it goes across the
system in plain text, similar to HTTP) and there is also SIM hijacking.
This article by Krebs goes into more detail on why it's insecure.
The fact that major financial institutions use it is a detriment to them,
as TOTP or FIDO2 are way more secure. But this is where reality hits the
road. Most people will not want to set up TOTP or FIDO2, but as long as
those of us who are more security-minded can make sure SMS or the phone
number in general cannot be used for authentication purposes, I would be
fine with including it as a stopgap.
On Tue, May 24, 2022 at 1:59 PM Richard Laager <rlaager at wiktel.com> wrote:
> I believe ARIN absolutely should require 2FA. Your actual experience with
> dictionary attacks confirms that.
>
> SMS 2FA seems like a pragmatic compromise. I’m aware that SMS is generally
> considered a less secure 2nd factor, but: 1) I’m not sure how much less
> secure it really is. It obviously cannot be worse than a password alone. 2)
> Major financial institutions seem okay with it. 3) It might be necessary in
> practice to get people to turn on / accept 2FA.
>
> You will have to think hard about recovery procedures. They will become
> the weak link in the security.
Phone: (682) 232-4867