[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Matthew Pounsett matt at conundrum.com
Tue May 24 17:22:05 EDT 2022

I agree with making 2FA required on all accounts.  SMS is absolutely less
secure than other 2FA options, but more secure than no 2FA at all.    This
would be a marginal security improvement for users, and from the sounds of
things a massive decrease in workload for staff.

However, given the known problems with SMS, I would urge staff to make it
possible for those of us with other 2FA methods configured to be able to
*disable* SMS 2FA on our accounts, to prevent it from ever being used even
as a fallback authentication method.  Additionally, if SMS-based password
recovery is ever on the table I would like to be able to indicate that it
should never be available for recovery for my account.

 As RS says, I'm happy FIDO is on the roadmap, but I don't see a reason to
wait for it to be ready before making 2FA mandatory.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-consult/attachments/20220524/896b228d/attachment.htm>

More information about the ARIN-consult mailing list