[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Matt Harris matt at netfire.net
Tue May 24 17:45:58 EDT 2022

On Tue, May 24, 2022 at 4:35 PM Adam Thompson <athompson at merlin.mb.ca> wrote:

> c) choice of 2FA system (SMS vs OTP) isn't an XOR selection, i.e. any
> supported 2FA system can be used to login at any given time.
> I believe TOTP and/or FIDO both require significant user education, even
> among ARIN users, and AFAIK no user-friendly guides exist today.
> -Adam

A couple of points here:

For one, I would never want SMS 2FA to be allowed on my account. I have had
TOTP set up for years with no issues. Adding an additional vulnerability to
my existing strong configuration is not acceptable. So indeed, if SMS is an
option that 2FA users can opt into, it must be that, and not something that
those of us with TOTP configurations currently need to opt out of, or
worse, are forced to accept.

Another is that I disagree that TOTP or FIDO require significant user
education. TOTP apps for Android and iOS are readily available and easy to
use: in most of them (Google Authenticator is a good example, and if you
don't want to use Google's app, you can also check out Duo (owned by Cisco)
or any number of other apps), the process is simply to click add account,
point your device's camera at the QR code associated with the account which
you'll be presented with during setup, and off you go. FIDO isn't
significantly more difficult when using a YubiKey with modern browsers.

- mdh

Matt Harris|VP of Infrastructure