[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Mark Elkins mje at posix.co.za
Wed May 25 04:06:20 EDT 2022


On 5/24/22 6:46 PM, ARIN wrote:
> **Background**
>
> In 2015, ARIN deployed a Time-Based One-Time password (TOTP) implementation of Two-Factor Authentication (2FA). Since the time of implementing that login security feature, 3.2 percent of ARIN Online users have opted to use 2FA with their accounts.


Years back, I added TOTP (Time-based One-Time Password) to the front end 
of my "Virtual Web" management system (I sell domains - etc.). The TOTP 
app is easy to install on any modern mobile device (I use mOTP). I allow 
the customer to configure their TOTP backend "OTP management" codes and 
to also test that the TOTP works locally before enforcing it.


(the grey text above are prompts)

This is also combined with the ability to specify an access list made up 
of multiple network blocks from where the OTP is not needed, that is, 
some machines with static IPs on the person's home network. To enforce 
OTP - just use an address such as 1.0.0.0/32 (or similar). This access 
list is similar to some of the validation that EPP uses. The PHP code 
was not too complicated. Using TOTP is free - no SMSes - etc.

One then has the best of both worlds - some secure locations from where 
OTP is not required and the OTPs for other (transient) locations.

TOTP security is optional - so of course very few customers use it (1% 
or so) - but it is there!
Education would be necessary. I provide the following...

-- 

Mark James ELKINS  -  Posix Systems - (South) Africa
mje at posix.co.za       Tel: +27.826010496



-------------- next part --------------
A non-text attachment was scrubbed...
Name: kbmdcmhlnngimhca.png
Type: image/png
Size: 10728 bytes
Desc: not available
URL: <https://lists.arin.net/pipermail/arin-consult/attachments/20220525/31a3836a/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mipgcaboncbcaodl.png
Type: image/png
Size: 82039 bytes
Desc: not available
URL: <https://lists.arin.net/pipermail/arin-consult/attachments/20220525/31a3836a/attachment-0003.png>
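
The access-list-plus-OTP decision described in the message above, as an added example (not the poster's PHP code). It assumes RFC 6238 TOTP with HMAC-SHA1; the function names, the sample networks and the secret are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample data: the RFC 6238 test secret and a per-customer
# access list of networks from which the OTP step is skipped.
SECRET = b"12345678901234567890"
HOME_NETS = ["203.0.113.0/28", "2001:db8:10::/64"]
# The post's way to enforce OTP everywhere: a single address the customer
# never logs in from, so no real login matches the list.
ENFORCE_ALWAYS = ["1.0.0.0/32"]


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_exempt(client_ip: str, allowlist: list[str]) -> bool:
    """True only if the source address falls inside a listed network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparseable address: fail closed and demand the OTP
    nets = (ipaddress.ip_network(n, strict=False) for n in allowlist)
    return any(addr.version == net.version and addr in net for net in nets)


def second_factor_ok(client_ip, allowlist, secret, submitted, now, window=1):
    """Skip the OTP for allowlisted sources; otherwise require a valid code."""
    if otp_exempt(client_ip, allowlist):
        return True
    if not submitted:
        return False
    # Accept +/- `window` 30-second steps for clock drift; constant-time compare.
    return any(
        hmac.compare_digest(totp(secret, now + d * 30).encode(), submitted.encode())
        for d in range(-window, window + 1)
    )
```

Pass the TCP peer address as `client_ip`, not a client-supplied header such as `X-Forwarded-For`, since the exemption is only as trustworthy as the address it is keyed on.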

