[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Matt Harris matt at netfire.net
Wed May 25 11:13:09 EDT 2022

On Wed, May 25, 2022 at 2:13 AM Owen DeLong via ARIN-consult <
arin-consult at arin.net> wrote:

> I’m not in favor of requiring 2FA. I agree that SMS 2FA is pretty awful,
> but all forms of 2FA come with a variety of inconveniences.
> With an account that goes back to the beginnings of ARIN online, I’ve
> never had a security problem with my ARIN online account, so I think that
> 2FA is a solution looking for a problem here.
> I know that’s not a popular view among the more security conscious, but
> the reality is that security should be commensurate with what is being
> protected. Let users who think their account warrants such additional
> measures opt in. Let those of use who feel that our passwords are adequate
> continue in that manner.
> Owen

The problem is that compromised ARIN accounts can result in issues that
don't just impact the owner of the account that held those resources.
Compromised ARIN accounts with resources can potentially adversely impact
us all in terms of upticks in spam and the resulting management burdens, at
the very least, and potentially in other (perhaps even thus far unforeseen)
ways as well.

I do agree with your statement "security should be commensurate with what
is being protected." Thus, I would consider that we perhaps continue to
allow accounts without control of any resources to continue without
requiring 2fa, only requiring it when resources are allocated. An ARIN
account with control of nothing, or perhaps just contact records for SWIP'd
space, etc, is not one that is a huge hazard to the community at large imho
compared to one that controls ASNs or IPv4 and IPv6 resources.

- mdh

Matt Harris|VP of Infrastructure
Looking for help?
Helpdesk|Email Support
We build customized end-to-end technology solutions powered by NetFire Cloud.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-consult/attachments/20220525/318130bb/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image007435.png
Type: image/png
Size: 14877 bytes
Desc: image007435.png
URL: <https://lists.arin.net/pipermail/arin-consult/attachments/20220525/318130bb/attachment-0001.png>

More information about the ARIN-consult mailing list