[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

John Curran jcurran at arin.net
Wed May 25 11:24:59 EDT 2022



On 25 May 2022, at 11:13 AM, Matt Harris <matt at netfire.net> wrote:

I do agree with your statement "security should be commensurate with what is being protected." Thus, I would consider that we perhaps continue to allow accounts without control of any resources to continue without requiring 2fa, only requiring it when resources are allocated. An ARIN account with control of nothing, or perhaps just contact records for SWIP'd space, etc, is not one that is a huge hazard to the community at large imho compared to one that controls ASNs or IPv4 and IPv6 resources.

Matt -

Wouldn’t the “compromise approach” shown above leave ARIN with accounts that are still subject to brute-force login attacks, and therefore not address the other aspect raised in the consultation:

However, we continue to see frequent attacks on our log-in systems, and ARIN staff continues to be heavily engaged in mitigating these attacks. Accounts not using 2FA are susceptible to these attacks. We recently updated the community on this topic during ARIN 49 held in Nashville and online in April. You can review this information from the ARIN 49 Meeting Report (https://www.arin.net/participate/meetings/ARIN49/) by looking for the presentation titled “Brute Force Login Attacks”.


Thoughts?
/John

John Curran
President and CEO
American Registry for Internet Numbers
