[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Matt Harris matt at netfire.net
Wed May 25 11:40:23 EDT 2022


Matt Harris|VP of Infrastructure
816-256-5446|Direct
On Wed, May 25, 2022 at 10:25 AM John Curran <jcurran at arin.net> wrote:

>
>
> On 25 May 2022, at 11:13 AM, Matt Harris <matt at netfire.net> wrote:
>
> I do agree with your statement "security should be commensurate with what
> is being protected." Thus, I would consider that we perhaps continue to
> allow accounts without control of any resources to continue without
> requiring 2fa, only requiring it when resources are allocated. An ARIN
> account with control of nothing, or perhaps just contact records for SWIP'd
> space, etc, is not one that is a huge hazard to the community at large imho
> compared to one that controls ASNs or IPv4 and IPv6 resources.
>
>
> Matt -
>
> Wouldn’t the “compromise approach” shown above leave ARIN with accounts
> that are still subject to brute-force login attacks, and therefore not
> address the other aspect raised in the consultation:
>
> However, we continue to see frequent attacks on our log-in systems, and
> ARIN staff continues to be heavily engaged in mitigating these
> attacks. Accounts not using 2FA are susceptible to these attacks. We
> recently updated the community on this topic during ARIN 49 held in
> Nashville and online in April. You can review this information from the
> ARIN 49 Meeting Report (https://www.arin.net/participate/meetings/ARIN49/)
> by looking for the presentation titled "Brute Force Login Attacks".
>
>
>
> Thoughts?
> /John
>

Indeed, it's a compromise, just like the proposed use of SMS as a method is
a compromise. The ideal is, imho, probably to implement FIDO as a second
2fa measure in addition to the already well-supported TOTP method and leave
SMS off the table, and enforce it on all accounts across the board. I don't
want to let perfect be the enemy of good, though.

- mdh