[ARIN-consult] increasing 2FA take-up

Scott Leibrand scottleibrand at gmail.com
Wed May 25 11:40:45 EDT 2022


Putting TOTP in 1Password makes login far more convenient than SMS 2FA, and
almost as convenient as password-only, even for shared accounts.

ARIN should probably provide instructions for how to add your TOTP to
1Password (and any other password managers that support that workflow),
because it's not a very intuitive enrollment experience.

We could also make 2FA only mandatory for activities that change resource
control (outbound transfers, reassignments, etc.)...

-Scott

On Wed, May 25, 2022 at 8:21 AM Richard Laager <rlaager at wiktel.com> wrote:

> You can put your TOTP in something like 1Password.
>
> --
> Richard
>
> On May 25, 2022, at 09:46, Adam Thompson <athompso at athompso.net> wrote:
>
> 
> I have not enabled 2FA.
>
> TOTP lies at the unfortunate confluence of vendor misfeatures and
> organizational policies that render it not durable or resilient in the face
> of mobile device failure (which seems to happen to me a LOT more often than
> normal).  Possibly I don't know something about our approved
> authenticator apps that might solve the problem, but last time I checked,
> it was a no-go for me.
>
> I've instead opted to use a long, randomly-generated password that I can
> store in ways that are both secure and durable/resilient.
>
> -Adam
>
> ------------------------------
> *From:* ARIN-consult <arin-consult-bounces at arin.net> on behalf of Bram
> Abramson <bda at bazu.org>
> *Sent:* Wednesday, May 25, 2022 9:26:59 AM
> *To:* ARIN-consult <arin-consult at arin.net>
> *Subject:* [ARIN-consult] increasing 2FA take-up
>
>
> All,
>
> The current consultation is about rendering SMS a 2FA option, then making
> 2FA mandatory. But it also notes that TOTP 2FA has been available since
> 2015 with a 3.2 percent take-up.
>
> Optional 2FA is perhaps inevitably doomed to low take-up, but it’s
> likely worth documenting any learnings from the implementation thus far, on
> the way to that 3.2 percent take-up:
>
>    - Have most folks involved in this discussion already activated 2FA (are
>      we preaching to the converted)? If not — why has it made sense for you not
>      to?
>    - Do we think most of the broader community is aware of the 2FA
>      opportunity — and are there thoughts, UX or otherwise, on why the crushing
>      majority of folks haven’t availed themselves of it?
>
> Thanks, and cheers,
> ------------------------------
>
> Bram Abramson
> bda at bazu.org / @bramabramson
> _______________________________________________
> ARIN-Consult
> You are receiving this message because you are subscribed to the ARIN
> Consult Mailing
> List (ARIN-consult at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the
> ARIN Member Services
> Help Desk at info at arin.net if you experience any issues.
>