[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Ross Tajvar ross at tajvar.io
Wed May 25 11:41:14 EDT 2022


>
> I remain unconvinced that inflicting 2FA on me solves a real problem that
> actually exists.

I'm not sure why you (and others) seem to think 2FA is so incredibly
inconvenient. In my experience, it only takes a few extra seconds, or a few
extra clicks/taps depending on how it's set up. The added overhead really
is very small.

> Perhaps requiring better (non-dictionary) passwords on accounts that don’t
> have 2FA would be a solution more targeted at the actual problem.

How would ARIN judge the complexity of a password? As far as I'm aware,
checking if it uses dictionary words is non-trivial. And even then, a
sufficiently long passphrase using dictionary words is pretty secure (vs a
short one) - I don't think it makes sense to penalize users for that.

On Wed, May 25, 2022 at 11:35 AM Owen DeLong via ARIN-consult <
arin-consult at arin.net> wrote:

>
>
> On May 25, 2022, at 08:13 , Matt Harris <matt at netfire.net> wrote:
>
> On Wed, May 25, 2022 at 2:13 AM Owen DeLong via ARIN-consult <
> arin-consult at arin.net> wrote:
>
>> I’m not in favor of requiring 2FA. I agree that SMS 2FA is pretty awful,
>> but all forms of 2FA come with a variety of inconveniences.
>>
>> With an account that goes back to the beginnings of ARIN online, I’ve
>> never had a security problem with my ARIN online account, so I think that
>> 2FA is a solution looking for a problem here.
>>
>> I know that’s not a popular view among the more security conscious, but
>> the reality is that security should be commensurate with what is being
>> protected. Let users who think their account warrants such additional
>> measures opt in. Let those of us who feel that our passwords are adequate
>> continue in that manner.
>>
>> Owen
>>
>
> Owen,
> The problem is that compromised ARIN accounts can result in issues that
> don't just impact the owner of the account that held those resources.
> Compromised ARIN accounts with resources can potentially adversely impact
> us all in terms of upticks in spam and the resulting management burdens, at
> the very least, and potentially in other (perhaps even thus far unforeseen)
> ways as well.
>
>
> I disagree… If my ARIN account is compromised, I’m going to get notified
> of any changes made. (So far, that hasn’t happened). I know exactly where
> to go to get those changes reverted quickly.
>
> My account is associated with resources, but I remain unconvinced that
> inflicting 2FA on me solves a real problem that actually exists.
>
> I do agree with your statement "security should be commensurate with what
> is being protected." Thus, I would consider that we perhaps continue to
> allow accounts without control of any resources to continue without
> requiring 2fa, only requiring it when resources are allocated. An ARIN
> account with control of nothing, or perhaps just contact records for SWIP'd
> space, etc, is not one that is a huge hazard to the community at large imho
> compared to one that controls ASNs or IPv4 and IPv6 resources.
>
>
> Perhaps requiring better (non-dictionary) passwords on accounts that don’t
> have 2FA would be a solution more targeted at the actual problem.
>
> Owen
>