[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts
scottleibrand at gmail.com
Wed May 25 11:52:04 EDT 2022
On Wed, May 25, 2022 at 8:41 AM Ross Tajvar <ross at tajvar.io> wrote:
> I remain unconvinced that inflicting 2FA on me solves a real problem that
>> actually exists.
> I'm not sure why you (and others) seem to think 2FA is so incredibly
> inconvenient. In my experience, it only takes a few extra seconds, or a few
> extra clicks/taps depending on how it's set up. The added overhead really
> is very small.
When 2FA is set up "properly", you're correct. It's often not, either by
users or system designers. One main challenge is when users make one of the
very common errors in managing 2FA, like losing access to their second
factor (often by only enrolling their phone and then switching phones).
It's also quite common to want to log in but not have immediate access to
your second factor. That can be addressed by allowing multiple types of 2FA
to be set up simultaneously, but many implementations do so poorly.
In ARIN's case, there's the added complexity of ARIN accounts being the
property of an organization, not an individual, and all the
chain-of-custody complications that introduces. Many organizations solve
those by using shared credentials. If they don't have a shared-credential
storage system like 1Password set up, 2FA significantly complicates that
Whatever solutions you introduce to all of those problems, you have all the
overhead of resetting people's 2FA credentials when they inevitably lose
access. Such account reset workflows must be secure enough to avoid social
engineering making the problem worse than it is today, while minimizing the
additional burden on users and staff.
This is not an easy problem, so some of the maximalist positions that have
been previously expressed on this thread strike me as poorly-considered.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the ARIN-consult