[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

William Herrin bill at herrin.us
Wed May 25 12:39:12 EDT 2022


On Wed, May 25, 2022 at 8:41 AM Ross Tajvar <ross at tajvar.io> wrote:
>> I remain unconvinced that inflicting 2FA on me solves a real problem that actually exists.
>
> I'm not sure why you (and others) seem to think 2FA is so incredibly inconvenient. In my experience, it only takes a few extra seconds, or a few extra clicks/taps depending on how it's set up. The added overhead really is very small.

It requires orgs which rarely interact with ARIN to keep track of THE
cell phone which has the 2FA app. Oh, and the phone has to still be
working. Otherwise, every interaction with ARIN for such orgs starts
with a painful and likely insecure account recovery procedure.


>> Perhaps requiring better (non-dictionary) passwords on accounts that don’t have 2FA would be a solution more targeted at the actual problem.
>
>  How would ARIN judge the complexity of a password? As far as I'm aware, checking if it uses dictionary words is non-trivial.

The last time I worked on this problem I followed the NIST guidance:
check the proposed password against a large list of known compromised
passwords (e.g.
https://github.com/danielmiessler/SecLists/tree/master/Passwords,
https://drive.google.com/drive/folders/14xB93b5YveOzCY7EuDrcL5ElpN-HCNse)
and reject it if found there. It took me a couple of days to find a
decent data source and write an app around it. It was rather trivial.

Dictionary attacks are ineffective against a site which rejects the
overwhelming majority of passwords in the attack dictionary.


> And even then, a sufficiently long passphrase using dictionary words is pretty secure (vs a short one) - I don't think it makes sense to penalize users for that.

Among the reasons I'm against mandatory 2FA.

Regards,
Bill Herrin

-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/
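An added worked example of the approach Bill describes above (checking a proposed password against a list of known compromised passwords, as NIST SP 800-63B recommends, rather than judging "complexity"). This is not code from the thread or from ARIN; the breach list embedded here is a small constructed stand-in for a SecLists-style file, the SHA-1 prefix index is an assumed storage layout that keeps the plaintexts out of the deployed app, and the 8-character floor is the SP 800-63B minimum for user-chosen secrets. It also shows why a long dictionary-word passphrase passes while a dictionary attack mostly fails against such a filter.

```python
import hashlib
from typing import Dict, Iterable, Sequence, Set

# Constructed sample standing in for a SecLists-style compromised-password file
# (assumption: one plaintext password per line, as those lists are laid out).
SAMPLE_BREACH_LIST = """\
password
123456
qwerty
letmein
Password1
P@ssw0rd
iloveyou
dragon
"""

# NIST SP 800-63B minimum length for a user-chosen memorized secret.
MIN_LENGTH = 8


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the usual key for breach lists."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_breached_hashes(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Build an index of SHA-1 digests keyed by their first 5 hex characters.

    Storing digests rather than plaintexts means the deployed app never holds
    the raw list, and the 5-character bucketing mirrors the k-anonymity range
    lookup pattern, so a remote checker would only ever see a prefix.
    """
    index: Dict[str, Set[str]] = {}
    for raw in lines:
        pw = raw.rstrip("\r\n")
        if not pw:
            continue
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def is_compromised(password: str, index: Dict[str, Set[str]]) -> bool:
    """True if the password's digest is in the breach index."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def evaluate_password(password: str, index: Dict[str, Set[str]]) -> str:
    """Return 'ok' or the rejection reason.

    Follows the SP 800-63B shape: a length floor plus a blocklist check, and
    no composition rules, so a long passphrase of ordinary words is accepted.
    """
    if len(password) < MIN_LENGTH:
        return "too short"
    if is_compromised(password, index):
        return "found in compromised-password list"
    return "ok"


def fraction_rejected(candidates: Sequence[str], index: Dict[str, Set[str]]) -> float:
    """Share of an attacker's guess list that the policy would refuse outright.

    This is the point about dictionary attacks: if the site rejects most of the
    attack dictionary at set time, those guesses cannot be anyone's password.
    """
    if not candidates:
        return 0.0
    rejected = sum(1 for c in candidates if evaluate_password(c, index) != "ok")
    return rejected / len(candidates)


if __name__ == "__main__":
    idx = load_breached_hashes(SAMPLE_BREACH_LIST.splitlines(keepends=True))
    for pw in ["P@ssw0rd", "dragon", "correct horse battery staple"]:
        print(f"{pw!r}: {evaluate_password(pw, idx)}")
    guesses = ["password", "123456", "qwerty", "letmein", "correct horse battery staple"]
    print(f"attack dictionary rejected: {fraction_rejected(guesses, idx):.0%}")
```

In production the index would be built once from the full list (hundreds of millions of entries) into a file or database keyed by prefix; the check itself stays a single hash plus one bucket lookup, which is why it costs the user nothing at login.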