[ARIN-consult] increasing 2FA take-up

Kevin Blumberg kevinb at thewire.ca
Wed May 25 13:13:53 EDT 2022


Bram,

I’ve been using it since Day 1 that the feature came out.

https://www.arin.net/participate/community/acsp/suggestions/2013/2013-8/

My suggestion in 2013 was to allow multiple authentication options.  Since almost a decade has gone by since the ACSP request, my only regret is including SMS as an option back then. It has too many known vulnerabilities, with many better options (including TOTP which is being used).

I do find it interesting that people think they will have a say in whether MFA is mandatory or not.

That ship sailed a long time ago; insurance companies are mandating MFA for systems. It isn’t a question of IF but WHEN it will be mandatory.

TOTP is a great lowest common denominator; it doesn’t require any external connectivity for usage, and can be set up on multiple devices, if you have the private key or scan the QR code to those devices.

I would still like to see a hardware token or other robust MFA solution.

Kevin Blumberg

From: ARIN-consult <arin-consult-bounces at arin.net> On Behalf Of Bram Abramson
Sent: Wednesday, May 25, 2022 10:27 AM
To: ARIN-consult <arin-consult at arin.net>
Subject: [ARIN-consult] increasing 2FA take-up


All,

The current consultation is about rendering SMS a 2FA option, then making 2FA mandatory. But it also notes that TOTP 2FA has been available since 2015 with a 3.2 percent take-up.

Optional 2FA is perhaps inevitably doomed to low take-up, but it’s likely worth documenting any learnings from the implementation thus far, on the way to that 3.2 percent take-up:

  *   Have most folks involved in this discussion already activated 2FA (are we preaching to the converted)? If not — why has it made sense for you not to?
  *   Do we think most of the broader community is aware of the 2FA opportunity — and are there thoughts, UX or otherwise, on why the crushing majority of folks haven’t availed themselves of it?

Thanks, and cheers,

________________________________

Bram Abramson
bda at bazu.org / @bramabramson