[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

David Bass davidbass570 at gmail.com
Wed May 25 13:17:20 EDT 2022


We are generally *always* reviewing and recommending our customers enable
2fa on everything they use, and look for alternatives (when possible) for
things that don’t.  The problem is so much broader than people think.  They
don’t necessarily need to take, or change your data…if you are a high value
target, then they may be able to use the data in your account as an attack
vector to gain access to their ultimate target.

Anyone in control of high value resources should be taking additional steps
to protect their accounts.

On Wed, May 25, 2022 at 12:39 PM William Herrin <bill at herrin.us> wrote:

> On Wed, May 25, 2022 at 8:41 AM Ross Tajvar <ross at tajvar.io> wrote:
> >> I remain unconvinced that inflicting 2FA on me solves a real problem
> that actually exists.
> >
> > I'm not sure why you (and others) seem to think 2FA is so incredibly
> inconvenient. In my experience, it only takes a few extra seconds, or a few
> extra clicks/taps depending on how it's set up. The added overhead really
> is very small.
>
> It requires orgs which rarely interact with ARIN to keep track of THE
> cell phone which has the 2FA app. Oh, and the phone has to still be
> working. Otherwise, every interaction with ARIN for such orgs starts
> with a painful and likely insecure account recovery procedure.
>
>
> >> Perhaps requiring better (non-dictionary) passwords on accounts that
> don’t have 2FA would be a solution more targeted at the actual problem.
> >
> >  How would ARIN judge the complexity of a password? As far as I'm aware,
> checking if it uses dictionary words is non-trivial.
>
> The last time I worked on this problem I followed the NIST guidance:
> check the proposed password against a large list of known compromised
> passwords (e.g.
> https://github.com/danielmiessler/SecLists/tree/master/Passwords,
> https://drive.google.com/drive/folders/14xB93b5YveOzCY7EuDrcL5ElpN-HCNse)
> and reject it if found there. It took me a couple of days to find a
> decent data source and write an app around it. It was rather trivial.
>
> Dictionary attacks are ineffective against a site which rejects the
> overwhelming majority of passwords in the attack dictionary.
>
>
> > And even then, a sufficiently long passphrase using dictionary words is
> pretty secure (vs a short one) - I don't think it makes sense to penalize
> users for that.
>
> Among the reasons I'm against mandatory 2FA.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin
> bill at herrin.us
> https://bill.herrin.us/
> _______________________________________________
> ARIN-Consult
> You are receiving this message because you are subscribed to the ARIN
> Consult Mailing
> List (ARIN-consult at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the
> ARIN Member Services
> Help Desk at info at arin.net if you experience any issues.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-consult/attachments/20220525/56d48fe4/attachment-0001.htm>


More information about the ARIN-consult mailing list