[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Ross Tajvar ross at tajvar.io
Wed May 25 23:39:47 EDT 2022


>
> The added overhead is small if you are in an office with your cell phone
> handy.
>
> It’s less convenient if your cell phone isn’t handy (for a variety of
> reasons), and you’re trying to do something quickly without having to
> retrieve said phone.
>

I don't need my cell phone to do 2FA. I normally don't - I just use my
password manager, or a hardware token depending on what I'm authenticating
to. I *can* use my cell phone, but I don't have to.

On Wed, May 25, 2022 at 11:00 PM Owen DeLong <owen at delong.com> wrote:

>
>
> On May 25, 2022, at 08:41, Ross Tajvar <ross at tajvar.io> wrote:
>
>> I remain unconvinced that inflicting 2FA on me solves a real problem that
>> actually exists.
>
> I'm not sure why you (and others) seem to think 2FA is so incredibly
> inconvenient. In my experience, it only takes a few extra seconds, or a few
> extra clicks/taps depending on how it's set up. The added overhead really
> is very small.
>
>
> The added overhead is small if you are in an office with your cell phone
> handy.
>
> It’s less convenient if your cell phone isn’t handy (for a variety of
> reasons), and you’re trying to do something quickly without having to
> retrieve said phone.
>
>
>> Perhaps requiring better (non-dictionary) passwords on accounts that don’t
>> have 2FA would be a solution more targeted at the actual problem.
>
> How would ARIN judge the complexity of a password? As far as I'm aware,
> checking if it uses dictionary words is non-trivial. And even then, a
> sufficiently long passphrase using dictionary words is pretty secure (vs a
> short one) - I don't think it makes sense to penalize users for that.
>
>
> Yes, sufficient length if just words (alpha only), or sufficient entropy
> if not long.
>
> Checking for dictionary words isn’t completely trivial, but it’s not
> particularly computationally difficult, either.
>
> Plenty of sites manage to do this.
>
> Owen
>
>
>
> On Wed, May 25, 2022 at 11:35 AM Owen DeLong via ARIN-consult <
> arin-consult at arin.net> wrote:
>
>>
>>
>> On May 25, 2022, at 08:13 , Matt Harris <matt at netfire.net> wrote:
>>
>> On Wed, May 25, 2022 at 2:13 AM Owen DeLong via ARIN-consult <
>> arin-consult at arin.net> wrote:
>>
>>> I’m not in favor of requiring 2FA. I agree that SMS 2FA is pretty awful,
>>> but all forms of 2FA come with a variety of inconveniences.
>>>
>>> With an account that goes back to the beginnings of ARIN online, I’ve
>>> never had a security problem with my ARIN online account, so I think that
>>> 2FA is a solution looking for a problem here.
>>>
>>> I know that’s not a popular view among the more security conscious, but
>>> the reality is that security should be commensurate with what is being
>>> protected. Let users who think their account warrants such additional
>>> measures opt in. Let those of us who feel that our passwords are adequate
>>> continue in that manner.
>>>
>>> Owen
>>>
>>
>> Owen,
>> The problem is that compromised ARIN accounts can result in issues that
>> don't just impact the owner of the account that held those resources.
>> Compromised ARIN accounts with resources can potentially adversely impact
>> us all in terms of upticks in spam and the resulting management burdens, at
>> the very least, and potentially in other (perhaps even thus far unforeseen)
>> ways as well.
>>
>>
>> I disagree… If my ARIN account is compromised, I’m going to get notified
>> of any changes made. (So far, that hasn’t happened). I know exactly where
>> to go to get those changes reverted quickly.
>>
>> My account is associated with resources, but I remain unconvinced that
>> inflicting 2FA on me solves a real problem that actually exists.
>>
>> I do agree with your statement "security should be commensurate with what
>> is being protected." Thus, I would consider that we perhaps continue to
>> allow accounts without control of any resources to continue without
>> requiring 2FA, only requiring it when resources are allocated. An ARIN
>> account with control of nothing, or perhaps just contact records for SWIP'd
>> space, etc, is not one that is a huge hazard to the community at large imho
>> compared to one that controls ASNs or IPv4 and IPv6 resources.
>>
>>
>> Perhaps requiring better (non-dictionary) passwords on accounts that
>> don’t have 2FA would be a solution more targeted at the actual problem.
>>
>> Owen
>>
>> _______________________________________________
>> ARIN-Consult
>> You are receiving this message because you are subscribed to the ARIN
>> Consult Mailing
>> List (ARIN-consult at arin.net).
>> Unsubscribe or manage your mailing list subscription at:
>> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the
>> ARIN Member Services
>> Help Desk at info at arin.net if you experience any issues.
>>
>
>
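The two-track password rule Owen sketches above (word count for all-alpha passphrases, estimated entropy otherwise, with dictionary words detected and discounted) as an added worked example; this is not code from any message in the thread or from ARIN, and the wordlist and thresholds are constructed assumptions.

```python
import math
import re

# Constructed toy wordlist standing in for a real dictionary (assumption: a
# deployment would load a large list such as a system words file).
WORDLIST = {"correct", "horse", "battery", "staple", "password", "summer",
            "arin", "admin", "welcome", "dragon", "monkey", "letmein"}

MIN_PASSPHRASE_WORDS = 4   # "just words (alpha only)": judge by length in words
MIN_ENTROPY_BITS = 60.0    # anything else: judge by estimated entropy


def charset_size(pw: str) -> int:
    """Size of the union of common character classes that pw draws from."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    return sum(n for pat, n in classes if re.search(pat, pw))


def dictionary_hits(pw: str) -> list:
    """Dictionary words (4+ letters) appearing anywhere in pw, case-insensitively."""
    low = pw.lower()
    return sorted(w for w in WORDLIST if len(w) >= 4 and w in low)


def estimate_entropy_bits(pw: str) -> float:
    """Charset-based estimate, except that each dictionary word found is charged
    log2(|WORDLIST|) bits instead of per-character bits, so 'Summer2022!' is
    not credited as eleven random printable characters."""
    hits = dictionary_hits(pw)
    remaining = pw.lower()
    for w in hits:
        remaining = remaining.replace(w, "", 1)
    size = charset_size(pw)
    per_char = math.log2(size) if size else 0.0
    return len(remaining) * per_char + len(hits) * math.log2(len(WORDLIST))


def evaluate(pw: str) -> dict:
    """Passphrases (2+ alphabetic tokens) are judged by word count; all other
    passwords by the dictionary-aware entropy estimate."""
    words = [w for w in re.split(r"[\s\-_]+", pw) if w]
    if len(words) > 1 and all(w.isalpha() for w in words):
        return {"mode": "passphrase", "words": len(words),
                "ok": len(words) >= MIN_PASSPHRASE_WORDS}
    bits = round(estimate_entropy_bits(pw), 1)
    return {"mode": "entropy", "bits": bits, "dictionary_words": dictionary_hits(pw),
            "ok": bits >= MIN_ENTROPY_BITS}


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "correct horse",
                      "Summer2022!", "xK9#mQ2$vL7@"]:
        print(f"{candidate!r}: {evaluate(candidate)}")
```

The point of the dictionary discount is visible in the third candidate: counted as random printable characters it would score over 70 bits, but once "summer" is recognised as a single dictionary choice it drops well below the threshold.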

