[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Peter Beckman beckman at angryox.com
Thu May 26 00:34:16 EDT 2022


On Wed, 25 May 2022, Owen DeLong via ARIN-consult wrote:

> The added overhead is small if you are in an office with your cell phone
> handy.
>
> It’s less convenient if your cell phone isn’t handy (for a variety of
> reasons), and you’re trying to do something quickly without having to
> retrieve said phone.

  What exactly are you using then to log into ARIN?!?

  You do NOT need a mobile phone to use TOTP 2FA.

  I use 1Password on my Desktop all day long, and the same TOTP 2FA code
  generated on my desktop is the same TOTP 2FA code that is generated on my
  mobile phone.

  Watch how easy it is to add a new TOTP 2FA to 1Password.
  https://www.youtube.com/watch?v=lT-bPrkT4ds

  I am feeling like you aren't hearing that TOTP 2FA has support for
  practically ALL COMPUTERS: Linux, Windows, MacOS, IOS, Android,
  Javascript/Web.

  There is also GitHub project code for running TOTP 2FA on a TI-83
  calculator. https://github.com/jshin313/ti-authenticator


>> Perhaps requiring better (non-dictionary) passwords on accounts that don’t have 2FA would be a solution more targeted at the actual problem.
>>  How would ARIN judge the complexity of a password? As far as I'm aware, checking if it uses dictionary words is non-trivial. And even then, a sufficiently long passphrase using dictionary words is pretty secure (vs a short one) - I don't think it makes sense to penalize users for that.
>
> Yes, sufficient length if just words (alpha only), or sufficient entropy if not long.
>
> Checking for dictionary words isn’t completely trivial, but it’s not particularly computationally difficult, either.
>
> Plenty of sites manage to do this.

  This does not solve the problem if the account and password are disclosed
  in a breach, and someone is re-using passwords on ARIN and elsewhere. 2FA
  prevents the disclosure of account creds from giving an unauthorized 3rd
  party access to other/any accounts.

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                https://www.angryox.com/
---------------------------------------------------------------------------