[ARIN-consult] increasing 2FA take-up
Owen DeLong
owen at delong.com
Thu May 26 00:39:13 EDT 2022
Reading the status of a ticket can never be harmful. Since ARIN won’t send full-text ticket updates via email, 2FA for that can be rather tedious.
Responding to a ticket can’t be any more harmful than the original intent of the ticket.
Initiating a ticket is a valid target for protection. Other ticket operations should be 2FA optional.
Owen
> On May 25, 2022, at 21:20, Peter Beckman <beckman at angryox.com> wrote:
>
> Agreed. 2FA should be required when the account protects important assets.
>
> 2FA should be optional but available for those who wish to further secure
> their account for less important assets.
>
> This begs the question though -- could opening a ticket with ARIN and
> responding to it cause resource control to change? If so, tickets should
> also be protected.
>
> Always consider your threat matrix -- if someone could log into the ARIN
> Ticketing System and pretend to be you, could that have huge negative
> impacts on assignments and resources? If so, then 2FA should be mandatory
> there as well.
>
> Beckman
>
> On Wed, 25 May 2022, Owen DeLong via ARIN-consult wrote:
>
>>> We could also make 2FA only mandatory for activities that change resource control (outbound transfers, reassignments, etc.)...
>>
>> I would support this.
>>
>> I’m fine if I have to 2FA to do something potentially harmful, but to have to 2FA every time I log in to check the status of a ticket would be less than ideal.
>
> ---------------------------------------------------------------------------
> Peter Beckman Internet Guy
> beckman at angryox.com https://www.angryox.com/
> ---------------------------------------------------------------------------