[ARIN-consult] increasing 2FA take-up

Owen DeLong owen at delong.com
Thu May 26 00:39:13 EDT 2022 

Reading the status of a ticket can never be harmful. Since ARIN won’t send full-text ticket updates via email, 2FA for that can be rather tedious.

Responding to a ticket can’t be any more harmful than the original intent of the ticket.

Initiating a ticket is a valid target for protection. Other ticket operations should be 2FA optional.

Owen


> On May 25, 2022, at 21:20, Peter Beckman <beckman at angryox.com> wrote:
> 
> Agreed. 2FA should be required when the account protects important assets.
> 
> 2FA should be optional but available for those who wish to further secure
> their account for less important assets.
> 
> This begs the question though -- could opening a ticket with ARIN and
> responding to it cause resource control to change? If so, tickets should
> also be protected.
> 
> Always consider your threat matrix -- if someone could log into the ARIN
> Ticketing System and pretend to be you, could that have huge negative
> impacts on assignments and resources? If so, then 2FA should be mandatory
> there as well.
> 
> Beckman
> 
> On Wed, 25 May 2022, Owen DeLong via ARIN-consult wrote:
> 
>>> We could also make 2FA only mandatory for activities that change resource control (outbound transfers, reassignments, etc.)...
>> 
>> I would support this.
>> 
>> I’m fine if I have to 2FA to do something potentially harmful, but to have to 2FA every time I log in to check the status of a ticket would be less than ideal.
> 
> ---------------------------------------------------------------------------
> Peter Beckman                                                  Internet Guy
> beckman at angryox.com                                https://www.angryox.com/
> ---------------------------------------------------------------------------_______________________________________________
> ARIN-Consult
> You are receiving this message because you are subscribed to the ARIN Consult Mailing
> List (ARIN-consult at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN Member Services
> Help Desk at info at arin.net if you experience any issues.

More information about the ARIN-consult mailing list