[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

[Richard Laager]

On 5/25/22 23:53, Owen DeLong via ARIN-consult wrote:
> I’m not always logging in from my desktop. I’m not even always logging in from a machine I generally control.
> 
> What’s the support for TOTP from a shared system in, say a Library or a Maker Space? How am I supposed to secure that?

Ideally, you shouldn't be logging into an ARIN account from such a 
machine. What sort of real world scenarios are occurring where you need 
to do that, as opposed to just wait until you're back at a device you 
control?

If you login from a device you don't control, a password alone (no 
matter how strong) is vulnerable to replay. While I don't think you 
should login to ARIN at the library, if you do so anyway but use 2FA, 
then that replay risk goes away: your account is only exposed while 
logged in at that machine. Replay of passwords is _the_ scenario that 
2FA is designed to address.

-- 
Richard