[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts
Richard Laager
rlaager at wiktel.com
Thu May 26 01:17:45 EDT 2022
On 5/25/22 23:53, Owen DeLong via ARIN-consult wrote:
> I’m not always logging in from my desktop. I’m not even always logging in from a machine I generally control.
>
> What’s the support for TOTP from a shared system in, say a Library or a Maker Space? How am I supposed to secure that?

Ideally, you shouldn't be logging into an ARIN account from such a
machine. What sort of real-world scenarios are occurring where you need
to do that, as opposed to just waiting until you're back at a device you
control?

If you log in from a device you don't control, a password alone (no
matter how strong) is vulnerable to replay. While I don't think you
should log in to ARIN at the library, if you do so anyway but use 2FA,
then that replay risk goes away: your account is only exposed while
logged in at that machine. Replay of passwords is _the_ scenario that
2FA is designed to address.

--
Richard
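
The replay point in the message above, as an added example that is not part of the original post and not ARIN's implementation: a small RFC 6238 TOTP verifier in Python that accepts each time step at most once. The `Verifier` class, the sample password and the login time are constructed for illustration; the secret is the published RFC 6238 test key.

```python
import hashlib, hmac, struct

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, now // step)

class Verifier:
    """Hypothetical server-side check: password plus TOTP, one login per time step."""
    def __init__(self, password: str, key: bytes, step: int = 30, drift: int = 1):
        self.password, self.key, self.step, self.drift = password, key, step, drift
        self.last_step = -1  # highest time step already consumed by a login

    def login(self, password: str, code: str, now: int) -> bool:
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            return False
        current = now // self.step
        # Allow +/- drift steps of clock skew, but never a step already used.
        for t in range(current - self.drift, current + self.drift + 1):
            if t > self.last_step and hmac.compare_digest(hotp(self.key, t), code):
                self.last_step = t  # burn this step so the same code cannot be reused
                return True
        return False

def demo() -> dict:
    key = b"12345678901234567890"        # RFC 6238 test secret
    password = "correct horse battery"   # constructed sample password
    server = Verifier(password, key)
    t0 = 1_700_000_000                   # constructed login time on the shared machine
    captured = totp(key, t0)             # what a keylogger on that machine would record
    return {
        "legit": server.login(password, captured, t0),
        "replay_same_window": server.login(password, captured, t0 + 5),
        "replay_later": server.login(password, captured, t0 + 3600),
        "password_only_replay": server.login(password, "", t0 + 3600),
        "owner_later": server.login(password, totp(key, t0 + 3600), t0 + 3600),
    }

if __name__ == "__main__":
    print(demo())
```

The captured password stays valid indefinitely, but the captured code is rejected both within its own 30-second window (the step is already consumed) and afterwards, while the account owner can still log in later with a fresh code.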