[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts
Glen A. Pearce
arin-consult at ve4.ca
Sat May 28 01:22:33 EDT 2022
I would prefer if 2FA is kept optional.
As for why I have chosen to not implement it:
1: It's one more thing that can break.
2: Whatever 2FA is used will be on the same premises as the password so
if someone compromises the premises to obtain the password they would
also gain access to whatever 2FA is being used.
My ARIN password is not a dictionary word, it contains letters and
numbers, it is not used on any other site.
I do not share any password between any sites so credential stuffing
won't work on me. I generate the passwords I use for each site using a
process (that I won't disclose so as to not even give out the slightest
clue). Though now I have a bunch of different passwords for various
things that I can't possibly remember so I can't log into anything away
from my premises anyways.
To get my passwords for anything someone would have to:
A: Figure out where my premises is (which due to my use of a P.O. Box
and some other measures is harder), break in through 2 doors (with alarm
going off once they get through the first one) on the rare occasions I'm
not here (pandemic keeping me from going out any more than needed and
working from home at my "other" job apparently has a security benefit),
figure out how and where the password is stored once in.
B: Same as above but when I'm here forcing me under threat of violence
to log into my ARIN account.
C: Kidnapping me while I'm elsewhere (picking up snail mail from the
P.O. Box?) at which point they would have to force me to take them back
to the premises to log into my ARIN account. (As mentioned above I
literally can't remember my password so I can't log in from anywhere
else no matter how much they try to make me.)
In situation A, intruder traps, or in situation B or C, me acquiring a firearm,
would both be effective at further securing my ARIN account (as a side
effect of further securing my person and premises) while any 2FA would
not be. That said although IP space is valuable I don't think we are
anywhere near people being kidnapped over it, especially a /24 that
isn't eligible for a specified transfer for another 3 years.
--
Glen A. Pearce
gap at ve4.ca
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees
http://www.ve4.ca
ARIN Handle VET-17