[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Glen A. Pearce arin-consult at ve4.ca
Sat May 28 01:22:33 EDT 2022

I would prefer if 2FA is kept optional.

As for why I have chosen to not implement it:

1: It's one more thing that can break.
2: Whatever 2FA is used will be on the same premises as the password so 
if someone compromises the premises to obtain the password they would 
also gain access to whatever 2FA is being used.

My ARIN password is not a dictionary word, it contains letters and 
numbers , it is not used on any other site.

I do not share any password between any sites so credential stuffing 
won't work on me.  I generate the passwords I use for each site using a 
process (that I won't disclose so as to not even give out the slightest 
clue).  Though now I have a bunch of different password for various 
things that I can't possibly remember so I can't log into anything away 
from my premises anyways.

To get my passwords for anything someone would have to:

A: Figure out where my premises is (which due to my use of a P.O. Box 
and some other measures is harder), break in through 2 doors (with alarm 
going off once they get through the first one) on the rare occasions I'm 
not here (pandemic keeping me from going out any more than needed and 
working from home at my "other" job apparently has a security benefit), 
figure out how and where the password is stored once in.
B: Same as above but when I'm here forcing me under threat of violence 
to log into my ARIN account.
C: Kidnapping me while I'm elsewhere (picking up snail mail from the 
P.O.Box?) at which point they would have to force me to take them back 
to the premises to log into my ARIN account. (As mentioned above I 
literally can't remember my password so I can't log in from anywhere 
else no matter how much they try to make me.)

In situation A intruder traps or situation B or C me acquiring a firearm 
would both be effective at further securing my ARIN account (as a side 
effect of further securing my person and premises) while any 2FA would 
not be.  That said although IP space is valuable I don't think we are 
anywhere near people being kidnapped over it, especially a /24 that 
isn't eligible for a specified transfer for another 3 years.

Glen A. Pearce
gap at ve4.ca
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees
ARIN Handle VET-17

More information about the ARIN-consult mailing list