[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Owen DeLong owen at delong.com
Sun May 29 19:43:50 EDT 2022

> On May 25, 2022, at 22:17, Richard Laager <rlaager at wiktel.com> wrote:
> On 5/25/22 23:53, Owen DeLong via ARIN-consult wrote:
>> I’m not always logging in from my desktop. I’m not even always logging in from a machine I generally control.
>> What’s the support for TOTP from a shared system in, say a Library or a Maker Space? How am I supposed to secure that?
> Ideally, you shouldn't be logging into an ARIN account from such a machine. What sort of real world scenarios are occurring where you need to do that, as opposed to just wait until you're back at a device you control?

On-call consulting work.

> If you login from a device you don't control, a password alone (no matter how strong) is vulnerable to replay. While I don't think you should login to ARIN at the library, if you do so anyway but use 2FA, then that replay risk goes away: your account is only exposed while logged in at that machine. Replay of passwords is _the_ scenario that 2FA is designed to address.

It’s only vulnerable to replay until it is changed. When I’m faced with such a situation, I’m smart enough to change it once I am able to use a machine I control to do so. The odds of a replay attack in the time that takes are relatively small. The odds of the replay attack causing significant damage given ARIN ticket turnaround times are even smaller.


More information about the ARIN-consult mailing list