[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

[Owen DeLong]

> On May 25, 2022, at 22:17, Richard Laager <rlaager at wiktel.com> wrote:
> 
> On 5/25/22 23:53, Owen DeLong via ARIN-consult wrote:
>> I’m not always logging in from my desktop. I’m not even always logging in from a machine I generally control.
>> What’s the support for TOTP from a shared system in, say a Library or a Maker Space? How am I supposed to secure that?
> 
> Ideally, you shouldn't be logging into an ARIN account from such a machine. What sort of real world scenarios are occurring where you need to do that, as opposed to just wait until you're back at a device you control?

On-call consulting work.

> If you login from a device you don't control, a password alone (no matter how strong) is vulnerable to replay. While I don't think you should login to ARIN at the library, if you do so anyway but use 2FA, then that replay risk goes away: your account is only exposed while logged in at that machine. Replay of passwords is _the_ scenario that 2FA is designed to address.

It’s only vulnerable to replay until it is changed. When I’m faced with such a situation, I’m smart enough to change it once I am able to use a machine I control to do so. The odds of a replay attack in the time that takes are relatively small. The odds of the replay attack causing significant damage given ARIN ticket turnaround times are even smaller.



Owen