[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Peter Beckman beckman at angryox.com
Tue May 31 00:35:08 EDT 2022


On Sun, 29 May 2022, Owen DeLong via ARIN-consult wrote:

>> Ideally, you shouldn't be logging into an ARIN account from such a machine. What sort of real world scenarios are occurring where you need to do that, as opposed to just wait until you're back at a device you control?
>
> On-call consulting work.

  And you are unable to bring your own laptop or other personal device to
  this on-call consulting work, where you can use their computers and their
  Internet access but you cannot use your own?

>> If you login from a device you don't control, a password alone (no
>> matter how strong) is vulnerable to replay. While I don't think you
>> should login to ARIN at the library, if you do so anyway but use 2FA,
>> then that replay risk goes away: your account is only exposed while
>> logged in at that machine. Replay of passwords is _the_ scenario that
>> 2FA is designed to address.
>
> It’s only vulnerable to replay until it is changed. When I’m faced with
> such a situation, I’m smart enough to change it once I am able to use a
> machine I control to do so. The odds of a replay attack in the time that
> takes are relatively small. The odds of the replay attack causing
> significant damage given ARIN ticket turnaround times are even smaller.

  Sure, the odds are pretty low that ARIN members wouldn't understand good
  security practices or get phished, yet it happens, often enough for ARIN
  to consider taking steps to reduce those odds further.

  It's all theoretical to someone until it happens to them. At that point,
  the odds are no longer too small to make no changes.

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                https://www.angryox.com/
---------------------------------------------------------------------------


More information about the ARIN-consult mailing list