[ARIN-consult] Suggestions 2022.28 and 2022.29 (MFA)
Roman Tatarnikov
roman at intlos.org
Mon Nov 7 18:12:11 EST 2022
Hi everyone.
> Description: Allow email for 2FA (two factor authentication) for accessing an ARIN account.
This feels unnecessary. If the company does not provide a personal phone, it is still possible to use TOTP. Whether a personal password manager is used (such as KeePass or Bitwarden) or the company provides the employee with a password manager (LastPass comes to mind), they all support TOTP, and the majority of them can work through a web browser. So the employee is not obligated to use a personal device for company issues.
Also, within the last couple of months, I remember reading an interesting story on NANOG or RISKS. Essentially, the police emailed a school that their employee was known to have an interest in minors. The school never received the email, and that guy worked there for a year and a half after this notification. Bottom line is: email does not guarantee proper delivery, or the identity of the person who is supposed to receive the email. And with three different MFA options, adding a fourth one that will likely not be used seems excessive.
> Description: Enable non-ARIN mobile numbers for SMS 2-factor authentication
That is a good one. With how open our world is, it's possible that someone could move out of the ARIN region and work remotely for the company that is still doing business inside that region.
--
Roman V Tatarnikov | https://linkedin.com/in/rtatarnikov