[ARIN-consult] Consultation on Expanding 2FA Options for ARIN Online

Chris Woodfield chris at semihuman.com
Tue Jan 24 16:39:21 EST 2023


Would requiring TOTP/FIDO (and not allowing SMS) be more palatable if ARIN were able/willing to furnish YubiKeys (or alternate authenticators) to users free of charge? I don’t know what these cost in bulk nowadays, but it’s probably right on the edge of reasonable for this use case.

Thanks,

-Chris

> On Jan 24, 2023, at 1:31 PM, David Farmer via ARIN-consult <arin-consult at arin.net> wrote:
> 
> 
> 
> On Tue, Jan 24, 2023 at 12:53 PM ARIN <info at arin.net> wrote:
>> 1. Would you support ARIN offering email as an additional 2FA method?
> As mentioned, email is used for password changes; also, allowing it for 2FA is a bad idea.
> 
>> 2. Given that 13% of web user accounts list phone numbers outside the ARIN service region, should we widen the availability of SMS, or are the other offered 2FA options sufficient to meet the needs of these users?
> As SMS has several weaknesses, I prefer that SMS not be allowed at all. Nevertheless, if SMS is allowed, I don't see the point in restricting it to the ARIN service region. Furthermore, it could be more important for those outside the ARIN service region in case of technology restrictions or embargoes on the more secure FIDO or TOTP technologies.
>  
>> 3. We agree that users should be allowed to register multiple hardware security keys. The question is: What is the optimal number of keys that should be allowed to be registered?
> 10 is a reasonable limit. 
> 
> -- 
> ===============================================
> David Farmer               Email: farmer at umn.edu
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota   
> 2218 University Ave SE        Phone: 612-626-0815
> Minneapolis, MN 55414-3029   Cell: 612-812-9952
> ===============================================
