[ARIN-consult] Consultation on Expanding 2FA Options for ARIN Online
Michael Richardson
mcr at sandelman.ca
Tue Jan 24 17:14:09 EST 2023
Ross Tajvar captured all my opinions.
I was going to say "5" keys, but any number O(10) is fine.
top-quoting all his points.
I went through the phone authentication process when my phone suddenly
crapped out. Very frustrating that this is *not* backed up ever.
I still prefer TOTP over anything else.
At the time, ARIN was my only TOTP 2FA present, so it wasn't too bad.
I have since taken to *printing* every initialization QR code and putting
that in my safe. I feel confident that my printer is too stupid to retain
the pages, but I'll bet this is a really bad idea in an enterprise
environment, where the printers are likely the weakest link in security.
I've since learnt that the Google Authenticator app can *share* a QR code
with *all* of your TOTP settings... It's a huge QR image and it's unclear
how/where to save it, but...
Ross Tajvar <ross at tajvar.io> wrote:
>> 1. Would you support ARIN offering email as an additional 2FA method?
> *No.* Email can be used to reset one's password. If it's used for one-time
> login codes as well, that's only one authentication factor. An email
> compromise could therefore easily result in account takeover, which defeats
> the purpose of 2FA.
>> 2. Given that 13% of web user accounts list phone numbers outside the
>> ARIN service region, should we widen the availability of SMS, or are the
>> other offered 2FA options sufficient to meet the needs of these users?
> I am against SMS 2FA being offered as an option at all, so I'm ambivalent
> about this.
>> 3. We agree that users should be allowed to register multiple hardware
>> security keys. The question is: What is the optimal number of keys that
>> should be allowed to be registered?
> I can't see someone reasonably needing to register more than a handful, but
> I also don't think there's a good reason to set a low limit. I think 10 is
> a reasonable upper bound.