[ARIN-consult] Consultation on Expanding 2FA Options for ARIN Online

Michael Richardson mcr at sandelman.ca
Tue Jan 24 17:14:09 EST 2023


Ross Tajvar captured all my opinions.
I was going to say "5" keys, but any number O(10) is fine.

top-quoting all his points.

I went through the phone authentication process when my phone suddenly
crapped out.  Very frustrating that this is *not* backed up ever.
I still prefer TOTP over anything else.

At the time, ARIN was my only TOTP 2FA present, so it wasn't too bad.
I have since taken to *printing* every initialization QR code and putting
that in my safe.  I feel confident that my printer is too stupid to retain
the pages, but I'll bet this is a really bad idea in an enterprise
environment, where the printers are likely the weakest link in security.

I've since learnt that the Google Authenticator APP can *share* a QR code
with *all* of your TOTP settings... It's a huge QR image and it's unclear
how/where to save it, but...

Ross Tajvar <ross at tajvar.io> wrote:
    >> 1. Would you support ARIN offering email as an additional 2FA method?

    > *No.* Email can be used to reset one's password. If it's used for one-time
    > login codes as well, that's only one authentication factor. An email
    > compromise could therefore easily result in account takeover, which defeats
    > the purpose of 2FA.

    >> 2. Given that 13% of web user accounts list phone numbers outside the
    >> ARIN service region, should we widen the availability of SMS, or are the
    >> other offered 2FA options sufficient to meet the needs of these users?

    > I am against SMS 2FA being offered as an option at all, so I'm ambivalent
    > about this.

    >> 3. We agree that users should be allowed to register multiple hardware
    >> security keys. The question is: What is the optimal number of keys that
    >> should be allowed to be registered?

    > I can't see someone reasonably needing to register more than a handful, but
    > I also don't think there's a good reason to set a low limit. I think 10 is
    > a reasonable upper bound.
