[ARIN-consult] Consultation on Expanding 2FA Options for ARIN Online
Roman Tatarnikov
roman at intlos.org
Tue Jan 24 17:50:26 EST 2023
On Tue, Jan 24, 2023 at 01:39:21PM -0800, Chris Woodfield wrote:
> Would requiring TOTP/FIDO (and not allowing SMS) be more palatable if ARIN were able/willing to furnish yubikeys (or alternate authenticators) to users free of charge? I don’t know what these cost in bulk nowadays, but it’s probably right on the edge of reasonable for this use case.
TOTP itself does not require hardware. It's always possible to use LastPass or some other password manager (the open source https://keepassxc.org/ is great). So it can be completely free, or the organization can cover the cost of hardware keys. No need for ARIN to pick up the bill.
Looking at the emails in this thread, everyone says how insecure the SMS and email options are. I agree completely, but what's important to keep in mind is why those options are provided by different providers. Google, MS, banks, etc. are aimed at a wide audience that may not necessarily be tech-savvy. People who manage important and highly confidential information should have no problem using a password manager. Providing SMS, email or other insecure options to people who manage such records (aka anyone with an ARIN account), just because they are "not tech savvy", is a poor excuse. Yes, we have to think of the community, but holding back said community from advancement is a disservice to the very group we're talking about.
I think TOTP, U2F and FIDO2 are great protocols for supporting 2FA. What we need to do as a community is ensure that there are articles, manuals, and guides on how those can be used and why. This way, all members of our community, both those who are and those who are not familiar with these options, can advance. And we should also make sure to promote and educate those around us.
--
Roman V Tatarnikov | https://linkedin.com/in/rtatarnikov
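The point above that TOTP needs no hardware follows from what the algorithm actually is: RFC 6238 TOTP is RFC 4226 HOTP with the counter set to floor(unix_time / 30), i.e. one HMAC over an 8-byte counter plus a truncation, which any password manager or a few lines of script can compute. The following is an added example written for this page, not code from the original post or from ARIN; it implements both RFCs from the standard library, decodes the Base32 secret format used in otpauth:// QR codes, and adds a server-side check with a one-step drift window and a constant-time comparison. The only constant it relies on is the RFC's own published test secret, so the results can be checked against the RFC's test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Reference secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# Used only so the output can be compared with the RFCs' published test vectors;
# a real enrolment would use a random secret generated by the service.
RFC6238_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, 8-byte big-endian counter), dynamically truncated
    to `digits` decimal digits, left-padded with zeros."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods
    elapsed since the Unix epoch. Nothing here needs a hardware token."""
    return hotp(secret, unix_time // step, digits, algorithm)


def totp_from_base32(b32_secret: str, unix_time=None, **kw) -> str:
    """Generate a code from the Base32 secret as it appears in an otpauth:// URI
    or QR code (often shown in lowercase or space-grouped, with padding dropped)."""
    normalized = b32_secret.strip().replace(" ", "").upper()
    normalized += "=" * (-len(normalized) % 8)   # restore stripped '=' padding
    secret = base64.b32decode(normalized)
    if unix_time is None:
        unix_time = int(time.time())
    return totp(secret, unix_time, **kw)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check. Accepts the code for the current step and `window` steps
    on either side to tolerate small clock drift between client and server, and
    compares in constant time so a timing side channel cannot leak matching digits."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B vectors (8 digits, SHA-1) for the reference secret.
    for t in (59, 1111111109, 1111111111, 1234567890, 2000000000, 20000000000):
        print(t, totp(RFC6238_SECRET, t, digits=8))
    print("current 6-digit code:", totp(RFC6238_SECRET, int(time.time())))
```

The verification window is the practical caveat: a window of one step means a code stays valid for up to about 90 seconds, which is the usual trade-off between tolerating phone clock drift and limiting the time an intercepted code can be replayed. A server should also refuse to accept the same counter value twice for a given user.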