[ARIN-consult] [ARIN-Consult] Consultation on Expanding 2FA Options for ARIN Online

Richard Laager rlaager at wiktel.com
Tue Jan 24 18:00:08 EST 2023


On 1/24/23 15:40, Adam Thompson wrote:
> The goal should be to add the minimum increment of security that 
> satisfies the business objective.  Unfortunately, the business 
> objective here seems to have been “add 2FA” which is a technical 
> objective, not a business objective.

2FA is a business objective these days. If you don't use 2FA for email, 
VPN, and Domain Admin access, you are basically uninsurable for cyber 
risk right now (and have been for a year or more). I can't speak to 
exactly what underwriters would require of ARIN for ARIN's own services, 
so maybe this isn't a hard requirement today, but it's not unreasonable 
to think that it might be now or in the near future.


> Just enforcing password length > 20 would have increased security 
> without needing 2FA. (Obviously not increased **enough** to satisfy 
> everyone, but my statement stands.)
>
A (the?) major goal of 2FA is to make it so that if your password is 
compromised, the attacker still cannot authenticate as you. No amount of 
password length or complexity helps with that.

In the typical corporate example... If I get your corporate password, 
without 2FA, I can log in as you to every server / network device / 
whatever. With 2FA required, I can't log in to anything (without also 
compromising your second factor). In other words, 2FA contains the 
initial breach, rather than letting the attacker run wild through the 
whole infrastructure. Requiring a unique password for every single 
device would accomplish the same thing without 2FA, but 1) that's not 
practical to enforce, and 2) that's worse for usability. So 2FA it is.


As to your particular troubles with breaking/losing authenticators... 
Get something like 1Password, set it up on multiple devices (which 
you're surely going to do anyway: phone, computer, etc.), and store your 
ARIN TOTP 2FA in there. You'll improve both security and convenience.

-- 
Richard