[ARIN-consult] [ARIN-Consult] Consultation on Expanding 2FA Options for ARIN Online
Richard Laager
rlaager at wiktel.com
Tue Jan 24 18:00:08 EST 2023
On 1/24/23 15:40, Adam Thompson wrote:
> The goal should be to add the minimum increment of security that
> satisfies the business objective. Unfortunately, the business
> objective here seems to have been “add 2FA” which is a technical
> objective, not a business objective.
2FA is a business objective these days. If you don't use 2FA for email,
VPN, and Domain Admin access, you are basically uninsurable for cyber
risk right now (and have been for a year or more). I can't speak to
exactly what underwriters would require of ARIN for ARIN's own services,
so maybe this isn't a hard requirement today, but it's not unreasonable
to think that it might be now or in the near future.
> Just enforcing password length > 20 would have increased security
> without needing 2FA. (Obviously not increased **enough** to satisfy
> everyone, but my statement stands.)
>
A (the?) major goal of 2FA is to make it so that if your password is
compromised, the attacker still cannot authenticate as you. No amount of
password length or complexity helps with that.
In the typical corporate example... If I get your corporate password,
without 2FA, I can login as you to every server / network device /
whatever. With 2FA required, I can't login to anything (without also
compromising your second factor). In other words, 2FA contains the
initial breach, rather than letting the attacker run wild through the
whole infrastructure. Requiring a unique password for every single
device would accomplish the same thing without 2FA, but 1) that's not
practical to enforce, and 2) that's worse for usability. So 2FA it is.
As to your particular troubles with breaking/losing authenticators...
Get something like 1Password, set it up on multiple devices (which
you're surely going to do anyway: phone, computer, etc.), and store your
ARIN TOTP 2FA in there. You'll improve both security and convenience.
--
Richard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-consult/attachments/20230124/191db835/attachment-0001.htm>
More information about the ARIN-consult
mailing list