[ARIN-consult] Consultation on Expanding 2FA Options for ARIN Online

Richard Laager rlaager at wiktel.com
Tue Jan 24 20:15:55 EST 2023


On 1/24/23 12:53, ARIN wrote:
> 1. Would you support ARIN offering email as an additional 2FA method?

No. As mentioned, if email can reset the password, then it's really only 
one factor. Even non-technical users should be able to use something 
else, like SMS.

> 2. Given that 13% of web user accounts list phone numbers outside the ARIN service region, should we widen the availability of SMS, or are the other offered 2FA options sufficient to meet the needs of these users?

While I could be persuaded otherwise, my gut feeling is "no". Saying 
"yes" feels like opening a can of worms. Is ARIN going to make some 
determination country-by-country as to whether their SMS security is 
good enough?

I realize this does mean that people outside of the ARIN region are 
forced into using the more complicated methods. I'm guessing (but it is 
just a guess) that organizations with people administering resources 
outside of their local region are likely more sophisticated anyway.

David Farmer mentioned "technology restrictions or embargos on the more 
secure FIDO or TOTP technologies". Is that actually a thing? I don't 
think that should be a consideration if it's only hypothetical.

I would like to see 2FA required. (It's still optional today, I assume.) 
If I'm forced to choose between:
   A) Allow worldwide SMS. Require 2FA for everyone.
   B) Disallow worldwide SMS. Do not require 2FA for everyone.
I might be more inclined to pick A.

> 3. We agree that users should be allowed to register multiple hardware security keys. The question is: What is the optimal number of keys that should be allowed to be registered?

Absolutely not less than two. You need two for rollover and may want two 
for backup. Three or four seems like a more reasonable minimum. Nine or 
ten seems like a reasonable maximum, such that ARIN's developers can at 
least occasionally test that scenario.

-- 
Richard
