[ARIN-consult] Consultation on Expanding 2FA Options for ARIN Online
Richard Laager
rlaager at wiktel.com
Tue Jan 24 20:15:55 EST 2023
On 1/24/23 12:53, ARIN wrote:
> 1. Would you support ARIN offering email as an additional 2FA method?

No. As mentioned, if email can reset the password, then it's really only
one factor. Even non-technical users should be able to use something
else, like SMS.

> 2. Given that 13% of web user accounts list phone numbers outside the ARIN service region, should we widen the availability of SMS, or are the other offered 2FA options sufficient to meet the needs of these users?

While I could be persuaded otherwise, my gut feeling is "no". Saying
"yes" feels like opening a can of worms. Is ARIN going to make some
determination country-by-country as to whether their SMS security is
good enough?

I realize this does mean that people outside of the ARIN region are
forced into using the more complicated methods. I'm guessing (but it is
just a guess) that organizations with people administering resources
outside of their local region are likely more sophisticated anyway.

David Farmer mentioned "technology restrictions or embargos on the more
secure FIDO or TOTP technologies". Is that actually a thing? I don't
think that should be a consideration if it's only hypothetical.

I would like to see 2FA required. (It's still optional today, I assume.)

If I'm forced to choose between:

A) Allow worldwide SMS. Require 2FA for everyone.
B) Disallow worldwide SMS. Do not require 2FA for everyone.

I might be more inclined to pick A.

> 3. We agree that users should be allowed to register multiple hardware security keys. The question is: What is the optimal number of keys that should be allowed to be registered?

Absolutely not less than two. You need two for rollover and may want two
for backup. Three or four seems like a more reasonable minimum. Nine or
ten seems like a reasonable maximum, such that ARIN's developers can at
least occasionally test that scenario.

--
Richard