[ARIN-consult] Consultation on Expanding 2FA Options for ARIN Online

Raymond Burkholder ray at oneunified.net
Tue Jan 24 20:25:49 EST 2023



On 1/24/23 11:53, ARIN wrote:
> On 1 November 2022, ARIN announced that we will require two-factor authentication (2FA) on all ARIN Online accounts beginning 1 February 2023. ARIN currently has three options for customers to set up 2FA on their ARIN Online accounts:
>
> - Time-based One-time Password (TOTP) using an authenticator of your choice
> - Short Message Service (SMS) for customers within the ARIN service region
> - FIDO2/Passkey-enabled Security Key
>
> Please note: Voice 2FA is not currently available for new 2FA activations; it is still available to those customers who already have that method set up on their accounts.
>
> Following the announcement of the planned enforcement date of 1 February 2023, we received several suggestions for further expansion of our authentication offerings, including:
>
> - Allowing email as an authentication method
> - Enabling SMS support for customers who reside outside of the ARIN service region
> - Allowing registration of multiple hardware security keys.
>
> We are seeking community feedback on these suggestions as well as additional input on our 2FA options. Specifically:
Flexibility is good.  I may or may not have a phone.  I may have left my 
key ring somewhere.   I may not have access to email.

>
> 1. Would you support ARIN offering email as an additional 2FA method?

It would be my preferred mechanism.  My email is hosted by my org so I 
classify it as rather safe, and less of a risk.  For those with email 
hosted on a public facility of some sort, perhaps the risk is higher.

So... who gets to define the risk for any of the options provided? Is it 
a risk managed by the user on an individual basis, or is it a risk taken 
on by ARIN?  What does ARIN perceive as a risk?  Are they seeing any 
particular method as having more risk for account access than any other?

Credit card companies and banks seem to accept email and SMS as suitable 
propositions.

In addition, some will do a follow-up with one or more personally 
identified question/answer exchanges for further verification.

>
> 2. Given that 13% of web user accounts list phone numbers outside the ARIN service region, should we widen the availability of SMS, or are the other offered 2FA options sufficient to meet the needs of these users?

Are there extra costs for the widened availability of SMS?  If I happen 
to be roaming in a country away from my home base, it would be helpful 
to sometimes have SMS as an alternative to my email.  Or even a voice 
call interaction.

>
> 3. We agree that users should be allowed to register multiple hardware security keys. The question is: What is the optimal number of keys that should be allowed to be registered?

Maybe start implementation and see how the system is used or abused, and 
then establish from an evidence-based scenario?

>
> The feedback you provide during this consultation will help us decide the path forward regarding our 2FA options for ARIN Online. Thank you for your participation in the ARIN Consultation and Suggestion Process.
>
> Please provide comments to arin-consult at arin.net. You can subscribe to this mailing list at: https://lists.arin.net/mailman/listinfo/arin-consult
>
> This consultation will remain open through 5:00 PM ET on 7 February 2023.
>
> Regards,
>
> John Curran
> President and CEO
> American Registry for Internet Numbers (ARIN)
>
> Helpful Resources:
>
> Consultation: https://www.arin.net/participate/community/acsp/consultations/2023/2023-1/
> Two-Factor Authentication at ARIN: https://arin.net/2FA
>
>


