[ARIN-consult] Consultation on Expanding 2FA Options for ARIN Online

Glen A. Pearce arin-consult at ve4.ca
Wed Jan 25 06:45:20 EST 2023 

On 24/01/2023 12:53 p.m., ARIN wrote
> We are seeking community feedback on these suggestions as well as additional input on our 2FA options. Specifically:
>
> 1. Would you support ARIN offering email as an additional 2FA method?

Yes, giving people more choices is better.  As I said in the previous 
consultation I would have
preferred if 2FA hadn't been made mandatory but if it is anything that 
makes it easier should
one of the other methods not work the better.

When I had went to add SMS as my 2FA early this month neither of the 
numbers I submitted
(each with different providers) got the test messages initially. When I 
submitted a ticket about
the issue the initial response I got was an obvious boiler plate answer, 
it contained phrasing
like "Please note that ARIN only supports SMS inside our region" but 
both numbers I tried
were Canadian numbers.  (Being that Canada is the largest country in the 
ARIN region we
should be hard to miss. ^_-)

Since it looked like the problem was not going to be fixed based on that 
response, I sent a
reply asking if new activations of the voice call authentication be 
available before the Feb. 1
deadline or if they are not will the deadline be extended until after it 
has been restored.

5 days later I finally got contacted back saying that you had some 
configuration issues at
your end and to try SMS again.  Everything works now but having those 
issues sending
SMS that close to a deadline I have no control of at my end was a bit 
concerning.
Concerning enough that I ordered a Yubikey just in case it wasn't fixed 
(as it would take
time to arrive here in the mail), that got shipped earlier the day ARIN 
replied to me so
it was too late to cancel the order for it.  So now I've got a Yubikey 
that I really didn't
have to order currently sitting in my "mail quarantine" area.

At this point I'm not sure if I should at some point switch to using the 
Yubikey since I
have it now anyway or if it should be put aside in case it's needed for 
something else
at some point or if it should be sold.

As for people hijacking SMS messages, I used a lesser known number out 
of my available
choices so somebody wouldn't even know what number they need to hijack 
or from
which provider.
> 2. Given that 13% of web user accounts list phone numbers outside the ARIN service region, should we widen the availability of SMS, or are the other offered 2FA options sufficient to meet the needs of these users?
If E-mail is allowed to be used for 2FA that might not be needed but if 
it is not I might
encourage SMS coverage to be expanded to anywhere that it is feasible to 
do so.
> 3. We agree that users should be allowed to register multiple hardware security keys. The question is: What is the optimal number of keys that should be allowed to be registered?
Not sure what the hard limit should be but allowing multiple keys for 
those that choose
that option would be a good idea as even very small organizations would 
probably
want to have more that one locked up at more than one location for 
disaster recovery
situations.
> The feedback you provide during this consultation will help us decide the path forward regarding our 2FA options for ARIN Online. Thank you for your participation in the ARIN Consultation and Suggestion Process.
>
> Please provide comments to arin-consult at arin.net. You can subscribe to this mailing list at: https://lists.arin.net/mailman/listinfo/arin-consult
>
> This consultation will remain open through 5:00 PM ET on 7 February 2023.
>
> Regards,
>
> John Curran
> President and CEO
> American Registry for Internet Numbers (ARIN)
>
> Helpful Resources:
>
> Consultation: https://www.arin.net/participate/community/acsp/consultations/2023/2023-1/
> Two-Factor Authentication at ARIN: https://arin.net/2FA
>
>
> _______________________________________________
> ARIN-Consult
> You are receiving this message because you are subscribed to the ARIN Consult Mailing
> List (ARIN-consult at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN Member Services
> Help Desk at info at arin.net if you experience any issues.

-- 
Glen A. Pearce
gap at ve4.ca
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees
http://www.ve4.ca
ARIN Handle VET-17

More information about the ARIN-consult mailing list