[ARIN-consult] Consultation on Expanding 2FA Options for ARIN Online

Joey White Joey.White at bcbsks.com
Wed Jan 25 13:46:13 EST 2023


1. Would you support ARIN offering email as an additional 2FA method?
No. Email is an account you enable with 2FA, not the method of accomplishing 2FA.
https://www.cisa.gov/mfa
https://www.hsph.harvard.edu/information-technology/2022/10/03/october-is-cybersecurity-month-week-1/

2. Given that 13% of web user accounts list phone numbers outside the ARIN service region, should we widen the availability of SMS, or are the other offered 2FA options sufficient to meet the needs of these users?
No, do not widen the availability of SMS. SMS is on a downward trend in the industry.
https://www.cisa.gov/blog/2022/10/18/next-level-mfa-fido-authentication

3. We agree that users should be allowed to register multiple hardware security keys. The question is: What is the optimal number of keys that should be allowed to be registered?
Anything more than one. Two is sufficient, but do not set that as the max value. The expectation is the identity provider (IdP) product will define the max value.
https://www.yubico.com/spare/


Thank you,

Joey White
Security Architect
Blue Cross and Blue Shield of Kansas
p: 785-291-6471 | w: bcbsks.com
