<div dir="ltr">Implementation of 2FA/MFA should fully support multiple authenticator manufacturers (Google, MS, RSA, DUO, etc.).<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 16, 2020 at 9:25 AM Michael Richardson <<a href="mailto:mcr@sandelman.ca">mcr@sandelman.ca</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
ARIN <<a href="mailto:info@arin.net" target="_blank">info@arin.net</a>> wrote:<br>
> These suggestions include:<br>
<br>
> * 2017.1: Two-factor functionality improvement:<br>
> <a href="https://www.arin.net/participate/community/acsp/suggestions/2017-1/" rel="noreferrer" target="_blank">https://www.arin.net/participate/community/acsp/suggestions/2017-1/</a><br>
<br>
I would find remember this browser for 30 useful.<br>
I would like to know which browsers have this enabled, and be able to clear it.<br>
<br>
> * 2018.22: Align ARIN password policy with current NIST SP800-63<br>
> recommendations:<br>
> <a href="https://www.arin.net/participate/community/acsp/suggestions/2018-22/" rel="noreferrer" target="_blank">https://www.arin.net/participate/community/acsp/suggestions/2018-22/</a><br>
<br>
YES, YES, YES! PLEASE.<br>
<br>
> * 2019.14: Implement FIDO2 (WebAuthn) for ARIN Online:<br>
> <a href="https://www.arin.net/participate/community/acsp/suggestions/2019-14/" rel="noreferrer" target="_blank">https://www.arin.net/participate/community/acsp/suggestions/2019-14/</a><br>
<br>
This is a very good idea. Please go in this direction.<br>
<br>
> Based on this community input as well as suggestions received through<br>
> other channels, we are opening a consultation to solicit feedback on a<br>
> number of potential security improvements that are under consideration.<br>
> We are specifically interested in your thoughts on a number of specific<br>
> suggestions, listed below:<br>
<br>
> * ARIN uses challenge questions to verify users who are seeking to<br>
> restore access to their ARIN Online user account and to complete other<br>
> actions. It has been suggested that we eliminate the use of challenge<br>
> questions for customer account verification in favor of other security<br>
> measures.<br>
<br>
I'm unclear what the other security measures would be.<br>
<br>
> * Utilizing a personal passcode and/or SMS push codes to a mobile<br>
> device for password resets and other account actions<br>
<br>
I'm unclear if this is intended to be one of them?<br>
I'm unclear if a personal passcode is something that would be in cleartext in<br>
the database, like the idiots at the banks do.<br>
<br>
> * Requiring the use of Two-factor Authentication (2FA) on all<br>
> accounts, or allowing Admin Points of Contact (POCs) to control<br>
> permissions on access to their Organization Records to only allow access<br>
> from associated POCs who have 2FA on their user accounts<br>
<br>
I think start with "allowing", even "encouraging"<br>
Maybe even "encouraging" by eventually charging a premium if you don't have it.<br>
Also, it would be good to mark PoCs that do not have it in a public way, so<br>
that one can know that the POC might not be compromised more easily.<br>
<br>
--<br>
] Never tell me the odds! | ipv6 mesh networks [<br>
] Michael Richardson, Sandelman Software Works | IoT architect [<br>
] <a href="mailto:mcr@sandelman.ca" target="_blank">mcr@sandelman.ca</a> <a href="http://www.sandelman.ca/" rel="noreferrer" target="_blank">http://www.sandelman.ca/</a> | ruby on rails [<br>
<br>
_______________________________________________<br>
ARIN-Consult<br>
You are receiving this message because you are subscribed to the ARIN Consult Mailing<br>
List (<a href="mailto:ARIN-consult@arin.net" target="_blank">ARIN-consult@arin.net</a>).<br>
Unsubscribe or manage your mailing list subscription at:<br>
<a href="https://lists.arin.net/mailman/listinfo/arin-consult" rel="noreferrer" target="_blank">https://lists.arin.net/mailman/listinfo/arin-consult</a> Please contact the ARIN Member Services<br>
Help Desk at <a href="mailto:info@arin.net" target="_blank">info@arin.net</a> if you experience any issues.<br>
</blockquote></div>