<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><br class=""></div>TOTP is "OK but not ascendant". The RFC is 10 years old; the technology has roots that are much older (HOTP). There are better things now.<div class=""><br class=""></div><div class="">It is still way way way better than "no 2FA", but if we are going to go from optional to required, we might want to consider a recalibration. Job submitted this through the ACSP process less than a month ago:</div><div class=""><a href="https://www.arin.net/participate/community/acsp/suggestions/2021/2021-2/" class="">https://www.arin.net/participate/community/acsp/suggestions/2021/2021-2/</a></div><div class=""><br class=""></div><div class="">-r</div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Feb 16, 2021, at 4:30 PM, Heather Schiller via ARIN-consult <<a href="mailto:arin-consult@arin.net" class="">arin-consult@arin.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div style="caret-color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;" class="">2FA like this? <a href="https://www.arin.net/reference/materials/security/twofactor/" class="">https://www.arin.net/reference/materials/security/twofactor/</a></div><br class="Apple-interchange-newline"></div></blockquote></div><br class=""></div></body></html>