<html><head></head><body><div dir="ltr"><div dir="ltr"><div dir="ltr">Matt Harris | VP of Infrastructure</div>On Wed, May 25, 2022 at 10:25 AM John Curran <<a href="mailto:jcurran@arin.net">jcurran@arin.net</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">



<div style="overflow-wrap: break-word;">
<br>
<div><br>
<blockquote type="cite">
<div>On 25 May 2022, at 11:13 AM, Matt Harris <<a href="mailto:matt@netfire.net" target="_blank">matt@netfire.net</a>> wrote:</div>
<br>
<div><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;float:none;display:inline">I
 do agree with your statement "security should be commensurate with what is being protected." Thus, I would consider that we perhaps continue to allow accounts without control of any resources to continue without requiring 2fa, only requiring it when resources
 are allocated. An ARIN account with control of nothing, or perhaps just contact records for SWIP'd space, etc, is not one that is a huge hazard to the community at large imho compared to one that controls ASNs or IPv4 and IPv6 resources. </span></div>
</blockquote>
</div>
<br>
<div>Matt - </div>
<div><br>
</div>
<div>Wouldn’t the “compromise approach” shown above leave ARIN with accounts that are still subject to brute-force login attacks, and therefore not address the other aspect raised in the consultation:</div>
<div><br>
</div>
<blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px">
<div>
<blockquote type="cite"><i>However, we continue to see frequent attacks on our log-in systems, and ARIN staff continues to be heavily engaged in mitigating these attacks. Accounts not using 2FA are susceptible to these attacks. We recently
 updated the community on this topic during ARIN 49 held in Nashville and online in April. You can review this information from the ARIN 49 Meeting Report (<a href="https://www.arin.net/participate/meetings/ARIN49/" target="_blank">https://www.arin.net/participate/meetings/ARIN49/</a>)
 by looking for the presentation titled “Brute Force Login Attacks”. </i></blockquote>
<br>
</div>
<div><br>
</div>
</blockquote>
Thoughts?
<div>/John</div></div></blockquote><div><br></div><div>Indeed, it's a compromise, just like the proposed use of SMS as a method is a compromise. The ideal is, imho, probably to implement FIDO as a second 2fa measure in addition to the already well-supported TOTP method and leave SMS off the table, and enforce it on all accounts across the board. I don't want to let perfect be the enemy of good, though. </div><div><br></div><div>- mdh</div><div><br></div></div></div>
</body></html>