<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 1/24/23 15:40, Adam Thompson wrote:<br>
</div>
<blockquote type="cite"
cite="mid:YT2PR01MB4622B8C04F010CB399FFA19DABC99@YT2PR01MB4622.CANPRD01.PROD.OUTLOOK.COM">
<div class="WordSection1"><span>The goal should be to add the
minimum increment of security that satisfies the business
objective. Unfortunately, the business objective here seems
to have been “add 2FA” which is a technical objective, not a
business objective.</span></div>
</blockquote>
<p>2FA is a business objective these days. If you don't use 2FA for
email, VPN, and Domain Admin access, you are basically uninsurable
for cyber risk right now (and have been for a year or more). I
can't speak to exactly what underwriters would require of ARIN for
ARIN's own services, so maybe this isn't a hard requirement today,
but it's not unreasonable to think that it might be now or in the
near future.</p>
<br>
<blockquote type="cite"
cite="mid:YT2PR01MB4622B8C04F010CB399FFA19DABC99@YT2PR01MB4622.CANPRD01.PROD.OUTLOOK.COM">
<div class="WordSection1">
<p class="MsoNormal"><span>Just enforcing password length >
20 would have increased security without needing 2FA.
(Obviously not increased *<b>enough</b>* to satisfy
everyone, but my statement stands.)</span></p>
</div>
</blockquote>
<p>A (the?) major goal of 2FA is to make it so that if your password
is compromised, the attacker still cannot authenticate as you. No
amount of password length or complexity helps with that.<br>
</p>
<p>In the typical corporate example... If I get your corporate
password, without 2FA, I can log in as you to every server /
network device / whatever. With 2FA required, I can't log in to
anything (without also compromising your second factor). In other
words, 2FA contains the initial breach, rather than letting the
attacker run wild through the whole infrastructure. Requiring a
unique password for every single device would accomplish the same
thing without 2FA, but 1) that's not practical to enforce, and 2)
that's worse for usability. So 2FA it is.<br>
</p>
<p>As to your particular troubles with breaking/losing
authenticators... Get something like 1Password, set it up on
multiple devices (which you're surely going to do anyway: phone,
computer, etc.), and store your ARIN TOTP 2FA in there. You'll
improve both security and convenience.<br>
</p>
<pre class="moz-signature" cols="72">--
Richard</pre>
</body>
</html>