<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<br>
<br>
<div class="moz-cite-prefix">On 24/01/2023 1:16 p.m., Ross Tajvar
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CA+FDdDT=G5c3wNd9asKW1EScBh1TPpX9BQ9sGGR2AaJkMnzJvA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">> 1. Would you support ARIN offering email as an
additional 2FA method?<br>
<div><b>No.</b> Email can be used to reset one's password. If
it's used for one-time login codes as well, that's only one
authentication factor. An email compromise could therefore
easily result in account takeover, which defeats the purpose
of 2FA.</div>
</div>
</blockquote>
<br>
Perhaps allow it with a specification that the E-mail address used
for 2FA be a different<br>
one than the E-mail address used for account recovery and an
explanation so that people <br>
understand why it has to be a separate address. Also include a
suggestion that (like<br>
everything else) for this reason passwords should not be re-used.<br>
<br>
<pre class="moz-signature" cols="72">--
Glen A. Pearce
<a class="moz-txt-link-abbreviated" href="mailto:gap@ve4.ca">gap@ve4.ca</a>
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees
<a class="moz-txt-link-freetext" href="http://www.ve4.ca">http://www.ve4.ca</a>
ARIN Handle VET-17</pre>
</body>
</html>