[arin-ppml] ARIN validation of authorized contacts

Jeffrey I. Schiller jis at mit.edu
Thu Mar 31 11:00:44 EDT 2011 

On Thu, Mar 31, 2011 at 09:14:44AM -0400, John Curran wrote:
> Absolutely. If you believe ARIN should add extra protections against
> such an attack (comprised account password), either optionally for
> an account or for everyone, that is definitely something that should
> be discussed.

I know that there are discussions in the SSL community about providing
two-factor authentication. Some DNS registrars (name.com for example)
offer two-factor authentication to customers (I am one of them who
uses two-factor authentication with them).

I am not sure the time is right for requiring POCs to use two-factor
to authentication to ARIN, but it is probably a good time for ARIN to
offer it as an option.

I am particularly in favor of Google's approach. They make use of an
open standard (OATH, RFC4226) and the customer gets to download their
token seed (yes, this is a risk) which you can load into a smart phone
based authenticator (or write your own code, as I have done). Google
also creates a set of "scratch" codes which you are told to print and
keep in a safe place. They can be used in lieu of an OATH code, in the
case where you lose your phone. Of course part of Google's model is to
avoid people having to contact Google's customer service to reset
their account if they lose their tokens.

It is also a low cost solution compared to other token vendors which
charge $$ for the tokens (even a "soft" token loaded into a smart
phone) or require you to validate customers via a web server they
operate and charge $$ for.

                        -Jeff

--
_______________________________________________________________________
Jeffrey I. Schiller
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room N42-283
Cambridge, MA 02139-4307
617.253.0161 - Voice
jis at mit.edu
http://jis.qyv.name
_______________________________________________________________________
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3502 bytes
Desc: not available
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20110331/35700a90/attachment.bin>

More information about the ARIN-PPML mailing list