FYI - 2FA to become mandatory for ARIN Online?

John Curran jcurran at arin.net
Tue May 24 22:22:33 UTC 2022



> On 24 May 2022, at 4:39 PM, niels=nanog at bakker.net wrote:
> 
> * nanog at nanog.org (Laura Smith via NANOG) [Tue 24 May 2022, 22:22 CEST]:
>> It's 2022. Do we really still need a consultation on why mandatory 2FA is a good thing? Even more so for something like ARIN?
> 
> To many of us in 2022 it's clear that SMS 2FA isn't necessarily a good way to protect critical infrastructure, but apparently ARIN does need a consultation for that

Niels - 

I can think of several reasons why "SMS 2FA isn't necessarily a good way to protect critical infrastructure"…

Of course, there’s also the point that requiring 2FA for everyone – even if just SMS – would still be a superior state of affairs than the present condition (wherein 97% of ARIN Online users rely on just a password, and this despite 2FA via TOTP being available for ARIN Online accounts for years…)

There could easily be some operational concerns resulting from making 2FA authentication mandatory of which we on the ARIN staff are not aware, so we conduct a consultation. Your voice can be part of that consultation, but again it’s taking place on the arin-consult mailing list (open to all) – not here.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers



