FYI - 2FA to be come mandatory for ARIN Online?

John Curran jcurran at
Tue May 24 22:22:33 UTC 2022

> On 24 May 2022, at 4:39 PM, niels=nanog at wrote:
> * nanog at (Laura Smith via NANOG) [Tue 24 May 2022, 22:22 CEST]:
>> Its 2022. Do we really still need a consultation on why mandatory 2FA is a good thing ? Even more so for something like ARIN ?
> To many of us in 2022 it's clear that SMS 2FA isn't necessarily a good way to protect critical infrastructure, but apparently ARIN does need a consultation for that

Niels - 

I can think of several reasons why "SMS 2FA isn't necessarily a good way to protect critical infrastructure”…

Of course, there’s also the point that requiring 2FA for everyone – even if just SMS – would still be a superior state of affairs then the present condition (wherein 97% of ARIN Online users rely on just a password, and this despite 2FA via TOTP being available for ARIN Online accounts for years…) 

There could easily be some operational concerns resulting from making 2FA authentication mandatory of which we on the ARIN staff are not aware, so we conduct a consultation.  Your voice can be part of that consultation,  but again it’s taking place on arin-consult mailing list (open to all) – not here.


John Curran
President and CEO
American Registry for Internet Numbers

More information about the NANOG mailing list