FYI - 2FA to become mandatory for ARIN Online?

Raymond Burkholder ray at oneunified.net
Tue May 24 23:27:50 UTC 2022


On 2022-05-24 16:22, John Curran wrote:
>> On 24 May 2022, at 4:39 PM, niels=nanog at bakker.net wrote:
>>
>> * nanog at nanog.org (Laura Smith via NANOG) [Tue 24 May 2022, 22:22 CEST]:
>>> It's 2022. Do we really still need a consultation on why mandatory 2FA is a good thing? Even more so for something like ARIN?
>> To many of us in 2022 it's clear that SMS 2FA isn't necessarily a good way to protect critical infrastructure, but apparently ARIN does need a consultation for that.
> Niels -
>
> I can think of several reasons why "SMS 2FA isn't necessarily a good way to protect critical infrastructure"…
>
> Of course, there’s also the point that requiring 2FA for everyone – even if just SMS – would still be a superior state of affairs than the present condition (wherein 97% of ARIN Online users rely on just a password, and this despite 2FA via TOTP being available for ARIN Online accounts for years…)
What about an optional additional second factor of sending out an email
with digits to enter or a link to confirm login / some other critical
operation?
> There could easily be some operational concerns resulting from making 2FA authentication mandatory of which we on the ARIN staff are not aware, so we conduct a consultation. Your voice can be part of that consultation, but again it’s taking place on arin-consult mailing list (open to all) – not here.