FYI - 2FA to be come mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Royce Williams royce at
Sat May 28 04:41:03 UTC 2022

On Fri, May 27, 2022, 9:55 PM Peter Beckman <beckman at> wrote:

>   Not to be confused with FIDO U2F, which is basically what TOTP 2FA is,
>   just implemented differently.

FIDO U2F is materially different from TOTP 2FA.

With TOTP, there is no cryptographic validation of the requester / server.
A user can be fooled into providing a TOTP code to the wrong site, or via
phishing, or by an attacker simply making repeated authentication requests
in the middle of the night until the user gets exasperated and provides the

By contrast, even the original FIDO U2F spec authenticates the 'origin' -
the server being authenticated *to*. I'm glossing over the details, but in
essence, the browser compares the cryptographic signature, and if it
doesn't match the expected origin, it won't complete the authentication.

It is this property that virtually eliminated an entire class of phishing
at Google:

TOTP does not have equivalent phishing resistance.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list