FIDO2/Passkey now supported for 2FA for ARIN Online (was: Fwd: [arin-announce] New Features Added to ARIN Online)

Royce Williams royce at
Tue Jan 3 23:20:16 UTC 2023

On Tue, Jan 3, 2023 at 11:59 AM John Curran <jcurran at> wrote:

> FYI - ARIN Online now has FIDO2/Passkey as an option for two-factor
> authentication (2FA) - this is a noted priority for some organizations.

John - this is a great step forward! Kudos to the tech team who helped make
the leap - it can be daunting.

Some feedback, take or leave as you see fit, based on my scars:

First, thanks specifically for the support for unique key names (you might
be surprised at how many services don't!), and for the FIDO2 support of
on-key PINs.

Second, I'd like to second ;) - but go beyond - Job's feature request for
multiple-key support, both in count and additional UX. Support for *more*
than two keys is recommended, to fit a wider variety of use cases and
threat/risk models (connector availability, shared/role accounts, offsite
key backup, etc etc). From my survey of 50 providers of U2F / FIDO / FIDO2,
key-count support ramps up quickly from one (PayPal - come on, y'all!), two
(Bank of America), and five (AOL/Yahoo and Coinbase), with the rest
supporting *ten or more keys* (and yes, higher key counts have use cases,
though user experience degrades above ten keys). And when multiple key
support is added, please consider some UX around managing the list of keys
(like allowing the user to *modify* key names without having to delete and
re-add them, showing the timestamp, IP, OS family / platform, etc. from
where the key was last used). Great key UX examples to emulate in this
space include Dropbox and Google. (And showing the IP's ASN would be a
uniquely ARIN twist. :D )

Third, please consider allowing a mix of authenticators (instead of the
current exclusive choice among TOTP, FIDO2, and SMS). While it will be
excellent to allow users to *eventually* opt into exclusive use of security
keys (as with Google's Advanced Protection Program) ... doing so with a
*single* key unacceptably shifts the risk model for some users. A mix
allows users to manage their risk model directly, often by voluntarily
using FIDO2 first to get the phishing resistance / origin verification of
FIDO2, but mitigating single-key risk with fallback to TOTP (which may be
more fluidly available than the 2FA recovery codes, etc.).

But the hardest part - going from zero keys to any - is already done.
Really appreciate it!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the NANOG mailing list