It's 2022. Do we really still need a consultation on why mandatory 2FA is a good thing? Even more so for something like ARIN?
------- Original Message -------
On Tuesday, May 24th, 2022 at 19:28, John Curran <jcur...@arin.net> wrote:

> NANOGers -
>
> A consultation opened today on potentially requiring use of 2-factor
> authentication to log in to ARIN Online – this would take place once SMS 2FA
> is deployed. If you think that this is: a) a great idea, b) a bad idea, c)
> anything else, then feel free to subscribe to the arin-consult mailing list
> (open to all at http://lists.arin.net/mailman/listinfo/arin-consult) and
> provide your feedback.
>
> Best wishes,
> /John
>
> John Curran
> President and CEO
> American Registry for Internet Numbers
>
>
> > Begin forwarded message:
> >
> > From: ARIN <i...@arin.net>
> > Subject: [arin-announce] Consultation on Requiring Two-Factor
> > Authentication (2FA) for ARIN Online Accounts
> > Date: 24 May 2022 at 12:45:48 PM EDT
> > To: "arin-annou...@arin.net" <arin-annou...@arin.net>
> >
> > **Background**
> >
> > In 2015, ARIN deployed a Time-Based One-Time Password (TOTP) implementation
> > of Two-Factor Authentication (2FA). Since the time of implementing that
> > login security feature, 3.2 percent of ARIN Online users have opted to use
> > 2FA with their accounts.
> >
> > Since October 2020, the ARIN Online system has been subject to a series of
> > dictionary-based password guessing attacks. In March of 2021, we conducted
> > ACSP Consultation 2021.2: Password Security for ARIN Online Accounts
> > (https://www.arin.net/participate/community/acsp/consultations/2021/2021-2/)
> > on proposed improvements to increase account security. This consultation
> > resulted in an agreement to move forward with several improvements that
> > have subsequently been deployed. However, we continue to see frequent
> > attacks on our log-in systems, and ARIN staff continues to be heavily
> > engaged in mitigating these attacks. Accounts not using 2FA are susceptible
> > to these attacks.
> >
> > We recently updated the community on this topic during ARIN 49 held in
> > Nashville and online in April. You can review this information from the
> > ARIN 49 Meeting Report (https://www.arin.net/participate/meetings/ARIN49/)
> > by looking for the presentation titled “Brute Force Login Attacks”.
> >
> > It is our intention to make 2FA mandatory for all existing and new ARIN
> > Online accounts going forward. The security of ARIN Online accounts is
> > paramount to the success of the registry, and we do not believe it is
> > tenable to continue without making 2FA required for all ARIN Online
> > accounts.
> >
> > We are currently developing a second method of 2FA use with ARIN Online to
> > add to our long-deployed TOTP implementation. In the coming months, we will
> > deploy a Short Message Service (SMS) 2FA implementation, thereby adding a
> > second 2FA option for ARIN Online users. At that time, users will be able
> > to choose between two types of 2FA – SMS and TOTP. Adoption of TOTP 2FA
> > has been limited in part due to perceived complexity, and the addition of
> > SMS-based 2FA will provide a second option that is easier to use for many
> > customers – and provide much more protection than the simple
> > username-password condition of many ARIN Online user accounts today. (ARIN
> > also plans on adding support for a third 2FA option in the future – Fast
> > Identity Online 2 (FIDO2) – in response to community suggestions, but we do
> > not believe it is prudent to delay requiring 2FA on ARIN Online accounts
> > until that third option becomes available.)
> >
> > **Requiring 2FA For ARIN Online Accounts**
> >
> > By requiring 2FA for ARIN Online accounts that control number resources,
> > the ARIN community should see stronger security for the registry, reduced
> > risk of account fraud attempts, and increased confidence in the integrity
> > of their ARIN resources.
> >
> > ARIN intends to require 2FA for all ARIN Online accounts shortly after
> > SMS-based 2FA authentication is generally available. We are seeking
> > confirmation from the ARIN community regarding this plan, and ask the
> > following consultation question:
> >
> > -------------------
> > Once SMS-based two-factor authentication (2FA) is available for ARIN
> > Online, do you believe ARIN *should not* proceed with requiring 2FA
> > authentication (SMS-based or TOTP) for all ARIN Online accounts? If so,
> > why?
> > -------------------
> >
> > The feedback you provide during this consultation will help form our path
> > forward to increasing the security of ARIN Online for all customers. Thank
> > you for your participation in the ARIN Consultation and Suggestion Process.
> > Please provide comments to arin-cons...@arin.net. You can subscribe to this
> > mailing list at:
> >
> > http://lists.arin.net/mailman/listinfo/arin-consult
> >
> > This consultation will remain open through 5:00 PM ET on 24 June 2022.
> >
> > Regards,
> >
> > John Curran
> > President and CEO
> > American Registry for Internet Numbers (ARIN)
> >
> >
> > _______________________________________________
> > ARIN-Announce
> > You are receiving this message because you are subscribed to
> > the ARIN Announce Mailing List (arin-annou...@arin.net).
> > Unsubscribe or manage your mailing list subscription at:
> > https://lists.arin.net/mailman/listinfo/arin-announce
> > Please contact i...@arin.net if you experience any issues.