On 2022-05-24 16:22, John Curran wrote:
On 24 May 2022, at 4:39 PM, niels=na...@bakker.net wrote:
* nanog@nanog.org (Laura Smith via NANOG) [Tue 24 May 2022, 22:22 CEST]:
It's 2022. Do we really still need a consultation on why mandatory 2FA is a good
thing? Even more so for something like ARIN?

To many of us in 2022 it's clear that SMS 2FA isn't necessarily a good way to
protect critical infrastructure, but apparently ARIN does need a consultation
for that.

Niels -
I can think of several reasons why "SMS 2FA isn't necessarily a good way to
protect critical infrastructure"…
Of course, there’s also the point that requiring 2FA for everyone – even if
just SMS – would still be a superior state of affairs than the present
condition (wherein 97% of ARIN Online users rely on just a password, and this
despite 2FA via TOTP being available for ARIN Online accounts for years…)

What about an optional additional second factor of sending out an email
with digits to enter or a link to confirm login / some other critical
operation?

There could easily be some operational concerns resulting from making 2FA
authentication mandatory of which we on the ARIN staff are not aware, so we
conduct a consultation. Your voice can be part of that consultation, but
again it’s taking place on arin-consult mailing list (open to all) – not here.