nanog mailing list archives

Re: FYI - 2FA to be come mandatory for ARIN Online?


From: Raymond Burkholder <ray () oneunified net>
Date: Tue, 24 May 2022 17:27:50 -0600

On 2022-05-24 16:22, John Curran wrote:
> On 24 May 2022, at 4:39 PM, niels=nanog () bakker net wrote:
>
>> * nanog () nanog org (Laura Smith via NANOG) [Tue 24 May 2022, 22:22 CEST]:
>>> It's 2022. Do we really still need a consultation on why mandatory 2FA is a good thing? Even more so for something like ARIN?
>> To many of us in 2022 it's clear that SMS 2FA isn't necessarily a good way to protect critical infrastructure, but apparently ARIN does need a consultation for that
> Niels -
>
> I can think of several reasons why "SMS 2FA isn't necessarily a good way to protect critical infrastructure"…
>
> Of course, there's also the point that requiring 2FA for everyone – even if just SMS – would still be a superior state of affairs than the present condition (wherein 97% of ARIN Online users rely on just a password, and this despite 2FA via TOTP being available for ARIN Online accounts for years…)

What about an optional additional second factor of sending out an email with digits to enter or a link to confirm login / some other critical operation?

> There could easily be some operational concerns resulting from making 2FA authentication mandatory of which we on the ARIN staff are not aware, so we conduct a consultation. Your voice can be part of that consultation, but again it's taking place on arin-consult mailing list (open to all) – not here.

