Re: FYI - 2FA to be come mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

[Laura Smith via NANOG <nanog () nanog org>]

Its 2022. Do we really still need a consultation on why mandatory 2FA is a good thing ? Even more so for something like 
ARIN ?

------- Original Message -------
On Tuesday, May 24th, 2022 at 19:28, John Curran <jcurran () arin net> wrote:


> NANOGers - 
> A consultation opened today on potentially requiring use of 2-factor authentication to login into ARIN Online – this 
> would take place once SMS 2FA is deployed.   If you think that this is: a) a great idea, b) a bad idea, c) anything 
> else, then feel free to subscribe to the arin-consult mailing list (open to all at 
> http://lists.arin.net/mailman/listinfo/arin-consult) and provide your feedback.
> Best wishes,/John
> John CurranPresident and CEOAmerican Registry for Internet Numbers
>
>
> > Begin forwarded message:
> > From: ARIN <info () arin net>
> > Subject: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts
> > Date: 24 May 2022 at 12:45:48 PM EDT
> > To: "arin-announce () arin net" <arin-announce () arin net>
> >
> > **Background**
> >
> > In 2015, ARIN deployed a Time-Based One-Time password (TOTP) implementation of Two-Factor Authentication (2FA). 
> > Since the time of implementing that login security feature, 3.2 percent of ARIN Online users have opted to use 2FA 
> > with their accounts.
> >
> > Since October 2020, the ARIN Online system has been subject to a series of dictionary-based password guessing 
> > attacks. In March of 2021, we conducted ACSP Consultation 2021.2: Password Security for ARIN Online Accounts 
> > (https://www.arin.net/participate/community/acsp/consultations/2021/2021-2/) on proposed improvements to increase 
> > account security. This consultation resulted in an agreement to move forward with several improvements that have 
> > subsequently been deployed. However, we continue to see frequent attacks on our log-in systems, and ARIN staff 
> > continues to be heavily engaged in mitigating these attacks. Accounts not using 2FA are susceptible to these 
> > attacks. We recently updated the community on this topic during ARIN 49 held in Nashville and online in April. You 
> > can review this information from the ARIN 49 Meeting Report (https://www.arin.net/participate/meetings/ARIN49/) by 
> > looking for the presentation titled “Brute Force Login Attacks”.  
> >
> > It is our intention to make 2FA mandatory for all existing and new ARIN Online accounts going forward. The security 
> > of ARIN Online accounts is paramount to the success of the registry, and we do not believe it is tenable to 
> > continue without making 2FA required for all ARIN Online accounts.  
> >
> > We are currently developing a second method of 2FA use with ARIN Online to add to our long-deployed TOTP 
> > implementation. In the coming months, we will deploy a Short Message Service (SMS) 2FA implementation, thereby 
> > adding a second 2FA option for ARIN Online users. At that time, users will be able to choose between two types of 
> > 2FA – SMS and TOTP.   Adoption of TOTP 2FA has been limited in part due to perceived complexity, and the addition 
> > of SMS-based 2FA will provide a second option that is easier to use for many customers – and provide much more 
> > protection than the simple username-password condition of many ARIN Online user accounts today.  (ARIN also plans 
> > on adding support for a third 2FA option in the future – Fast Identity Online 2 (FIDO2) – in response to community 
> > suggestions, but we do not believe it is prudent to delay requiring 2FA on ARIN Online accounts until that third 
> > option becomes available.)
> >
> > **Requiring 2FA For ARIN Online Accounts**
> >
> > By requiring 2FA for ARIN Online accounts that control number resources, the ARIN community should see stronger 
> > security for the registry, reduced risk of account fraud attempts, and increased confidence in the integrity of 
> > their ARIN resources.  
> >
> > ARIN intends to require 2FA for all ARIN Online accounts shortly after SMS-based 2FA authentication is generally 
> > available.  We are seeking confirmation from the ARIN community regarding this plan, and ask the following 
> > consultation question:  
> >
> > -------------------
> > Once SMS-based two-factor authentication (2FA) is available for ARIN Online, do you believe ARIN *should not* 
> > proceed with requiring 2FA authentication (SMS-based or TOTP) for all ARIN Online accounts?  If so, why?
> > -------------------
> >
> > The feedback you provide during this consultation will help form our path forward to increasing the security of 
> > ARIN Online for all customers. Thank you for your participation in the ARIN Consultation and Suggestion Process. 
> > Please provide comments to arin-consult () arin net. You can subscribe to this mailing list at:
> >
> > http://lists.arin.net/mailman/listinfo/arin-consult
> >
> > This consultation will remain open through 5:00 PM ET on 24 June 2022.
> >
> > Regards,
> >
> > John Curran
> > President and CEO
> > American Registry for Internet Numbers (ARIN)
> >
> >
> > _______________________________________________
> > ARIN-Announce
> > You are receiving this message because you are subscribed to
> > the ARIN Announce Mailing List (ARIN-announce () arin net).
> > Unsubscribe or manage your mailing list subscription at:
> > https://lists.arin.net/mailman/listinfo/arin-announce
> > Please contact info () arin net if you experience any issues.