nanog mailing list archives

Re: FYI - 2FA to be come mandatory for ARIN Online?

From: John Curran <jcurran () arin net>
Date: Tue, 24 May 2022 22:22:33 +0000

On 24 May 2022, at 4:39 PM, niels=nanog () bakker net wrote:

* nanog () nanog org (Laura Smith via NANOG) [Tue 24 May 2022, 22:22 CEST]:

Its 2022. Do we really still need a consultation on why mandatory 2FA is a good thing ? Even more so for something 
like ARIN ?


To many of us in 2022 it's clear that SMS 2FA isn't necessarily a good way to protect critical infrastructure, but 
apparently ARIN does need a consultation for that


Niels - 

I can think of several reasons why "SMS 2FA isn't necessarily a good way to protect critical infrastructure”…

Of course, there’s also the point that requiring 2FA for everyone – even if just SMS – would still be a superior state 
of affairs then the present condition (wherein 97% of ARIN Online users rely on just a password, and this despite 2FA 
via TOTP being available for ARIN Online accounts for years…) 

There could easily be some operational concerns resulting from making 2FA authentication mandatory of which we on the 
ARIN staff are not aware, so we conduct a consultation.  Your voice can be part of that consultation,  but again it’s 
taking place on arin-consult mailing list (open to all) – not here.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers

Current thread:

FYI - 2FA to be come mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts John Curran (May 24)
- Re: FYI - 2FA to be come mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts Laura Smith via NANOG (May 24)
  - Re: FYI - 2FA to be come mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts Matt Harris (May 24)
  - Re: FYI - 2FA to be come mandatory for ARIN Online? niels=nanog (May 24)
    - Re: FYI - 2FA to be come mandatory for ARIN Online? John Curran (May 24)
    - Re: FYI - 2FA to be come mandatory for ARIN Online? Raymond Burkholder (May 24)
    - Re: FYI - 2FA to be come mandatory for ARIN Online? Peter Beckman (May 27)
- Re: FYI - 2FA to be come mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts Alejandro Acosta (May 28)
  - Re: FYI - 2FA to be come mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts Randy Bush (May 28)
    - Re: FYI - 2FA to be come mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts Jim Popovitch via NANOG (May 28)
    - Re: FYI - 2FA to be come mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts goemon--- via NANOG (May 28)
    - Re: FYI - 2FA to be come mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts Owen DeLong via NANOG (May 28)
    - Re: FYI - 2FA to be come mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts tim () pelican org (May 30)
    - Re: FYI - 2FA to be come mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts Robert Kisteleki (May 30)
    - Re: FYI - 2FA to be come mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts Randy Bush (May 30)