Re: FYI - 2FA to be come mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

[Alejandro Acosta <alejandroacostaalamo () gmail com>]

Hello,
  I am not in the ARIN region but I have attended few Arin meetings.
  As a comment, I live a country were mobile roaming does not exists,
therefore, when 2FA only works with SMS I can not use the service. Having
said that, please consider at least one more way to perform 2FA, maybe send
a code to the email address or something else.

My two cents,

Alejandro,
PS If you have already thought about this sorry for the noise.

On Tue, May 24, 2022, 2:29 PM John Curran <jcurran () arin net> wrote:

> NANOGers -
>
> A consultation opened today on potentially requiring use of 2-factor
> authentication to login into ARIN Online – this would take place once SMS
> 2FA is deployed.   If you think that this is: a) a great idea, b) a bad
> idea, c) anything else, then feel free to subscribe to the arin-consult
> mailing list (open to all at
> http://lists.arin.net/mailman/listinfo/arin-consult) and provide your
> feedback.
>
> Best wishes,
> /John
>
> John Curran
> President and CEO
> American Registry for Internet Numbers
>
>
> Begin forwarded message:
>
> *From: *ARIN <info () arin net>
> *Subject: **[arin-announce] Consultation on Requiring Two-Factor
> Authentication (2FA) for ARIN Online Accounts*
> *Date: *24 May 2022 at 12:45:48 PM EDT
> *To: *"arin-announce () arin net" <arin-announce () arin net>
>
> **Background**
>
> In 2015, ARIN deployed a Time-Based One-Time password (TOTP)
> implementation of Two-Factor Authentication (2FA). Since the time of
> implementing that login security feature, 3.2 percent of ARIN Online users
> have opted to use 2FA with their accounts.
>
> Since October 2020, the ARIN Online system has been subject to a series of
> dictionary-based password guessing attacks. In March of 2021, we conducted
> ACSP Consultation 2021.2: Password Security for ARIN Online Accounts (
> https://www.arin.net/participate/community/acsp/consultations/2021/2021-2/)
> on proposed improvements to increase account security. This consultation
> resulted in an agreement to move forward with several improvements that
> have subsequently been deployed. However, we continue to see frequent
> attacks on our log-in systems, and ARIN staff continues to be heavily
> engaged in mitigating these attacks. Accounts not using 2FA are susceptible
> to these attacks. We recently updated the community on this topic during
> ARIN 49 held in Nashville and online in April. You can review this
> information from the ARIN 49 Meeting Report (
> https://www.arin.net/participate/meetings/ARIN49/) by looking for the
> presentation titled “Brute Force Login Attacks”.
>
> It is our intention to make 2FA mandatory for all existing and new ARIN
> Online accounts going forward. The security of ARIN Online accounts is
> paramount to the success of the registry, and we do not believe it is
> tenable to continue without making 2FA required for all ARIN Online
> accounts.
>
> We are currently developing a second method of 2FA use with ARIN Online to
> add to our long-deployed TOTP implementation. In the coming months, we will
> deploy a Short Message Service (SMS) 2FA implementation, thereby adding a
> second 2FA option for ARIN Online users. At that time, users will be able
> to choose between two types of 2FA – SMS and TOTP.   Adoption of TOTP 2FA
> has been limited in part due to perceived complexity, and the addition of
> SMS-based 2FA will provide a second option that is easier to use for many
> customers – and provide much more protection than the simple
> username-password condition of many ARIN Online user accounts today.  (ARIN
> also plans on adding support for a third 2FA option in the future – Fast
> Identity Online 2 (FIDO2) – in response to community suggestions, but we do
> not believe it is prudent to delay requiring 2FA on ARIN Online accounts
> until that third option becomes available.)
>
> **Requiring 2FA For ARIN Online Accounts**
>
> By requiring 2FA for ARIN Online accounts that control number resources,
> the ARIN community should see stronger security for the registry, reduced
> risk of account fraud attempts, and increased confidence in the integrity
> of their ARIN resources.
>
> ARIN intends to require 2FA for all ARIN Online accounts shortly after
> SMS-based 2FA authentication is generally available.  We are seeking
> confirmation from the ARIN community regarding this plan, and ask the
> following consultation question:
>
> -------------------
> Once SMS-based two-factor authentication (2FA) is available for ARIN
> Online, do you believe ARIN *should not* proceed with requiring 2FA
> authentication (SMS-based or TOTP) for all ARIN Online accounts?  If so,
> why?
> -------------------
>
> The feedback you provide during this consultation will help form our path
> forward to increasing the security of ARIN Online for all customers. Thank
> you for your participation in the ARIN Consultation and Suggestion Process.
> Please provide comments to arin-consult () arin net. You can subscribe to
> this mailing list at:
>
> http://lists.arin.net/mailman/listinfo/arin-consult
>
> This consultation will remain open through 5:00 PM ET on 24 June 2022.
>
> Regards,
>
> John Curran
> President and CEO
> American Registry for Internet Numbers (ARIN)
>
>
> _______________________________________________
> ARIN-Announce
> You are receiving this message because you are subscribed to
> the ARIN Announce Mailing List (ARIN-announce () arin net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-announce
> Please contact info () arin net if you experience any issues.