Send ARIN-consult mailing list submissions to
        arin-consult@arin.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.arin.net/mailman/listinfo/arin-consult
or, via email, send a message with subject or body 'help' to
        arin-consult-requ...@arin.net

You can reach the person managing the list at
        arin-consult-ow...@arin.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ARIN-consult digest..."


Today's Topics:

   1. Re: Consultation on Requiring Two-Factor Authentication (2FA)
      for ARIN Online Accounts (Richard Laager)
   2. Re: Consultation on Requiring Two-Factor Authentication (2FA)
      for ARIN Online Accounts (Glen A. Pearce)


----------------------------------------------------------------------

Message: 1
Date: Sat, 28 May 2022 00:10:25 -0500
From: Richard Laager <rlaa...@wiktel.com>
To: arin-consult@arin.net
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
        Authentication (2FA) for ARIN Online Accounts
Message-ID: <5cf26031-ae8f-9513-425d-31baaa682...@wiktel.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

On 5/27/22 21:56, Peter Beckman wrote:
> On Wed, 25 May 2022, Owen DeLong wrote:
>
>> Well... ARIN can't detect that until your next (successful) login, anyway.
>
> Fair, agreed. This also requires ARIN to constantly be updating their
> "disclosed password" list, which seems like that could also fall through
> the cracks.

https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange

-- 
Richard

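[Added example, not part of Richard's message or of any ARIN code.] The range search linked above lets a site test a password at login or password change without keeping its own disclosed-password list: only the first five hex characters of the SHA-1 leave the server, and the returned suffixes are matched locally. The fetcher here is a constructed offline stand-in for the HTTPS call, and the sample passwords and counts are made up.

```python
import hashlib

# The real service answers GET https://api.pwnedpasswords.com/range/<5 hex chars>
# with one "SUFFIX:COUNT" line per known hash that shares the prefix.

def split_hash(password):
    """Uppercase SHA-1 hex, split into (5-char prefix sent out, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse a range response body into {suffix: count}, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Times the password appears in the corpus; 0 if absent or only a padding entry."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def make_constructed_fetcher(breached):
    """Offline stand-in for the range endpoint (assumption: constructed data only).

    Returns (fetch, seen); `seen` records every prefix the caller disclosed.
    """
    table = {}
    for pw, count in breached.items():
        prefix, suffix = split_hash(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")
    seen = []

    def fetch(prefix):
        seen.append(prefix)
        # Zero-count line imitates the padding entries the service can add.
        return "\r\n".join(table.get(prefix, []) + ["0" * 35 + ":0"])

    return fetch, seen

if __name__ == "__main__":
    fetch, seen = make_constructed_fetcher({"Summer2022": 41})  # constructed sample
    for candidate in ("Summer2022", "k7Qw-unlisted-example"):
        print(candidate, "->", breach_count(candidate, fetch))
    print("prefixes disclosed:", seen)
```
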
------------------------------

Message: 2
Date: Fri, 27 May 2022 23:22:33 -0600
From: "Glen A. Pearce" <arin-cons...@ve4.ca>
To: arin-consult@arin.net
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
        Authentication (2FA) for ARIN Online Accounts
Message-ID: <a9ebf2af-1f84-7bae-be37-14a6d97ee...@ve4.ca>
Content-Type: text/plain; charset=utf-8; format=flowed

I would prefer if 2FA is kept optional.

As for why I have chosen to not implement it:

1: It's one more thing that can break.
2: Whatever 2FA is used will be on the same premises as the password so 
if someone compromises the premises to obtain the password they would 
also gain access to whatever 2FA is being used.

My ARIN password is not a dictionary word, it contains letters and 
numbers, it is not used on any other site.

I do not share any password between any sites so credential stuffing 
won't work on me. I generate the passwords I use for each site using a 
process (that I won't disclose so as to not even give out the slightest 
clue). Though now I have a bunch of different passwords for various 
things that I can't possibly remember so I can't log into anything away 
from my premises anyways.

To get my passwords for anything someone would have to:

A: Figure out where my premises is (which due to my use of a P.O. Box 
and some other measures is harder), break in through 2 doors (with alarm 
going off once they get through the first one) on the rare occasions I'm 
not here (pandemic keeping me from going out any more than needed and 
working from home at my "other" job apparently has a security benefit), 
figure out how and where the password is stored once in.
B: Same as above but when I'm here forcing me under threat of violence 
to log into my ARIN account.
C: Kidnapping me while I'm elsewhere (picking up snail mail from the 
P.O. Box?) at which point they would have to force me to take them back 
to the premises to log into my ARIN account. (As mentioned above I 
literally can't remember my password so I can't log in from anywhere 
else no matter how much they try to make me.)

In situation A, intruder traps, or in situation B or C, me acquiring a 
firearm, would both be effective at further securing my ARIN account (as 
a side effect of further securing my person and premises) while any 2FA 
would not be. That said, although IP space is valuable I don't think we 
are anywhere near people being kidnapped over it, especially a /24 that 
isn't eligible for a specified transfer for another 3 years.

-- 
Glen A. Pearce
g...@ve4.ca
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees
http://www.ve4.ca
ARIN Handle VET-17



------------------------------

End of ARIN-consult Digest, Vol 90, Issue 28
********************************************
