Today's Topics:

   1. Re: Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts (Richard Laager)
   2. Re: Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts (Glen A. Pearce)

----------------------------------------------------------------------

Message: 1
Date: Sat, 28 May 2022 00:10:25 -0500
From: Richard Laager <rlaa...@wiktel.com>
To: arin-consult@arin.net
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts
Message-ID: <5cf26031-ae8f-9513-425d-31baaa682...@wiktel.com>

On 5/27/22 21:56, Peter Beckman wrote:
> On Wed, 25 May 2022, Owen DeLong wrote:
>
>> Well… ARIN can't detect that until your next (successful) login, anyway.
>
> Fair, agreed. This also requires ARIN to constantly be updating their
> "disclosed password" list, which seems like that could also fall through
> the cracks.

https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange

-- 
Richard

------------------------------

Message: 2
Date: Fri, 27 May 2022 23:22:33 -0600
From: "Glen A. Pearce" <arin-cons...@ve4.ca>
To: arin-consult@arin.net
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts
Message-ID: <a9ebf2af-1f84-7bae-be37-14a6d97ee...@ve4.ca>

I would prefer if 2FA is kept optional.

As for why I have chosen to not implement it:

1: It's one more thing that can break.

2: Whatever 2FA is used will be on the same premises as the password so
if someone compromises the premises to obtain the password they would
also gain access to whatever 2FA is being used.

My ARIN password is not a dictionary word, it contains letters and
numbers, it is not used on any other site. I do not share any password
between any sites so credential stuffing won't work on me. I generate
the passwords I use for each site using a process (that I won't disclose
so as to not even give out the slightest clue). Though now I have a
bunch of different passwords for various things that I can't possibly
remember so I can't log into anything away from my premises anyways.

To get my passwords for anything someone would have to:

A: Figure out where my premises is (which due to my use of a P.O. Box
and some other measures is harder), break in through 2 doors (with alarm
going off once they get through the first one) on the rare occasions I'm
not here (pandemic keeping me from going out any more than needed and
working from home at my "other" job apparently has a security benefit),
figure out how and where the password is stored once in.

B: Same as above but when I'm here forcing me under threat of violence
to log into my ARIN account.

C: Kidnapping me while I'm elsewhere (picking up snail mail from the
P.O. Box?) at which point they would have to force me to take them back
to the premises to log into my ARIN account. (As mentioned above I
literally can't remember my password so I can't log in from anywhere
else no matter how much they try to make me.)

In situation A intruder traps, or in situation B or C me acquiring a
firearm, would both be effective at further securing my ARIN account (as
a side effect of further securing my person and premises) while any 2FA
would not be. That said, although IP space is valuable I don't think we
are anywhere near people being kidnapped over it, especially a /24 that
isn't eligible for a specified transfer for another 3 years.

-- 
Glen A. Pearce
g...@ve4.ca
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees
http://www.ve4.ca
ARIN Handle VET-17

------------------------------

End of ARIN-consult Digest, Vol 90, Issue 28