Hello, I am not in the ARIN region but I have attended a few ARIN meetings. As a comment, I live in a country where mobile roaming does not exist; therefore, when 2FA only works with SMS I cannot use the service. Having said that, please consider at least one more way to perform 2FA, maybe send a code to the email address or something else.
My two cents,

Alejandro

PS If you have already thought about this sorry for the noise.

On Tue, May 24, 2022, 2:29 PM John Curran <[email protected]> wrote:

> NANOGers -
>
> A consultation opened today on potentially requiring use of 2-factor authentication to login into ARIN Online – this would take place once SMS 2FA is deployed. If you think that this is: a) a great idea, b) a bad idea, c) anything else, then feel free to subscribe to the arin-consult mailing list (open to all at http://lists.arin.net/mailman/listinfo/arin-consult) and provide your feedback.
>
> Best wishes,
> /John
>
> John Curran
> President and CEO
> American Registry for Internet Numbers
>
> Begin forwarded message:
>
> *From:* ARIN <[email protected]>
> *Subject:* *[arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts*
> *Date:* 24 May 2022 at 12:45:48 PM EDT
> *To:* "[email protected]" <[email protected]>
>
> **Background**
>
> In 2015, ARIN deployed a Time-Based One-Time password (TOTP) implementation of Two-Factor Authentication (2FA). Since the time of implementing that login security feature, 3.2 percent of ARIN Online users have opted to use 2FA with their accounts.
>
> Since October 2020, the ARIN Online system has been subject to a series of dictionary-based password guessing attacks. In March of 2021, we conducted ACSP Consultation 2021.2: Password Security for ARIN Online Accounts (https://www.arin.net/participate/community/acsp/consultations/2021/2021-2/) on proposed improvements to increase account security. This consultation resulted in an agreement to move forward with several improvements that have subsequently been deployed. However, we continue to see frequent attacks on our log-in systems, and ARIN staff continues to be heavily engaged in mitigating these attacks. Accounts not using 2FA are susceptible to these attacks. We recently updated the community on this topic during ARIN 49 held in Nashville and online in April. You can review this information from the ARIN 49 Meeting Report (https://www.arin.net/participate/meetings/ARIN49/) by looking for the presentation titled “Brute Force Login Attacks”.
>
> It is our intention to make 2FA mandatory for all existing and new ARIN Online accounts going forward. The security of ARIN Online accounts is paramount to the success of the registry, and we do not believe it is tenable to continue without making 2FA required for all ARIN Online accounts.
>
> We are currently developing a second method of 2FA use with ARIN Online to add to our long-deployed TOTP implementation. In the coming months, we will deploy a Short Message Service (SMS) 2FA implementation, thereby adding a second 2FA option for ARIN Online users. At that time, users will be able to choose between two types of 2FA – SMS and TOTP. Adoption of TOTP 2FA has been limited in part due to perceived complexity, and the addition of SMS-based 2FA will provide a second option that is easier to use for many customers – and provide much more protection than the simple username-password condition of many ARIN Online user accounts today. (ARIN also plans on adding support for a third 2FA option in the future – Fast Identity Online 2 (FIDO2) – in response to community suggestions, but we do not believe it is prudent to delay requiring 2FA on ARIN Online accounts until that third option becomes available.)
>
> **Requiring 2FA For ARIN Online Accounts**
>
> By requiring 2FA for ARIN Online accounts that control number resources, the ARIN community should see stronger security for the registry, reduced risk of account fraud attempts, and increased confidence in the integrity of their ARIN resources.
>
> ARIN intends to require 2FA for all ARIN Online accounts shortly after SMS-based 2FA authentication is generally available. We are seeking confirmation from the ARIN community regarding this plan, and ask the following consultation question:
>
> -------------------
> Once SMS-based two-factor authentication (2FA) is available for ARIN Online, do you believe ARIN *should not* proceed with requiring 2FA authentication (SMS-based or TOTP) for all ARIN Online accounts? If so, why?
> -------------------
>
> The feedback you provide during this consultation will help form our path forward to increasing the security of ARIN Online for all customers. Thank you for your participation in the ARIN Consultation and Suggestion Process. Please provide comments to [email protected]. You can subscribe to this mailing list at:
>
> http://lists.arin.net/mailman/listinfo/arin-consult
>
> This consultation will remain open through 5:00 PM ET on 24 June 2022.
>
> Regards,
>
> John Curran
> President and CEO
> American Registry for Internet Numbers (ARIN)
>
> _______________________________________________
> ARIN-Announce
> You are receiving this message because you are subscribed to the ARIN Announce Mailing List ([email protected]).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-announce
> Please contact [email protected] if you experience any issues.

