On 2022-05-24 16:22, John Curran wrote:
> On 24 May 2022, at 4:39 PM, niels=nanog@bakker.net wrote:
>> * nanog@nanog.org (Laura Smith via NANOG) [Tue 24 May 2022, 22:22 CEST]:
>>> It's 2022. Do we really still need a consultation on why mandatory 2FA is a good thing? Even more so for something like ARIN?
>>
>> To many of us in 2022 it's clear that SMS 2FA isn't necessarily a good way to protect critical infrastructure, but apparently ARIN does need a consultation for that.
>
> Niels -
>
> I can think of several reasons why "SMS 2FA isn't necessarily a good way to protect critical infrastructure"…
>
> Of course, there's also the point that requiring 2FA for everyone – even if just SMS – would still be a superior state of affairs than the present condition (wherein 97% of ARIN Online users rely on just a password, and this despite 2FA via TOTP being available for ARIN Online accounts for years…)

What about an optional additional second factor of sending out an email with digits to enter or a link to confirm login / some other critical operation?

> There could easily be some operational concerns resulting from making 2FA authentication mandatory of which we on the ARIN staff are not aware, so we conduct a consultation. Your voice can be part of that consultation, but again it's taking place on the arin-consult mailing list (open to all) – not here.