NANOGers - A consultation opened today on potentially requiring use of 2-factor authentication to login into ARIN Online – this would take place once SMS 2FA is deployed. If you think that this is: a) a great idea, b) a bad idea, c) anything else, then feel free to subscribe to the arin-consult mailing list (open to all at http://lists.arin.net/mailman/listinfo/arin-consult) and provide your feedback. Best wishes, /John John Curran President and CEO American Registry for Internet Numbers Begin forwarded message: From: ARIN <info@arin.net<mailto:info@arin.net>> Subject: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts Date: 24 May 2022 at 12:45:48 PM EDT To: "arin-announce@arin.net<mailto:arin-announce@arin.net>" <arin-announce@arin.net<mailto:arin-announce@arin.net>> **Background** In 2015, ARIN deployed a Time-Based One-Time password (TOTP) implementation of Two-Factor Authentication (2FA). Since the time of implementing that login security feature, 3.2 percent of ARIN Online users have opted to use 2FA with their accounts. Since October 2020, the ARIN Online system has been subject to a series of dictionary-based password guessing attacks. In March of 2021, we conducted ACSP Consultation 2021.2: Password Security for ARIN Online Accounts (https://www.arin.net/participate/community/acsp/consultations/2021/2021-2/) on proposed improvements to increase account security. This consultation resulted in an agreement to move forward with several improvements that have subsequently been deployed. However, we continue to see frequent attacks on our log-in systems, and ARIN staff continues to be heavily engaged in mitigating these attacks. Accounts not using 2FA are susceptible to these attacks. We recently updated the community on this topic during ARIN 49 held in Nashville and online in April. You can review this information from the ARIN 49 Meeting Report (https://www.arin.net/participate/meetings/ARIN49/) by looking for the presentation titled “Brute Force Login Attacks”. It is our intention to make 2FA mandatory for all existing and new ARIN Online accounts going forward. The security of ARIN Online accounts is paramount to the success of the registry, and we do not believe it is tenable to continue without making 2FA required for all ARIN Online accounts. We are currently developing a second method of 2FA use with ARIN Online to add to our long-deployed TOTP implementation. In the coming months, we will deploy a Short Message Service (SMS) 2FA implementation, thereby adding a second 2FA option for ARIN Online users. At that time, users will be able to choose between two types of 2FA – SMS and TOTP. Adoption of TOTP 2FA has been limited in part due to perceived complexity, and the addition of SMS-based 2FA will provide a second option that is easier to use for many customers – and provide much more protection than the simple username-password condition of many ARIN Online user accounts today. (ARIN also plans on adding support for a third 2FA option in the future – Fast Identity Online 2 (FIDO2) – in response to community suggestions, but we do not believe it is prudent to delay requiring 2FA on ARIN Online accounts until that third option becomes available.) **Requiring 2FA For ARIN Online Accounts** By requiring 2FA for ARIN Online accounts that control number resources, the ARIN community should see stronger security for the registry, reduced risk of account fraud attempts, and increased confidence in the integrity of their ARIN resources. ARIN intends to require 2FA for all ARIN Online accounts shortly after SMS-based 2FA authentication is generally available. We are seeking confirmation from the ARIN community regarding this plan, and ask the following consultation question: ------------------- Once SMS-based two-factor authentication (2FA) is available for ARIN Online, do you believe ARIN *should not* proceed with requiring 2FA authentication (SMS-based or TOTP) for all ARIN Online accounts? If so, why? ------------------- The feedback you provide during this consultation will help form our path forward to increasing the security of ARIN Online for all customers. Thank you for your participation in the ARIN Consultation and Suggestion Process. Please provide comments to arin-consult@arin.net<mailto:arin-consult@arin.net>. You can subscribe to this mailing list at: http://lists.arin.net/mailman/listinfo/arin-consult This consultation will remain open through 5:00 PM ET on 24 June 2022. Regards, John Curran President and CEO American Registry for Internet Numbers (ARIN) _______________________________________________ ARIN-Announce You are receiving this message because you are subscribed to the ARIN Announce Mailing List (ARIN-announce@arin.net). Unsubscribe or manage your mailing list subscription at: https://lists.arin.net/mailman/listinfo/arin-announce Please contact info@arin.net if you experience any issues.