ACSP Consultation: Advanced Security Features for ARIN Online
Posted: Thursday, 16 April 2020
ACSP/Surveys
Security for ARIN Online accounts as it exists today is described on our website, and includes optional Two-factor Authentication, API keys, and Pretty Good Privacy (PGP) Authentication. More information about these security features can be found at:
https://www.arin.net/reference/materials/security/
Over the last several years, we have received multiple ARIN Consultation and Suggestion Process (ACSP) requests and fielded many customer suggestions about ways ARIN might improve security for our online customer accounts.
These suggestions include:
- 2017.1: Two-factor functionality improvement: https://www.arin.net/participate/community/acsp/suggestions/2017-1/
- 2018.22: Align ARIN password policy with current NIST SP800-63 recommendations: https://www.arin.net/participate/community/acsp/suggestions/2018-22/
- 2019.14: Implement FIDO2 (WebAuthn) for ARIN Online: https://www.arin.net/participate/community/acsp/suggestions/2019-14/
Based on this community input as well as suggestions received through other channels, we are opening a consultation to solicit feedback on a number of potential security improvements that are under consideration. We are specifically interested in your thoughts on a number of specific suggestions, listed below:
- ARIN uses challenge questions to verify users who are seeking to restore access to their ARIN Online user account and to complete other actions. It has been suggested that we eliminate the use of challenge questions for customer account verification in favor of other security measures.
- Utilizing a personal passcode and/or SMS push codes to a mobile device for password resets and other account actions
- Changing password length and entry requirements to better align with NIST SP800-63 recommendations
- Requiring the use of Two-factor Authentication (2FA) on all accounts, or allowing Admin Points of Contact (POCs) to control permissions on access to their Organization Records to only allow access from associated POCs who have 2FA on their user accounts
The feedback you provide during this consultation will help inform how we move forward with improvements to the security of ARIN Online and customer account access. We also are interested in hearing about other ideas to improve the security of ARIN Online interactions that are not listed above. Thank you for your participation in the ARIN Consultation and Suggestion Process.
Please provide comments to arin-consult@arin.net. You can subscribe to this mailing list at:
http://lists.arin.net/mailman/listinfo/arin-consult
This consultation will remain open through 5:00 PM ET on Friday, 15 May 2020.
Regards,
John Curran
President and CEO
American Registry for Internet Numbers (ARIN)
Recent Announcements
- ARIN Announces the Final Slate of Candidates for the 2021 ARIN Elections
- ARIN 48 Begins Today
- ARIN 48 Hotel Discount Expires Soon
- Rank the Proposed Questions for the 2021 ARIN Election Candidate Forums
- ARIN Has a New Blog
- Congratulations to ARIN 48 Selected Fellows
- Submit Your Questions for Candidates in the 2021 ARIN Elections
- NRO Number Council Candidates Announced for the ARIN Region
- Meet the Initial Slate of Candidates for the 2021 ARIN Elections; Petition Period Open
- Don't Miss the Second Chance to Join Us - Enhance your Routing Security Using ARIN's Hosted RPKI
- » View Archive