Results of Consultation on Requiring Two-Factor Authentication for All ARIN Online Accounts

Posted: Thursday, 25 August 2022

Thank you to the ARIN community for the robust discussion on requiring two-factor authentication (2FA) for all ARIN Online accounts. There was spirited input both in favor and in opposition to this change.

ARIN finds itself in a difficult situation, as the evidence of ongoing aggressive attempts to compromise accounts poses risks both to customers and the integrity of the registry. ARIN has offered the option of TOTP (Time-Based One-Time password) 2FA since 2015, but customer adoption of 2FA remains low – in part due to the perceived complexity involved. We have completed the implementation of SMS-based 2FA, and it is now available to all ARIN customers.

The addition of SMS-based 2FA provides a second option that is easier and more familiar to many customers, and allows ARIN to address the ongoing threats to the registry by requiring that two-factor authentication be enabled on all accounts going forward.

Requiring two-factor authentication for all accounts is the responsible course of action for ARIN to appropriately safeguard registry integrity. While it was noted in the consultation that SMS-based authentication is a fairly weak 2FA option, those customers seeking more rigorous authentication will be able to select the 2FA option to use for their accounts, and based on the consultation feedback, we have added a third 2FA option (FIDO2) to our long-term development roadmap.

Thank you for your participation in the consultation and in helping make ARIN’s services more secure!

Regards,

John Curran
President and CEO
American Registry for Internet Numbers (ARIN)