Results of Consultation on Expanding 2FA Options in ARIN Online
Posted: Tuesday, 21 March 2023
On 1 November 2022, ARIN announced that we will require two-factor authentication (2FA) on all ARIN Online accounts beginning 1 February 2023. ARIN currently has three options for customers to set up 2FA on their ARIN Online accounts. Following the announcement of the planned enforcement date of 1 February 2023, we received several suggestions for further expansion of our authentication offerings, including:
- Allowing email as an authentication method
- Enabling SMS support for customers who reside outside of the ARIN service region
- Allowing registration of multiple hardware security keys
In January 2023, ARIN conducted Community Consultation 2023.1 on expanding the available 2FA options in ARIN Online. The consultation was held for two weeks and received a total of 36 comments. After reviewing the feedback received, we have determined a path forward on each of the three topics.
Allowing Email as an Authentication Method
Noting the number of security concerns raised by the community and ARIN’s internal engineering and security departments, ARIN will not be including email as an additional authentication method for ARIN Online.
Enabling SMS Support For Customers Who Reside Outside of the ARIN Service Region
Feedback on this topic was mixed; however, in reviewing staff experience since implementation in January, we have had several out-of-region customers inquire about SMS, and staff successfully redirected them to set up 2FA using Time-based One-time Password (TOTP) authentication methods. There have been no instances where customers have been unable to set up 2FA because SMS was unavailable to them. To this date, ARIN is not aware of any instances where a customer has been unable to fully implement 2FA on their ARIN Online account using another authentication method because SMS was unavailable. We will revisit offering SMS outside the ARIN region if we hear from customers who are unable to use the other 2FA methods.
Allowing Registration of Multiple Hardware Security Keys
The consultation feedback showed clear support from the community for expanding the number of security keys allowed on an account, and it is within scope for our Engineering department to enable that functionality. However, less than two percent of accounts have registered security keys as an authentication option, and we have placed it on our development roadmap where it is pending prioritization.
ARIN thanks those who provided valuable feedback during this consultation. We rely on this input from our members and community to help steer the organization as we continue our mission in support of the operation and growth of the Internet.
President and CEO
American Registry for Internet Numbers (ARIN)
- Volunteer to Serve on the 2024 ARIN Fellowship Selection Committee
- Now Closed — Consultation on Email Template Processor Retirement
- Time is Running Out! The Annual Fee Cap for New LRSA Entrants Expires on 31 December 2023
- ARIN Completes SOC 2 Type 2 Audit and PCI DSS Certification
- ARIN 52 Meeting Report Now Available
- Consultation on Retiring Email Templates
- 2023 ARIN Election Results
- ARIN Board Appoints Kevin Blumberg to NRO NC
- Voting Now Open for the 2023 ARIN Elections
- ARIN 52 Begins Today
- » View Archive