Results of Consultation on Expanding 2FA Options in ARIN Online
Posted: Tuesday, 21 March 2023
ACSP/Surveys
On 1 November 2022, ARIN announced that we will require two-factor authentication (2FA) on all ARIN Online accounts beginning 1 February 2023. ARIN currently has three options for customers to set up 2FA on their ARIN Online accounts. Following the announcement of the planned enforcement date of 1 February 2023, we received several suggestions for further expansion of our authentication offerings, including:
- Allowing email as an authentication method
- Enabling SMS support for customers who reside outside of the ARIN service region
- Allowing registration of multiple hardware security keys
In January 2023, ARIN conducted Community Consultation 2023.1 on expanding the available 2FA options in ARIN Online. The consultation was held for two weeks and received a total of 36 comments. After reviewing the feedback received, we have determined a path forward on each of the three topics.
Allowing Email as an Authentication Method
Noting the number of security concerns raised by the community and ARIN’s internal engineering and security departments, ARIN will not be including email as an additional authentication method for ARIN Online.
Enabling SMS Support For Customers Who Reside Outside of the ARIN Service Region
Feedback on this topic was mixed; however, in reviewing staff experience since implementation in January, we have had several out-of-region customers inquire about SMS, and staff successfully redirected them to set up 2FA using Time-based One-time Password (TOTP) authentication methods. There have been no instances where customers have been unable to set up 2FA because SMS was unavailable to them. To this date, ARIN is not aware of any instances where a customer has been unable to fully implement 2FA on their ARIN Online account using another authentication method because SMS was unavailable. We will revisit offering SMS outside the ARIN region if we hear from customers who are unable to use the other 2FA methods.
Allowing Registration of Multiple Hardware Security Keys
The consultation feedback showed clear support from the community for expanding the number of security keys allowed on an account, and it is within scope for our Engineering department to enable that functionality. However, less than two percent of accounts have registered security keys as an authentication option, and we have placed it on our development roadmap where it is pending prioritization.
ARIN thanks those who provided valuable feedback during this consultation. We rely on this input from our members and community to help steer the organization as we continue our mission in support of the operation and growth of the Internet.
Regards,
John Curran
President and CEO
American Registry for Internet Numbers (ARIN)
Recent Announcements
- Apply Now for an ARIN Community Grant
- Consultation on Approaches for Adjusting the ARIN Registration Services Plan Fee Schedule
- Nomination Committee Volunteers Needed
- ARIN 53 Begins Today
- IPv4 Waiting List Distribution
- 2023 Annual Report Now Available
- REMINDER — Email Template Retirement Scheduled for 3 June 2024
- ARIN on the Road is heading to Reno and Kansas City this spring!
- New Features Added to ARIN Online
- Results of Consultation on RPKI/BGP Intelligence
- » View Archive