ACSP Suggestion 2021.2: Offer Web Authentication (WebAuthn) and FIDO2 Security Key Support
Author: Job Snijders
Submitted On: 25 January 2021
Description: The ARIN Online website should offer Web Authentication (WebAuthn) support in order for ARIN members to be able to secure their accounts using FIDO2 Security Keys.
Value to Community: Given the risk a compromise of one’s ARIN Online account could represent to one’s business, additional measures to prevent unauthorized account access are beneficial. Support for FIDO2 will allow ARIN members to additionally protect their account by requiring a “Security Key” (a physical device). FIDO2 is successor to traditional Multi-Factor Authentication mechanisms such as SMS OTPs or TOTPs. In contrast to TOPT keys (which exist just as a copy-able string), the main advantage of FIDO2 Security Keys is that they cannot be copied, as the keys are stored in a HSM. FIDO2 is an open standard, Security Keys can be obtained from a number of different vendors at low cost.
Timeframe: Not specified
Status: Open Updated: 03 February 2021
3 February 2021
Thank you for your suggestion, numbered 2021.2 upon receipt, requesting that ARIN offer Web Authentication (WebAuthn) and FIDO2 security key support. This suggestion appears to be a duplicate of ACSP 2019.14: Implement FIDO2 (WebAuthn) for ARIN Online. Both of these suggestions will remain open for consideration alongside other potential improvements to our ARIN Online login functionality for inclusion on our future work plan.