ACSP Suggestion 2022.28: Add Email as a Two-Factor Authentication Method

Suggestion

Author: Al Whaley   
Submitted On: 03 November 2022

Description: Allow email for 2FA (two-factor authentication) for accessing an ARIN account.

Value to Community: Many of us are not allowed to use personal cell phones for professional work, a restriction that seems appropriate. Limiting authentication to cell phones is not professional. Using work emails is professional. Security is generally better with email than with SMS. At a minimum, email should be an option for 2FA for accessing our ARIN accounts.

Timeframe: Not specified

Status: Closed   Updated: 20 March 2024

Tracking Information

ARIN Comment

20 March 2024

Thank you for your suggestion, numbered 2022.28, in which you requested that ARIN allow the use of email for two-factor authentication (2FA). This suggestion was brought forward during a community consultation in January 2023. However, after careful consideration of the concerns expressed by the community, alongside reservations from ARIN’s Engineering Department and Chief Information Security Officer, ARIN has decided against introducing email as an authentication method for ARIN Online.

We understand the importance of providing secure and convenient authentication options for our users. It’s essential to clarify that SMS is not the sole method for 2FA within ARIN Online. We also support hardware or software tokens using Time-based One-time Password authentication as an alternative, which results in a range of choices to accommodate different user preferences and security needs.

Given this decision, we are closing this suggestion. We appreciate your active participation in the ARIN Consultation and Suggestion Process and your commitment to enhancing the security and usability of ARIN Online.

Thank you,

John Curran
President and CEO
American Registry for Internet Numbers

7 November 2022

Thank you for your suggestion, numbered 2022.28 on confirmed receipt, requesting that ARIN allow email for two-factor authentication (2FA).

ARIN will have four options for customers to set up 2FA on their ARIN Online accounts prior to 1 February 2023, when we require accounts to be secured:

  • Time-based One-time Password (TOTP) using an authenticator of your choice
  • Short Message Service (SMS) or Voice Call for customers within the ARIN service region
  • FIDO2/Passkey (available January 2023)

We continue to receive input from customers for additional options, and plan to conduct a Community Consultation to assess support for continued development related to 2FA for ARIN Online accounts. Your suggestion will remain open pending the outcome of the consultation and any potential related development effort.

Thank you for participating in the ARIN Consultation and Suggestion Process.

Regards,

American Registry for Internet Numbers (ARIN)