Update on ARIN’s Multifactor Authentication (MFA) Enforcement for ARIN Online

Posted: Wednesday, 17 July 2024

As of 1 February 2023, ARIN requires multifactor authentication (MFA) on all new ARIN Online accounts. Users with accounts created before February 2023 were notified and encouraged to log in at their earliest opportunity, where they would be prompted to set up MFA. This step was taken to provide stronger security for the registry, reduce the risk of fraud, and increase confidence in the integrity of their ARIN resources. As of 15 July 2024, 154,974 of accounts have not completed MFA setup; of these, 135,122 are not associated with any Internet number resources.

On 8 July, ARIN staff detected that several accounts that had not yet set up MFA had been accessed by parties that were not the owners of the accounts. This impacted two accounts with directly allocated resources and 102 accounts with no resources allocated. ARIN staff have taken action to correct the compromised accounts with direct resources and restore them to the rightful resource holders; ARIN disabled the accounts that were not associated with any resources.

ARIN is continuing to take steps to secure the registry by enforcing MFA through the following actions:

  • ARIN has locked all user accounts created prior to February 2023 that are not associated with resources and that have not set up MFA. These users will need to contact Registration Services during ARIN operating hours, 7:00 AM to 7:00 PM ET, Monday through Friday, to unlock and set up MFA and regain access to ARIN Online.
  • We are engaged in direct communications with account holders linked to organizations with direct allocations, detailed reassignments, and reallocations who have not yet enabled MFA on their accounts. These users will be required to set up MFA within 60 days or their accounts will be locked, and they will need to contact Registration Services during ARIN operating hours, 7:00 AM to 7:00 PM, ET Monday through Friday, to unlock and set up MFA and regain access to ARIN Online.
  • Going forward, ARIN will continuously monitor MFA activations for unusual behavior that would indicate potentially compromised accounts and take appropriate actions if needed.

ARIN relies on the support of its customers to ensure the accuracy and security of the registry. We rely on all our customers to follow best practices for account security and to report any suspicious activity to us immediately.

Regards,

John Curran
President and CEO
American Registry for Internet Numbers (ARIN)

Helpful Resources:
Need help setting up your MFA? Visit https://www.arin.net/MFA to get started. You’ll find guides on enabling MFA via an authenticator application, SMS, and security key hardware.

We also provide information on how to receive and save your MFA recovery codes, as well as what to do if you’ve lost access to your authenticator app, SMS phone number, or security key.