Hardware tokens for ARIN Online Accounts 2FA
ARIN, American Registry for Internet Numbers , has recently announced its intention to make 2FA mandatory for all existing and new ARIN Online accounts. In this article, we will show how one of Token2 Programmable TOTP hardware tokens can be used as a second factor for ARIN Online accounts 2FA protection.
Enabling Two-factor Authentication
1. Obtain a compatible programmable TOTP token and be ready to program it
· You can use any Token2 programmable TOTP hardware token with your ARIN Online account, as all of them meet the requirements set forth in RFC 6238 . However, it is not fully clear if ARIN supports the automatic time drift adjustment as mentioned in RFC 6238, part 6. To be on a safe side, we recommend the models with unrestricted time sync.
· In addition, you need an NFC-enabled device and/or the app for the provisioning for the enrollment process only. For USB-programmable tokens, you will need just the USB Config application. Subsequent logins will utilize only the hardware token itself, the burner/config app will not be needed.
2. Log in to your ARIN Online account and select Settings from the menu under your name.
3. In the Security Info section, choose Manage Two-Factor Authentication from the Actions menu.
4. Choose Enable 2FA.
5. Confirm your choice. The next window displays a message that two-factor authentication is enabled, and allows you to set up your authenticator.
To burn the hardware token:
- Launch the NFC burner app on your Android device and hit the "QR" button
- Point the camera to the QR code shown on the account page. Upon a successful QR scan, the camera window should disappear
- Turn on the token and touch it with your phone (make sure it is overlapped by the NFC antenna) and click "Connect" on the app
- Upon successful connection, click the "Burn seed" button. If NFC link is established and the code is correctly scanned, you should see a status window showing "Burning..." and eventually (in a second or two), "burn seed successful.." message in the log window
Follow the steps below to perform setting the seed for your token using Windows App.
1. Launch the exe file, then select the NFC device from the drop-down list and click on "Connect". You should see a message box notifying about a successful operation.
2. Enter or paste the seed in base32 format, or use one of the QR scanning methods to populate this field
3. Place the token onto the NFC module and wait for its serial number to appear.
4. Click on "Burn seed" button. A log entry with the serial number and "Successful operation" text will be logged in the log window.
- Launch the NFC burner app on your iPhone device and hit the "scan QR" button
- Point the camera to the QR code shown on the account page. Upon a successful QR scan, the camera window should disappear and the seed field will be populated with the hex value of the seed
- Touch the Burn button, then turn on the token and touch the top of your iPhone with the token
- Check the results of the process in the Results log field
Turn the hardware token off, then on again. Your hardware token should start providing time-based six-digit codes. To test your authentication, enter the time-based code into the field in ARIN Online and choose Verify Your Code. If successful, the system displays a message that your code was verified.
After two-factor authentication is enabled, ARIN Online will request that you enter a time-based code provided by your hardware token every time you log in to ARIN Online. After entering your username and password into ARIN Online, you’ll need to enter the code from the authenticator and choose Continue.
When you configure two-factor authentication for the first time in ARIN Online, the Setup page will also display an Emergency Reset Code that can be used if you lose access to your authenticator. You can enter this code to remove two-factor authentication from your account and log in to ARIN Online.
Important: Save the Emergency Reset Code in a password management tool, print it out, or write it down and store it in a safe place. This code will only be displayed once.
Refreshing Your Two-factor Authentication Key
To receive a new two-factor authentication key (for example, if you are using a new authenticator):
1. Log in to your ARIN Online account and select Settings from the menu under your name.
2. In the Security Info section, choose Manage Two-Factor Authentication from the Actions menu.
3. Choose Generate New Key/QR Code. Follow the steps in Enabling Two-factor Authentication.
You will not be able to recover your previous two-factor authentication key, and you will need to synchronize your authenticator with the new key.
Disabling Two-factor Authentication
If you can access your third-party authenticator:
1. Log in to your ARIN Online account and select Settings from the menu under your name.
2. In the Security Info section, from the Actions menu, choose Manage Two-Factor Authentication.
3. Choose Disable 2FA.
4. Confirm your choice.
If you cannot access your third-party authenticator, follow the instructions in Lost Access to Your Token section.
Lost Access To Your Token?
If you have lost access to your hardware token and cannot log in to your account, but you do have your 31-character Emergency Reset Code:
1. Enter your username and password to log in to your ARIN Online account.
2. When prompted to enter your two-factor authentication code, choose Lost access to your authenticator?
3. In the Reset Code Field, enter your 31-character Emergency Reset Code.
4. You will be sent an email containing a link to disable two-factor authentication. Click the link or copy and paste it into your web browser.
If you cannot log into your account and you do not have your 31-character reset code:
1. Call ARIN Registration Services at +1 703-227-0660, Monday - Friday, 7:00 AM - 7:00 PM.
2. Provide the answers to your account security questions.
Subscribe to our mailing list
Want to keep up-to-date with the latest Token2 news, projects and events? Join our mailing list!