
Today's Topics:

   1. Re: Consultation on Requiring Two-Factor Authentication (2FA)
      for ARIN Online Accounts (Matthew Pounsett)
   2. Re: Consultation on Requiring Two-Factor Authentication (2FA)
      for ARIN Online Accounts (Adam Thompson)
   3. Re: Consultation on Requiring Two-Factor Authentication (2FA)
      for ARIN Online Accounts (Matt Harris)


----------------------------------------------------------------------

Message: 1
Date: Tue, 24 May 2022 17:22:05 -0400
From: Matthew Pounsett <m...@conundrum.com>
To: arin-consult@arin.net
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
        Authentication (2FA) for ARIN Online Accounts
Message-ID:
        <CAAiTEH_kip45eh+oar6=r_w-kubrz76u2mkjpm9vx9a0bxg...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

I agree with making 2FA required on all accounts. SMS is absolutely less
secure than other 2FA options, but more secure than no 2FA at all. This
would be a marginal security improvement for users, and from the sounds of
things a massive decrease in workload for staff.

However, given the known problems with SMS, I would urge staff to make it
possible for those of us with other 2FA methods configured to be able to
*disable* SMS 2FA on our accounts, to prevent it from ever being used even
as a fallback authentication method.  Additionally, if SMS-based password
recovery is ever on the table I would like to be able to indicate that it
should never be available for recovery for my account.

As RS says, I'm happy FIDO is on the roadmap, but I don't see a reason to
wait for it to be ready before making 2FA mandatory.

------------------------------

Message: 2
Date: Tue, 24 May 2022 21:35:38 +0000
From: Adam Thompson <athomp...@merlin.mb.ca>
To: "arin-consult@arin.net" <arin-consult@arin.net>
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
        Authentication (2FA) for ARIN Online Accounts
Message-ID:
        <yqxpr01mb63266274b172de47da449ec79b...@yqxpr01mb6326.canprd01.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"

SMS-based authentication is fine, as long as:
a) it isn't limited to a maximum of one phone number, 
b) ARIN doesn't mistakenly try to determine what #s are truly cell phones (vs. 
floating #s, voip systems, etc.) and 
c) choice of 2FA system (SMS vs OTP) isn't an XOR selection, i.e. any supported 
2FA system can be used to login at any given time.

I spend a non-negligible amount of time working in areas without cell phone 
reception, and/or where I need a different SIM card (and thus phone #) to get 
service. I can have up to 3 valid cell #s at any given time, only 1 or 2 of 
which might be active/reachable/valid at the moment.

Then, some other websites have determined that one of my cell#s isn't really a 
cell#, so refuse to send SMS messages there... kind of a problem.  I don't know 
what database or service they use, and I've found no way around the problem so 
far.  (For those about to comment, it's an OTT follow-me phone#, not a standard 
cell#.  I still get and send SMS messages there through a separate app.)

Beyond the sheer usability problems when you aren't in a populated area, and/or 
aren't working inside accidental faraday cages (e.g. one of the sites I visit), 
SMS has a whole host of security concerns.  It's still better than **nothing at 
all**, but IMHO should be considered a stop-gap measure.

I believe TOTP and/or FIDO both require significant user education, even among 
ARIN users, and AFAIK no user-friendly guides exist today.

-Adam

Adam Thompson
Consultant, Infrastructure Services
MERLIN
100 - 135 Innovation Drive
Winnipeg, MB R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
https://www.merlin.mb.ca
Chat with me on Teams: athomp...@merlin.mb.ca

> -----Original Message-----
> From: ARIN-announce <arin-announce-boun...@arin.net> On Behalf Of ARIN
> Sent: Tuesday, May 24, 2022 11:46 AM
> To: arin-annou...@arin.net
> Subject: [arin-announce] Consultation on Requiring Two-Factor
> Authentication (2FA) for ARIN Online Accounts
> 
> **Background**
> 
> In 2015, ARIN deployed a Time-Based One-Time password (TOTP)
> implementation of Two-Factor Authentication (2FA). Since the time of
> implementing that login security feature, 3.2 percent of ARIN Online
> users have opted to use 2FA with their accounts.
> 
> Since October 2020, the ARIN Online system has been subject to a
> series of dictionary-based password guessing attacks. In March of
> 2021, we conducted ACSP Consultation 2021.2: Password Security for
> ARIN Online Accounts
> (https://www.arin.net/participate/community/acsp/consultations/2021/2021-2/)
> on proposed improvements to increase account security. This
> consultation resulted in an agreement to move forward with several
> improvements that have subsequently been deployed. However, we
> continue to see frequent attacks on our log-in systems, and ARIN staff
> continues to be heavily engaged in mitigating these attacks. Accounts
> not using 2FA are susceptible to these attacks. We recently updated
> the community on this topic during ARIN 49 held in Nashville and
> online in April. You can review this information from the ARIN 49
> Meeting Report (https://www.arin.net/participate/meetings/ARIN49/) by
> looking for the presentation titled "Brute Force Login Attacks".
> 
> It is our intention to make 2FA mandatory for all existing and new
> ARIN Online accounts going forward. The security of ARIN Online
> accounts is paramount to the success of the registry, and we do not
> believe it is tenable to continue without making 2FA required for all
> ARIN Online accounts.
> 
> We are currently developing a second method of 2FA use with ARIN
> Online to add to our long-deployed TOTP implementation. In the coming
> months, we will deploy a Short Message Service (SMS) 2FA
> implementation, thereby adding a second 2FA option for ARIN Online
> users. At that time, users will be able to choose between two types of
> 2FA: SMS and TOTP. Adoption of TOTP 2FA has been limited in part
> due to perceived complexity, and the addition of SMS-based 2FA will
> provide a second option that is easier to use for many customers, and
> provide much more protection than the simple username-password
> condition of many ARIN Online user accounts today. (ARIN also plans
> on adding support for a third 2FA option in the future, Fast Identity
> Online 2 (FIDO2), in response to community suggestions, but we do not
> believe it is prudent to delay requiring 2FA on ARIN Online accounts
> until that third option becomes available.)
> 
> **Requiring 2FA For ARIN Online Accounts**
> 
> By requiring 2FA for ARIN Online accounts that control number
> resources, the ARIN community should see stronger security for the
> registry, reduced risk of account fraud attempts, and increased
> confidence in the integrity of their ARIN resources.
> 
> ARIN intends to require 2FA for all ARIN Online accounts shortly after
> SMS-based 2FA authentication is generally available.  We are seeking
> confirmation from the ARIN community regarding this plan, and ask the
> following consultation question:
> 
> -------------------
> Once SMS-based two-factor authentication (2FA) is available for ARIN
> Online, do you believe ARIN *should not* proceed with requiring 2FA
> authentication (SMS-based or TOTP) for all ARIN Online accounts?  If
> so, why?
> -------------------
> 
> The feedback you provide during this consultation will help form our
> path forward to increasing the security of ARIN Online for all
> customers. Thank you for your participation in the ARIN Consultation
> and Suggestion Process. Please provide comments to arin-
> cons...@arin.net. You can subscribe to this mailing list at:
> 
> http://lists.arin.net/mailman/listinfo/arin-consult
> 
> This consultation will remain open through 5:00 PM ET on 24 June 2022.
> 
> Regards,
> 
> John Curran
> President and CEO
> American Registry for Internet Numbers (ARIN)
> 
> 
> _______________________________________________
> ARIN-Announce
> You are receiving this message because you are subscribed to
> the ARIN Announce Mailing List (arin-annou...@arin.net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-announce
> Please contact i...@arin.net if you experience any issues.

------------------------------

Message: 3
Date: Tue, 24 May 2022 16:45:58 -0500
From: Matt Harris <m...@netfire.net>
To: Adam Thompson <athomp...@merlin.mb.ca>
Cc: "arin-consult@arin.net" <arin-consult@arin.net>
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
        Authentication (2FA) for ARIN Online Accounts
Message-ID:
        <cahdm835ekr2abd-x2pjpukseulotgv_adw3ynujmg6qoj0o...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

On Tue, May 24, 2022 at 4:35 PM Adam Thompson <athomp...@merlin.mb.ca>
wrote:

> c) choice of 2FA system (SMS vs OTP) isn't an XOR selection, i.e. any
> supported 2FA system can be used to login at any given time.
> I believe TOTP and/or FIDO both require significant user education, even
> among ARIN users, and AFAIK no user-friendly guides exist today.
>
> -Adam
>

A couple of points here:

For one, I would never want SMS 2FA to be allowed on my account. I have had
TOTP set up for years with no issues. Adding an additional vulnerability to
my existing strong configuration is not acceptable. So indeed, if SMS is an
option that 2FA users can opt into, it must be that, and not something that
those of us with TOTP configurations currently need to opt out of, or
worse, are forced to accept.

Another is that I disagree that TOTP or FIDO require significant user
education. TOTP apps for Android and iOS are readily available and easy to
use: in most of them (Google Authenticator is a good example, and if you
don't want to use Google's app, you can also check out Duo (owned by Cisco)
or any number of other apps), the process is simply to click add account,
point your device's camera at the QR code associated with the account which
you'll be presented with during setup, and off you go. FIDO isn't
significantly more difficult when using a YubiKey with modern browsers.

- mdh

Matt Harris|VP of Infrastructure
816-256-5446|Direct
Looking for help?
Helpdesk|Email Support
We build customized end-to-end technology solutions powered by NetFire Cloud.

------------------------------

End of ARIN-consult Digest, Vol 90, Issue 3
*******************************************