Send ARIN-consult mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.arin.net/mailman/listinfo/arin-consult
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ARIN-consult digest..."
Today's Topics:
1. 2FA TOTP Required: I support (Peter Beckman)
2. Re: Consultation on Requiring Two-Factor Authentication (2FA)
for ARIN Online Accounts (Chris Woodfield)
3. Re: Consultation on Requiring Two-Factor Authentication (2FA)
for ARIN Online Accounts (Max Krivanek)
----------------------------------------------------------------------
Message: 1
Date: Tue, 24 May 2022 18:49:21 -0400
From: Peter Beckman <[email protected]>
To: [email protected]
Subject: [ARIN-consult] 2FA TOTP Required: I support
Message-ID: <[email protected]>
Content-Type: text/plain; format=flowed; charset=US-ASCII
I'm writing in support of moving away from Two-Factor Authentication by SMS
to Two-Factor Authentication by TOTP (application-based).
I run a phone company and changing SMS routing without changing the Voice
routing is far too easy and lacking enough controls and notifications about
such changes, which puts SMS OTP at risk for abuse and theft.
While TOTP may not be as secure as a physical token, it is harder to steal,
only good for 30 seconds, and does not transit any 3rd party network (such
as with SMS) that can be externally intercepted.
I strongly believe that TFA should be required, for ARIN as well as most
any web service that authenticates users.
Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy
[email protected] https://www.angryox.com/
---------------------------------------------------------------------------
------------------------------
Message: 2
Date: Tue, 24 May 2022 17:25:07 -0700
From: Chris Woodfield <[email protected]>
To: [email protected]
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
Authentication (2FA) for ARIN Online Accounts
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
<speaking_for_myself.disclaimer>
If given the choice between an SMS-based second factor and no second factor at
all, which would you choose?
I agree that SMS is the weakest form of 2FA of the options being considered,
and I would not be happy with a system that only supported it and did not
support TOTP or FIDO2. I would find it highly unlikely, however, that requiring
2FA for logins and *not* allowing SMS as an option will prove a successful
approach - it's Just Complex Enough that I can see a far-too-large
segment of ARIN's user base requiring quite a bit of support to enable it.
-C
> On May 24, 2022, at 12:23 PM, Max Krivanek via ARIN-consult
> <[email protected]> wrote:
>
> Hi,
>
> I find SMS highly insecure since it can be intercepted (it goes across the
> system in plain text, similar to HTTP) and there is also SIM hijacking. This
> article by Krebs goes into more detail of why it's insecure.
> https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/
> <https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/>
>
> The fact that major financial institutions use it is a detriment to them. As
> TOTP or FIDO2 are way more secure. But this is where reality hits the road.
> Most people will not want to set up TOTP or FIDO2, but as long as those of us
> who are more security minded can make sure SMS or the phone number in general
> cannot be used for authentication purposes I would be fine with including it
> as a stop gap.
>
> On Tue, May 24, 2022 at 1:59 PM Richard Laager <[email protected]
> <mailto:[email protected]>> wrote:
> I believe ARIN absolutely should require 2FA. Your actual experience with
> dictionary attacks confirms that.
>
> SMS 2FA seems like a pragmatic compromise. I'm aware that SMS is generally
> considered a less secure 2nd factor, but: 1) I'm not sure how much less
> secure it really is. It obviously cannot be worse than a password alone. 2)
> Major financial institutions seem okay with it. 3) It might be necessary in
> practice to get people to turn on / accept 2FA.
>
> You will have to think hard about recovery procedures. They will become the
> weak link in the security.
>
> --
> Richard
> _______________________________________________
> ARIN-Consult
> You are receiving this message because you are subscribed to the ARIN Consult
> Mailing
> List ([email protected] <mailto:[email protected]>).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-consult
> <https://lists.arin.net/mailman/listinfo/arin-consult> Please contact the
> ARIN Member Services
> Help Desk at [email protected] <mailto:[email protected]> if you experience any
> issues.
>
>
> --
> Max Krivanek
> Managing Member
> CodingDirect <http://www.codingdirect.com/>
>
> Phone: (682) 232-4867
------------------------------
Message: 3
Date: Tue, 24 May 2022 23:40:29 -0500
From: Max Krivanek <[email protected]>
To: [email protected]
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
Authentication (2FA) for ARIN Online Accounts
Message-ID:
<cal-p6dyf_ye3znaok2pd5gydxgf5-7b1zf9ubc6s0_vj-pr...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
The problem that I'm concerned about is that a lot of organizations that
add SMS 2FA often end up resorting to it as a crutch. So let's say that
person A did set up TOTP. But then person B finds enough information about
person A to do a social engineering attack. Person B still doesn't have
access to person A's TOTP application, but they know person A's phone
number (this is generally easy to find, I wouldn't be surprised if many
WHOIS phone numbers are associated with accounts on ARIN, or white/yellow
pages). So they contact ARIN pretending to be person A, claiming to have
lost their TOTP. So because SMS is now an option for authentication ARIN
reverts the 2FA to SMS because it's easy. SIM hijack or interception is
easy enough. Well, now person B's only hurdle is going to be the password
anyway. They could have tried to brute force earlier and gotten the
correct password. Or also attempt a password reset when resetting the 2FA.
So the biggest thing I would impart to ARIN is do not trust SMS at all. I
understand it's a stop gap that has high appeal for its ease of deployment.
But do not trust it when doing account recoveries, or 2FA resets, etc.
--
Max Krivanek
Managing Member
Coding*Direct* <http://www.codingdirect.com/>
Phone: (682) 232-4867
------------------------------
Subject: Digest Footer
_______________________________________________
ARIN-consult mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-consult
------------------------------
End of ARIN-consult Digest, Vol 90, Issue 4
*******************************************