Send ARIN-consult mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.arin.net/mailman/listinfo/arin-consult
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ARIN-consult digest..."


Today's Topics:

   1. Re: Consultation on Requiring Two-Factor Authentication (2FA)
      for ARIN Online Accounts (Owen DeLong)
   2. Re: Consultation on Requiring Two-Factor Authentication (2FA)
      for ARIN Online Accounts (Mark Elkins)


----------------------------------------------------------------------

Message: 1
Date: Wed, 25 May 2022 00:12:55 -0700
From: Owen DeLong <[email protected]>
To: ARIN <[email protected]>
Cc: [email protected]
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
        Authentication (2FA) for ARIN Online Accounts
Message-ID: <[email protected]>
Content-Type: text/plain;       charset=utf-8

I'm not in favor of requiring 2FA. I agree that SMS 2FA is pretty awful, but 
all forms of 2FA come with a variety of inconveniences.

With an account that goes back to the beginnings of ARIN online, I've never had 
a security problem with my ARIN online account, so I think that 2FA is a 
solution looking for a problem here.

I know that's not a popular view among the more security conscious, but the 
reality is that security should be commensurate with what is being protected. 
Let users who think their account warrants such additional measures opt in. Let 
those of us who feel that our passwords are adequate continue in that manner.

Owen


> On May 24, 2022, at 09:46, ARIN <[email protected]> wrote:
> 
> **Background**
> 
> In 2015, ARIN deployed a Time-Based One-Time password (TOTP) implementation 
> of Two-Factor Authentication (2FA). Since the time of implementing that login 
> security feature, 3.2 percent of ARIN Online users have opted to use 2FA with 
> their accounts.
> 
> Since October 2020, the ARIN Online system has been subject to a series of 
> dictionary-based password guessing attacks. In March of 2021, we conducted 
> ACSP Consultation 2021.2: Password Security for ARIN Online Accounts 
> (https://www.arin.net/participate/community/acsp/consultations/2021/2021-2/) 
> on proposed improvements to increase account security. This consultation 
> resulted in an agreement to move forward with several improvements that have 
> subsequently been deployed. However, we continue to see frequent attacks on 
> our log-in systems, and ARIN staff continues to be heavily engaged in 
> mitigating these attacks. Accounts not using 2FA are susceptible to these 
> attacks. We recently updated the community on this topic during ARIN 49 held 
> in Nashville and online in April. You can review this information from the 
> ARIN 49 Meeting Report (https://www.arin.net/participate/meetings/ARIN49/) by 
> looking for the presentation titled "Brute Force Login Attacks".
> 
> It is our intention to make 2FA mandatory for all existing and new ARIN 
> Online accounts going forward. The security of ARIN Online accounts is 
> paramount to the success of the registry, and we do not believe it is tenable 
> to continue without making 2FA required for all ARIN Online accounts.  
> 
> We are currently developing a second method of 2FA use with ARIN Online to 
> add to our long-deployed TOTP implementation. In the coming months, we will 
> deploy a Short Message Service (SMS) 2FA implementation, thereby adding a 
> second 2FA option for ARIN Online users. At that time, users will be able to 
> choose between two types of 2FA: SMS and TOTP. Adoption of TOTP 2FA has 
> been limited in part due to perceived complexity, and the addition of 
> SMS-based 2FA will provide a second option that is easier to use for many 
> customers, and provide much more protection than the simple 
> username-password condition of many ARIN Online user accounts today. (ARIN 
> also plans on adding support for a third 2FA option in the future, Fast 
> Identity Online 2 (FIDO2), in response to community suggestions, but we do 
> not believe it is prudent to delay requiring 2FA on ARIN Online accounts 
> until that third option becomes available.)
> 
> **Requiring 2FA For ARIN Online Accounts**
> 
> By requiring 2FA for ARIN Online accounts that control number resources, the 
> ARIN community should see stronger security for the registry, reduced risk of 
> account fraud attempts, and increased confidence in the integrity of their 
> ARIN resources.  
> 
> ARIN intends to require 2FA for all ARIN Online accounts shortly after 
> SMS-based 2FA authentication is generally available.  We are seeking 
> confirmation from the ARIN community regarding this plan, and ask the 
> following consultation question:  
> 
> -------------------
> Once SMS-based two-factor authentication (2FA) is available for ARIN Online, 
> do you believe ARIN *should not* proceed with requiring 2FA authentication 
> (SMS-based or TOTP) for all ARIN Online accounts?  If so, why?
> -------------------
> 
> The feedback you provide during this consultation will help form our path 
> forward to increasing the security of ARIN Online for all customers. Thank 
> you for your participation in the ARIN Consultation and Suggestion Process. 
> Please provide comments to [email protected]. You can subscribe to this 
> mailing list at:
> 
> http://lists.arin.net/mailman/listinfo/arin-consult
> 
> This consultation will remain open through 5:00 PM ET on 24 June 2022.
> 
> Regards,
> 
> John Curran
> President and CEO
> American Registry for Internet Numbers (ARIN)
> 
> Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online 
> Accounts
> 



------------------------------

Message: 2
Date: Wed, 25 May 2022 10:06:20 +0200
From: Mark Elkins <[email protected]>
To: ARIN <[email protected]>, [email protected]
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
        Authentication (2FA) for ARIN Online Accounts
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"; Format="flowed"


On 5/24/22 6:46 PM, ARIN wrote:
> **Background**
>
> In 2015, ARIN deployed a Time-Based One-Time password (TOTP) implementation 
> of Two-Factor Authentication (2FA). Since the time of implementing that login 
> security feature, 3.2 percent of ARIN Online users have opted to use 2FA with 
> their accounts.


Years back, I added TOTP (Time based one time password) to the front end 
of my "Virtual Web" management system (I sell domains - etc). The TOTP 
APP is easy to install on any modern mobile device (I use mOTP). I allow 
the customer to configure their TOTP backend "OTP management" codes and 
to also test that the TOTP works locally before enforcing it.


(the grey text above are prompts)

This is also combined with the ability to specify an access list made up 
of multiple network blocks from where the OTP is not needed, that is 
some machines with static IPs on the person's home network. To enforce 
OTP - just use an address such as 1.0.0.0/32 (or similar). This access 
list is similar to some of the validation that EPP uses. The PHP code 
was not too complicated. Using TOTP is free - no SMSs - etc.

One then has the best of both worlds - some secure locations from where 
OTP is not required and the OTPs for other (transient) locations.

TOTP security is optional - so of course very few customers use it (1% 
or so) - but it is there!
Education would be necessary. I provide the following...

-- 

Mark James ELKINS - Posix Systems - (South) Africa
[email protected]    Tel: +27.826010496
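The two pieces Mark describes above, as an added example in Python (not code from his PHP system, which is not shown in the post): an RFC 6238 TOTP check, and an access list of networks from which the OTP is skipped, with the 1.0.0.0/32 entry used to force the OTP everywhere. The 30-second step, six digits and HMAC-SHA1 are assumptions, chosen because that is what common authenticator apps expect.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct
import time


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to absorb clock drift;
    compare_digest keeps the comparison constant-time."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + k * 30), submitted)
        for k in range(-window, window + 1)
    )


def otp_required(client_ip: str, trusted_networks: list) -> bool:
    """The post's access list: the OTP is skipped only from listed networks.
    A list holding just 1.0.0.0/32 (an address no user arrives from) means
    the OTP is always required, which is the trick the post describes."""
    ip = ipaddress.ip_address(client_ip)
    return not any(ip in ipaddress.ip_network(n, strict=False) for n in trusted_networks)


def login_second_factor(secret_b32, submitted, client_ip, trusted_networks, at=None):
    """Second-factor decision: pass from a trusted network, else need a valid code.
    `at` is injectable for testing; production callers leave it as the clock."""
    if not otp_required(client_ip, trusted_networks):
        return True
    now = at if at is not None else int(time.time())
    return verify_totp(secret_b32, submitted or "", now)
```

The trusted-network entries are matched with the same CIDR logic a web front end would apply to the client address, so a proxy in front of the app must pass the real client IP or the list is meaningless.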




------------------------------

Subject: Digest Footer

_______________________________________________
ARIN-consult mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-consult


------------------------------

End of ARIN-consult Digest, Vol 90, Issue 5
*******************************************
