Today's Topics:
1. Re: increasing 2FA take-up (Richard Laager)
2. Re: Consultation on Requiring Two-Factor Authentication (2FA)
for ARIN Online Accounts (John Curran)
3. Re: Consultation on Requiring Two-Factor Authentication (2FA)
for ARIN Online Accounts (Owen DeLong)
----------------------------------------------------------------------
Message: 1
Date: Wed, 25 May 2022 10:20:56 -0500
From: Richard Laager <[email protected]>
To: Adam Thompson <[email protected]>
Cc: ARIN-consult <[email protected]>
Subject: Re: [ARIN-consult] increasing 2FA take-up
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
You can put your TOTP in something like 1Password.
--
Richard
> On May 25, 2022, at 09:46, Adam Thompson <[email protected]> wrote:
>
> I have not enabled 2FA.
>
> TOTP lies at the unfortunate confluence of vendor misfeatures and
> organizational policies that render it not durable or resilient in the face
> of mobile device failure (which seems to happen to me a LOT more often than
> normal). Possibly I don't know something about our approved authenticator
> apps that might solve the problem, but last time I checked, it was a no-go
> for me.
>
> I've instead opted to use a long, randomly-generated password that I can
> store in ways that are both secure and durable/resilient.
>
> -Adam
>
> From: ARIN-consult <[email protected]> on behalf of Bram Abramson
> <[email protected]>
> Sent: Wednesday, May 25, 2022 9:26:59 AM
> To: ARIN-consult <[email protected]>
> Subject: [ARIN-consult] increasing 2FA take-up
>
> All,
>
> The current consultation is about rendering SMS a 2FA option, then making 2FA
> mandatory. But it also notes that TOTP 2FA has been available since 2015 with
> a 3.2 percent take-up.
>
> Optional 2FA is perhaps inevitably doomed to low take-up, but it's likely
> worth documenting any learnings from the implementation thus far, on the way
> to that 3.2 percent take-up:
>
> Have most folks involved in this discussion already activated 2FA (are we
> preaching to the converted)? If not, why has it made sense for you not to?
>
> Do we think most of the broader community is aware of the 2FA opportunity,
> and are there thoughts, UX or otherwise, on why the crushing majority of
> folks haven't availed themselves of it?
>
> Thanks, and cheers,
>
> Bram Abramson
> [email protected] / @bramabramson
>
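The exchange above turns on whether a TOTP enrolment survives the loss of a phone. The following is an added example, not code from the list or from any of the posters: an RFC 6238 TOTP implementation using only the Python standard library, plus a parser for the otpauth:// enrolment URI that authenticator apps scan. It shows that the only durable state in a TOTP enrolment is the shared seed, so anything that holds that seed (a password manager such as the 1Password mentioned by Richard, or a second authenticator) produces the same codes as the phone. The account name and issuer in the URI are constructed for illustration; the seed is the published RFC 4226 / RFC 6238 reference seed, so the codes can be checked against the RFC test vectors.

```python
"""Added example (not from the ARIN-consult thread): RFC 6238 TOTP from the
standard library, to show that a TOTP enrolment is just a shared seed.
The otpauth:// URI below is constructed for illustration."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# RFC 4226 / RFC 6238 reference seed (ASCII "12345678901234567890") in base32.
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed enrolment URI of the kind an authenticator app scans from a QR
# code; the label and issuer are hypothetical.
EXAMPLE_URI = ("otpauth://totp/ARIN%20Online:alice%40example.net"
               "?secret=" + RFC_SEED_B32 + "&issuer=ARIN%20Online&digits=6&period=30")


def decode_seed(seed_b32: str) -> bytes:
    """Base32-decode a seed as apps present it (spaces, lowercase, no padding)."""
    s = seed_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(seed_b32: str, at: Optional[int] = None, step: int = 30,
         digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at is None else at
    return hotp(decode_seed(seed_b32), t // step, digits)


def verify(seed_b32: str, candidate: str, at: Optional[int] = None,
           step: int = 30, window: int = 1) -> bool:
    """Server-side check accepting +/- `window` steps of clock drift.
    Every candidate step is compared in constant time."""
    t = int(time.time()) if at is None else at
    ok = False
    for k in range(-window, window + 1):
        ok |= hmac.compare_digest(totp(seed_b32, t + k * step, step), candidate)
    return ok


def seed_from_otpauth(uri: str) -> dict:
    """Extract the seed and parameters from an otpauth://totp/... URI.
    Everything an authenticator app stores comes from here, so keeping the
    URI (or just the secret) in a password manager is a complete backup."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


if __name__ == "__main__":
    params = seed_from_otpauth(EXAMPLE_URI)
    now = int(time.time())
    # Two "devices" holding the same seed produce the same code at the same time.
    phone = totp(params["secret"], now, params["period"], params["digits"])
    vault = totp(params["secret"], now, params["period"], params["digits"])
    print(params["label"], phone, phone == vault,
          verify(params["secret"], phone, now, params["period"]))
```

The practical consequence for the durability concern: the seed (or the whole otpauth URI) is what needs backing up, and a verifier cannot tell which copy of the seed generated a code. That is also why the seed deserves the same protection as a password, and why recovery codes or a second enrolled device are the usual answer where copying the seed is not allowed by policy.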
------------------------------
Message: 2
Date: Wed, 25 May 2022 15:24:59 +0000
From: John Curran <[email protected]>
To: Matt Harris <[email protected]>
Cc: [email protected]
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
Authentication (2FA) for ARIN Online Accounts
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
> On 25 May 2022, at 11:13 AM, Matt Harris <[email protected]> wrote:
>
> I do agree with your statement "security should be commensurate with what is
> being protected." Thus, I would consider that we perhaps continue to allow
> accounts without control of any resources to continue without requiring 2fa,
> only requiring it when resources are allocated. An ARIN account with control of
> nothing, or perhaps just contact records for SWIP'd space, etc, is not one that
> is a huge hazard to the community at large imho compared to one that controls
> ASNs or IPv4 and IPv6 resources.
Matt -
Wouldn't the "compromise approach" shown above leave ARIN with accounts that
are still subject to brute-force login attacks, and therefore not address the
other aspect raised in the consultation:
However, we continue to see frequent attacks on our log-in systems, and ARIN
staff continues to be heavily engaged in mitigating these attacks. Accounts not
using 2FA are susceptible to these attacks. We recently updated the community
on this topic during ARIN 49 held in Nashville and online in April. You can
review this information from the ARIN 49 Meeting Report
(https://www.arin.net/participate/meetings/ARIN49/) by looking for the
presentation titled "Brute Force Login Attacks".
Thoughts?
/John
John Curran
President and CEO
American Registry for Internet Numbers
------------------------------
Message: 3
Date: Wed, 25 May 2022 08:35:34 -0700
From: Owen DeLong <[email protected]>
To: Matt Harris <[email protected]>
Cc: ARIN <[email protected]>, [email protected]
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
Authentication (2FA) for ARIN Online Accounts
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
> On May 25, 2022, at 08:13 , Matt Harris <[email protected]> wrote:
>
> On Wed, May 25, 2022 at 2:13 AM Owen DeLong via ARIN-consult
> <[email protected]> wrote:
>> I'm not in favor of requiring 2FA. I agree that SMS 2FA is pretty awful, but
>> all forms of 2FA come with a variety of inconveniences.
>>
>> With an account that goes back to the beginnings of ARIN online, I've never
>> had a security problem with my ARIN online account, so I think that 2FA is a
>> solution looking for a problem here.
>>
>> I know that's not a popular view among the more security conscious, but the
>> reality is that security should be commensurate with what is being protected.
>> Let users who think their account warrants such additional measures opt in.
>> Let those of us who feel that our passwords are adequate continue in that
>> manner.
>>
>> Owen
>
> Owen,
> The problem is that compromised ARIN accounts can result in issues that don't
> just impact the owner of the account that held those resources. Compromised
> ARIN accounts with resources can potentially adversely impact us all in terms
> of upticks in spam and the resulting management burdens, at the very least,
> and potentially in other (perhaps even thus far unforeseen) ways as well.
I disagree. If my ARIN account is compromised, I'm going to get notified of any
changes made. (So far, that hasn't happened.) I know exactly where to go to get
those changes reverted quickly.
My account is associated with resources, but I remain unconvinced that
inflicting 2FA on me solves a real problem that actually exists.
> I do agree with your statement "security should be commensurate with what is
> being protected." Thus, I would consider that we perhaps continue to allow
> accounts without control of any resources to continue without requiring 2fa,
> only requiring it when resources are allocated. An ARIN account with control
> of nothing, or perhaps just contact records for SWIP'd space, etc, is not one
> that is a huge hazard to the community at large imho compared to one that
> controls ASNs or IPv4 and IPv6 resources.
Perhaps requiring better (non-dictionary) passwords on accounts that don't have
2FA would be a solution more targeted at the actual problem.
Owen
------------------------------
End of ARIN-consult Digest, Vol 90, Issue 8
*******************************************