Send ARIN-consult mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.arin.net/mailman/listinfo/arin-consult
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ARIN-consult digest..."


Today's Topics:

   1. Re: increasing 2FA take-up (Scott Leibrand)
   2. Re: Consultation on Requiring Two-Factor Authentication (2FA)
      for ARIN Online Accounts (Ross Tajvar)


----------------------------------------------------------------------

Message: 1
Date: Wed, 25 May 2022 08:40:45 -0700
From: Scott Leibrand <[email protected]>
To: Richard Laager <[email protected]>
Cc: Adam Thompson <[email protected]>, ARIN-consult
        <[email protected]>
Subject: Re: [ARIN-consult] increasing 2FA take-up
Message-ID:
        <cagkmwz7qhhbrnacy_bnl_sytjgspjz8xdnsjsqjtrhdv8is...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Putting TOTP in 1Password makes login far more convenient than SMS 2FA, and
almost as convenient as password-only, even for shared accounts.

ARIN should probably provide instructions for how to add your TOTP to
1Password (and any other password managers that support that workflow),
because it's not a very intuitive enrollment experience.

We could also make 2FA only mandatory for activities that change resource
control (outbound transfers, reassignments, etc.)...

-Scott

On Wed, May 25, 2022 at 8:21 AM Richard Laager <[email protected]> wrote:

> You can put your TOTP in something like 1Password.
>
> --
> Richard
>
> On May 25, 2022, at 09:46, Adam Thompson <[email protected]> wrote:
>
> I have not enabled 2FA.
>
> TOTP lies at the unfortunate confluence of vendor misfeatures and
> organizational policies that render it not durable or resilient in the face
> of mobile device failure (which seems to happen to me a LOT more often than
> normal).  Possibly I don't know something about our approved
> authenticator apps that might solve the problem, but last time I checked,
> it was a no-go for me.
>
> I've instead opted to use a long, randomly-generated password that I can
> store in ways that are both secure and durable/resilient.
>
> -Adam
>
> ------------------------------
> *From:* ARIN-consult <[email protected]> on behalf of Bram
> Abramson <[email protected]>
> *Sent:* Wednesday, May 25, 2022 9:26:59 AM
> *To:* ARIN-consult <[email protected]>
> *Subject:* [ARIN-consult] increasing 2FA take-up
>
>
> All,
>
> The current consultation is about rendering SMS a 2FA option, then making
> 2FA mandatory. But it also notes that TOTP 2FA has been available since
> 2015 with a 3.2 percent take-up.
>
> Optional 2FA is perhaps inevitably doomed to low take-up, but it's
> likely worth documenting any learnings from the implementation thus far, on
> the way to that 3.2 percent take-up:
>
>    - Have most folks involved in this discussion already activated 2FA (are
>      we preaching to the converted)? If not, why has it made sense for you not
>      to?
>    - Do we think most of the broader community is aware of the 2FA
>      opportunity, and are there thoughts, UX or otherwise, on why the crushing
>      majority of folks haven't availed themselves of it?
>
> Thanks, and cheers,
> ------------------------------
>
> Bram Abramson
> [email protected] / @bramabramson
> _______________________________________________
> ARIN-Consult
> You are receiving this message because you are subscribed to the ARIN
> Consult Mailing
> List ([email protected]).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the
> ARIN Member Services
> Help Desk at [email protected] if you experience any issues.
>

------------------------------

Message: 2
Date: Wed, 25 May 2022 11:41:14 -0400
From: Ross Tajvar <[email protected]>
To: Owen DeLong <[email protected]>
Cc: Matt Harris <[email protected]>, "<[email protected]>"
        <[email protected]>
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
        Authentication (2FA) for ARIN Online Accounts
Message-ID:
        <CA+FDdDRn7AC42fxJXOb5Y=atzpvhsymy9ols_xnspdqr2uy...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

>
> I remain unconvinced that inflicting 2FA on me solves a real problem that
> actually exists.

I'm not sure why you (and others) seem to think 2FA is so incredibly
inconvenient. In my experience, it only takes a few extra seconds, or a few
extra clicks/taps depending on how it's set up. The added overhead really
is very small.

> Perhaps requiring better (non-dictionary) passwords on accounts that don't
> have 2FA would be a solution more targeted at the actual problem.

How would ARIN judge the complexity of a password? As far as I'm aware,
checking if it uses dictionary words is non-trivial. And even then, a
sufficiently long passphrase using dictionary words is pretty secure (vs a
short one) - I don't think it makes sense to penalize users for that.

On Wed, May 25, 2022 at 11:35 AM Owen DeLong via ARIN-consult <
[email protected]> wrote:

>
>
> On May 25, 2022, at 08:13 , Matt Harris <[email protected]> wrote:
>
> On Wed, May 25, 2022 at 2:13 AM Owen DeLong via ARIN-consult <
> [email protected]> wrote:
>
>> I'm not in favor of requiring 2FA. I agree that SMS 2FA is pretty awful,
>> but all forms of 2FA come with a variety of inconveniences.
>>
>> With an account that goes back to the beginnings of ARIN online, I've
>> never had a security problem with my ARIN online account, so I think that
>> 2FA is a solution looking for a problem here.
>>
>> I know that's not a popular view among the more security conscious, but
>> the reality is that security should be commensurate with what is being
>> protected. Let users who think their account warrants such additional
>> measures opt in. Let those of us who feel that our passwords are adequate
>> continue in that manner.
>>
>> Owen
>>
>
> Owen,
> The problem is that compromised ARIN accounts can result in issues that
> don't just impact the owner of the account that held those resources.
> Compromised ARIN accounts with resources can potentially adversely impact
> us all in terms of upticks in spam and the resulting management burdens, at
> the very least, and potentially in other (perhaps even thus far unforeseen)
> ways as well.
>
>
> I disagree. If my ARIN account is compromised, I'm going to get notified
> of any changes made. (So far, that hasn't happened). I know exactly where
> to go to get those changes reverted quickly.
>
> My account is associated with resources, but I remain unconvinced that
> inflicting 2FA on me solves a real problem that actually exists.
>
> I do agree with your statement "security should be commensurate with what
> is being protected." Thus, I would consider that we perhaps continue to
> allow accounts without control of any resources to continue without
> requiring 2fa, only requiring it when resources are allocated. An ARIN
> account with control of nothing, or perhaps just contact records for SWIP'd
> space, etc, is not one that is a huge hazard to the community at large imho
> compared to one that controls ASNs or IPv4 and IPv6 resources.
>
>
> Perhaps requiring better (non-dictionary) passwords on accounts that don't
> have 2FA would be a solution more targeted at the actual problem.
>
> Owen
>

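Ross's question about how ARIN would judge password complexity, and his point that a long passphrase built from dictionary words still beats a short "complex" password, can be made concrete with a small entropy estimator. This is an added example, not code from the thread or from ARIN; the embedded wordlist is a constructed stand-in sized like a 7,776-word Diceware list, and the character-class brute-force model is a deliberate simplification.

```python
import math
import re

# Constructed stand-in for a real dictionary: only a handful of words are
# embedded, but WORDLIST_SIZE models the size of a real list (7776, as in
# the Diceware list) so the per-word guessing cost is realistic.
WORDLIST_SIZE = 7776
KNOWN_WORDS = {"correct", "horse", "battery", "staple", "summer",
               "password", "dragon", "admin"}


def char_entropy_bits(pw: str) -> float:
    """Brute-force model: bits = length * log2(size of character classes used)."""
    space = 0
    if re.search(r"[a-z]", pw):
        space += 26
    if re.search(r"[A-Z]", pw):
        space += 26
    if re.search(r"[0-9]", pw):
        space += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        space += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(space) if space else 0.0


def dictionary_words(pw: str) -> list:
    """Alphabetic tokens of the password that appear in the dictionary."""
    tokens = re.findall(r"[a-z]+", pw.lower())
    return [t for t in tokens if t in KNOWN_WORDS]


def effective_entropy_bits(pw: str) -> float:
    """Cheapest of two attacker models: per-character brute force, or guessing
    each dictionary word as a single symbol (log2(WORDLIST_SIZE) bits) plus
    brute force over whatever characters the words do not explain."""
    words = dictionary_words(pw)
    leftover = pw
    for w in words:
        leftover = re.sub(re.escape(w), "", leftover, count=1, flags=re.IGNORECASE)
    leftover = re.sub(r"\s+", "", leftover)  # word separators are not secret
    word_model = len(words) * math.log2(WORDLIST_SIZE) + char_entropy_bits(leftover)
    return min(char_entropy_bits(pw), word_model)


if __name__ == "__main__":
    for pw in ["Summer2022!", "horse staple", "correct horse battery staple"]:
        print(f"{pw!r:32} dictionary words={dictionary_words(pw)} "
              f"~{effective_entropy_bits(pw):.1f} bits")
```

Under the dictionary-aware model the short "complex" password drops to roughly 40 bits while the four-word passphrase keeps about 52, so a naive "reject any dictionary word" rule would penalize the stronger of the two; a two-word passphrase, by contrast, is weaker than either.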
------------------------------

Subject: Digest Footer

_______________________________________________
ARIN-consult mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-consult


------------------------------

End of ARIN-consult Digest, Vol 90, Issue 10
********************************************
