Send ARIN-consult mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.arin.net/mailman/listinfo/arin-consult
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ARIN-consult digest..."


Today's Topics:

   1. Re: increasing 2FA take-up (John Curran)
   2. Re: increasing 2FA take-up (Ross Tajvar)
   3. Re: Consultation on Requiring Two-Factor Authentication (2FA)
      for ARIN Online Accounts (Scott Leibrand)


----------------------------------------------------------------------

Message: 1
Date: Wed, 25 May 2022 15:44:39 +0000
From: John Curran <[email protected]>
To: Scott Leibrand <[email protected]>
Cc: ARIN-consult <[email protected]>
Subject: Re: [ARIN-consult] increasing 2FA take-up
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"



On 25 May 2022, at 11:40 AM, Scott Leibrand <[email protected]> wrote:

> Putting TOTP in 1Password makes login far more convenient than SMS 2FA, and
> almost as convenient as password-only, even for shared accounts.
>
> ARIN should probably provide instructions for how to add your TOTP to 1Password
> (and any other password managers that support that workflow), because it's not
> a very intuitive enrollment experience.

Scott -

Instructions for adding 2FA via TOTP are available here (this is what all of 
the ARIN 2FA documentation points to):
https://www.arin.net/reference/materials/security/twofactor/

Do you have any suggestions for improvement?

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers




------------------------------

Message: 2
Date: Wed, 25 May 2022 11:45:35 -0400
From: Ross Tajvar <[email protected]>
To: Scott Leibrand <[email protected]>
Cc: Richard Laager <[email protected]>, ARIN-consult
        <[email protected]>
Subject: Re: [ARIN-consult] increasing 2FA take-up
Message-ID:
        <CA+FDdDRRSBkDFd2JA40dd8OdtEKugds16VR7M+tTLBD-S6=u...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Just to add to this, I use BitWarden and it supports TOTP as well. It's a
single extra click (or ctrl+V) to get the OTP.

On Wed, May 25, 2022 at 11:41 AM Scott Leibrand <[email protected]>
wrote:

> Putting TOTP in 1Password makes login far more convenient than SMS 2FA,
> and almost as convenient as password-only, even for shared accounts.
>
> ARIN should probably provide instructions for how to add your TOTP to
> 1Password (and any other password managers that support that workflow),
> because it's not a very intuitive enrollment experience.
>
> We could also make 2FA only mandatory for activities that change resource
> control (outbound transfers, reassignments, etc.)...
>
> -Scott
>
> On Wed, May 25, 2022 at 8:21 AM Richard Laager <[email protected]> wrote:
>
>> You can put your TOTP in something like 1Password.
>>
>> --
>> Richard
>>
>> On May 25, 2022, at 09:46, Adam Thompson <[email protected]> wrote:
>>
>> I have not enabled 2FA.
>>
>> TOTP lies at the unfortunate confluence of vendor misfeatures and
>> organizational policies that render it not durable or resilient in the face
>> of mobile device failure (which seems to happen to me a LOT more often than
>> normal).  Possibly I don't know something about our approved
>> authenticator apps that might solve the problem, but last time I checked,
>> it was a no-go for me.
>>
>> I've instead opted to use a long, randomly-generated password that I can
>> store in ways that are both secure and durable/resilient.
>>
>> -Adam
>>
>> Get Outlook for Android <https://aka.ms/AAb9ysg>
>> ------------------------------
>> *From:* ARIN-consult <[email protected]> on behalf of Bram
>> Abramson <[email protected]>
>> *Sent:* Wednesday, May 25, 2022 9:26:59 AM
>> *To:* ARIN-consult <[email protected]>
>> *Subject:* [ARIN-consult] increasing 2FA take-up
>>
>>
>> All,
>>
>> The current consultation is about rendering SMS a 2FA option, then making
>> 2FA mandatory. But it also notes that TOTP 2FA has been available since
>> 2015 with a 3.2 percent take-up.
>>
>> Optional 2FA is perhaps inevitably doomed to low take-up, but it's
>> likely worth documenting any learnings from the implementation thus far, on
>> the way to that 3.2 percent take-up:
>>
>>    - Have most folks involved in this discussion already activated 2FA
>>      (are we preaching to the converted)? If not, why has it made sense for
>>      you not to?
>>
>>    - Do we think most of the broader community is aware of the 2FA
>>      opportunity, and are there thoughts, UX or otherwise, on why the crushing
>>      majority of folks haven't availed themselves of it?
>>
>> Thanks, and cheers,
>> ------------------------------
>>
>> Bram Abramson
>> [email protected] / @bramabramson
>> _______________________________________________
>> ARIN-Consult
>> You are receiving this message because you are subscribed to the ARIN
>> Consult Mailing
>> List ([email protected]).
>> Unsubscribe or manage your mailing list subscription at:
>> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the
>> ARIN Member Services
>> Help Desk at [email protected] if you experience any issues.
>>

------------------------------

Message: 3
Date: Wed, 25 May 2022 08:52:04 -0700
From: Scott Leibrand <[email protected]>
To: Ross Tajvar <[email protected]>
Cc: Owen DeLong <[email protected]>, "<[email protected]>"
        <[email protected]>
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
        Authentication (2FA) for ARIN Online Accounts
Message-ID:
        <CAGkMwz53TX2Nv+J1AroeTYDWAjKvxitRDYeqj0Na10H=5dh...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

On Wed, May 25, 2022 at 8:41 AM Ross Tajvar <[email protected]> wrote:

> I remain unconvinced that inflicting 2FA on me solves a real problem that
>> actually exists.
>
> I'm not sure why you (and others) seem to think 2FA is so incredibly
> inconvenient. In my experience, it only takes a few extra seconds, or a few
> extra clicks/taps depending on how it's set up. The added overhead really
> is very small.
>

When 2FA is set up "properly", you're correct. It's often not, either by
users or system designers. One main challenge is when users make one of the
very common errors in managing 2FA, like losing access to their second
factor (often by only enrolling their phone and then switching phones).
It's also quite common to want to log in but not have immediate access to
your second factor. That can be addressed by allowing multiple types of 2FA
to be set up simultaneously, but many implementations do so poorly.

In ARIN's case, there's the added complexity of ARIN accounts being the
property of an organization, not an individual, and all the
chain-of-custody complications that introduces. Many organizations solve
those by using shared credentials. If they don't have a shared-credential
storage system like 1Password set up, 2FA significantly complicates that
workflow.

Whatever solutions you introduce to all of those problems, you have all the
overhead of resetting people's 2FA credentials when they inevitably lose
access. Such account reset workflows must be secure enough to avoid social
engineering making the problem worse than it is today, while minimizing the
additional burden on users and staff.

This is not an easy problem, so some of the maximalist positions that have
been previously expressed on this thread strike me as poorly-considered.

-Scott

------------------------------

Subject: Digest Footer

_______________________________________________
ARIN-consult mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-consult


------------------------------

End of ARIN-consult Digest, Vol 90, Issue 11
********************************************
