Send ARIN-consult mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.arin.net/mailman/listinfo/arin-consult
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ARIN-consult digest..."
Today's Topics:
1. Re: increasing 2FA take-up (Kevin Blumberg)
2. Re: Consultation on Requiring Two-Factor Authentication (2FA)
for ARIN Online Accounts (Gary Buhrmaster)
3. Re: Consultation on Requiring Two-Factor Authentication (2FA)
for ARIN Online Accounts (David Bass)
----------------------------------------------------------------------
Message: 1
Date: Wed, 25 May 2022 17:13:53 +0000
From: Kevin Blumberg <[email protected]>
To: Bram Abramson <[email protected]>, ARIN-consult <[email protected]>
Subject: Re: [ARIN-consult] increasing 2FA take-up
Message-ID:
<yqxpr01mb53992ec841870d42f33f8425bb...@yqxpr01mb5399.canprd01.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
Bram,
I've been using it since Day 1 that the feature came out.
https://www.arin.net/participate/community/acsp/suggestions/2013/2013-8/
My suggestion in 2013 was to allow multiple authentication options. Since
almost a decade has gone by since the ACSP request, my only regret is including
SMS as an option back then. It has too many known vulnerabilities, with many
better options (including TOTP which is being used).
I do find it interesting that people think they will have a say in whether MFA
is mandatory or not.
That ship sailed a long time ago, insurance companies are mandating MFA for
systems, it isn't a question of IF but WHEN it will be mandatory.
TOTP is a great lowest common denominator, it doesn't require any external
connectivity for usage, and can be set up on multiple devices, if you have the
private key or scan the QR code to those devices.
I would still like to see a hardware token or other robust MFA solution.
Kevin Blumberg
From: ARIN-consult <[email protected]> On Behalf Of Bram Abramson
Sent: Wednesday, May 25, 2022 10:27 AM
To: ARIN-consult <[email protected]>
Subject: [ARIN-consult] increasing 2FA take-up
All,
The current consultation is about rendering SMS a 2FA option, then making 2FA
mandatory. But it also notes that TOTP 2FA has been available since 2015 with a
3.2 percent take-up.
Optional 2FA is perhaps inevitably doomed to low take-up, but it's likely
worth documenting any learnings from the implementation thus far, on the way to
that 3.2 percent take-up:
* Have most folks involved in this discussion already activated 2FA (are we
preaching to the converted)? If not, why has it made sense for you not to?
* Do we think most of the broader community is aware of the 2FA opportunity
, and are there thoughts, UX or otherwise, on why the crushing majority of
folks haven?t availed themselves of it?
Thanks, and cheers,
________________________________
Bram Abramson
[email protected]<mailto:[email protected]> / @bramabramson
------------------------------
Message: 2
Date: Wed, 25 May 2022 17:15:07 +0000
From: Gary Buhrmaster <[email protected]>
To: Ross Tajvar <[email protected]>
Cc: "<[email protected]>" <[email protected]>
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
Authentication (2FA) for ARIN Online Accounts
Message-ID:
<CAMfXtQy2nTjFUZNuo1teHQdhN6DPJUZULEwuk-SZDG1ST=k...@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
On Wed, May 25, 2022 at 3:41 PM Ross Tajvar <[email protected]> wrote:
> .... And even then, a sufficiently long passphrase using dictionary words is
> pretty secure (vs a short one)
As long as the passphrase is not "correcthorsebatterystaple"
which is now in lists of well known compromised passwords.
(obligatory xkcd ref: https://xkcd.com/936/ )
------------------------------
Message: 3
Date: Wed, 25 May 2022 13:17:20 -0400
From: David Bass <[email protected]>
To: William Herrin <[email protected]>
Cc: "<[email protected]>" <[email protected]>, Ross Tajvar
<[email protected]>
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
Authentication (2FA) for ARIN Online Accounts
Message-ID:
<caj7c-orc1xsb1czdbzubwcqye8uezlpbsx-uflzhxkdayyj...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
We are generally *always* reviewing and recommending our customers enable
2fa on everything they use, and look for alternatives (when possible) for
things that don't. The problem is so much broader than people think. They
don't necessarily need to take, or change your data; if you are a high value
target, then they may be able to use the data in your account as an attack
vector to gain access to their ultimate target.
Anyone in control of high value resources should be taking additional steps
to protect their accounts.
On Wed, May 25, 2022 at 12:39 PM William Herrin <[email protected]> wrote:
> On Wed, May 25, 2022 at 8:41 AM Ross Tajvar <[email protected]> wrote:
> >> I remain unconvinced that inflicting 2FA on me solves a real problem
> that actually exists.
> >
> > I'm not sure why you (and others) seem to think 2FA is so incredibly
> inconvenient. In my experience, it only takes a few extra seconds, or a few
> extra clicks/taps depending on how it's set up. The added overhead really
> is very small.
>
> It requires orgs which rarely interact with ARIN to keep track of THE
> cell phone which has the 2FA app. Oh, and the phone has to still be
> working. Otherwise, every interaction with ARIN for such orgs starts
> with a painful and likely insecure account recovery procedure.
>
>
> >> Perhaps requiring better (non-dictionary) passwords on accounts that
> don't have 2FA would be a solution more targeted at the actual problem.
> >
> > How would ARIN judge the complexity of a password? As far as I'm aware,
> checking if it uses dictionary words is non-trivial.
>
> The last time I worked on this problem I followed the NIST guidance:
> check the proposed password against a large list of known compromised
> passwords (e.g.
> https://github.com/danielmiessler/SecLists/tree/master/Passwords,
> https://drive.google.com/drive/folders/14xB93b5YveOzCY7EuDrcL5ElpN-HCNse)
> and reject it if found there. It took me a couple of days to find a
> decent data source and write an app around it. It was rather trivial.
>
> Dictionary attacks are ineffective against a site which rejects the
> overwhelming majority of passwords in the attack dictionary.
>
>
> > And even then, a sufficiently long passphrase using dictionary words is
> pretty secure (vs a short one) - I don't think it makes sense to penalize
> users for that.
>
> Among the reasons I'm against mandatory 2FA.
>
> Regards,
> Bill Herrin
>
> --
> William Herrin
> [email protected]
> https://bill.herrin.us/
> _______________________________________________
> ARIN-Consult
> You are receiving this message because you are subscribed to the ARIN
> Consult Mailing
> List ([email protected]).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the
> ARIN Member Services
> Help Desk at [email protected] if you experience any issues.
>
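Bill's description above (follow the NIST guidance: check a proposed password against a large list of known compromised passwords and reject it if found) and Gary's point that even "correcthorsebatterystaple" now sits on such lists translate into a short screening routine. The Python below is an added example, not code from this thread or from ARIN. Its blocklist is a constructed five-entry stand-in for the SecLists or Have I Been Pwned corpora Bill links; the range-API response is constructed in the format of the Pwned Passwords `range` endpoint with a made-up count, and the fetch is injected as a callable so nothing here touches the network; the remaining checks (repeated or sequential characters, the account name) are the other items NIST SP 800-63B section 5.1.1.2 lists alongside the blocklist.

```python
"""Password screening in the NIST SP 800-63B style described in the thread, run offline.
Added example; not code from the ARIN-consult thread or from ARIN."""
import hashlib
import re
from typing import Callable, List, Optional, Tuple

# Constructed stand-in for a compromised-password list. A production list has hundreds
# of millions of entries and is loaded from disk or queried by hash prefix, not embedded.
SAMPLE_BREACHED = {
    "password", "123456", "qwerty123", "letmein", "correcthorsebatterystaple",
}


def _is_sequential(s: str) -> bool:
    """'12345678', 'abcdefgh' and their reverses: every step is exactly +1 or -1."""
    if len(s) < 4:
        return False
    deltas = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return deltas in ({1}, {-1})


def screen_password(candidate: str, username: Optional[str] = None,
                    breached=SAMPLE_BREACHED, min_len: int = 8) -> List[str]:
    """Return the reasons to reject; an empty list means the password passes.
    Mirrors SP 800-63B 5.1.1.2: minimum length, a blocklist of breached and dictionary
    values, repetitive or sequential characters, and context-specific words. No
    composition rules (upper/lower/digit/symbol) and no periodic expiry: the blocklist
    does the work a dictionary-attack defence needs, without penalising long passphrases."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    # Exact match plus a lower-cased match so "Password" is caught by a lower-case list.
    if candidate in breached or candidate.lower() in breached:
        reasons.append("appears in compromised-password list")
    if re.fullmatch(r"(.)\1+", candidate):
        reasons.append("single repeated character")
    if _is_sequential(candidate):
        reasons.append("sequential characters")
    if username and len(username) >= 3 and username.lower() in candidate.lower():
        reasons.append("contains the account name")
    return reasons


def hibp_range_query(candidate: str) -> Tuple[str, str]:
    """Split SHA-1(candidate) into the 5-hex-char prefix sent to the Pwned Passwords
    range API and the 35-char suffix compared locally. The server only ever sees the
    prefix (k-anonymity), so the password itself never leaves your side."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_body: str) -> int:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns; 0 means not found."""
    for line in response_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found == suffix and count.isdigit():
            return int(count)
    return 0


def is_compromised(candidate: str, fetch_range: Callable[[str], str]) -> bool:
    """fetch_range(prefix) -> response body; injected so this can be tested offline
    and so a network failure can be handled by the caller (fail closed or open)."""
    prefix, suffix = hibp_range_query(candidate)
    return count_in_range_response(suffix, fetch_range(prefix)) > 0


# Constructed response body in the range endpoint's format; both lines and the counts
# are made up, except that the second suffix is the real SHA-1 suffix of "password".
CONSTRUCTED_RANGE_RESPONSE = (
    "1E2AA6F1D1B5D5D4B6A1C2D3E4F5A6B7C8D:2\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
)


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for an HTTPS GET of /range/{prefix}."""
    return CONSTRUCTED_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("correcthorsebatterystaple", "12345678", "aaaaaaaa", "Tr0ub4dor&3"):
        print(pw, "->", screen_password(pw) or "ok")
    print("password compromised via range check:", is_compromised("password", fake_fetch))
```

When the blocklist rejects a password, SP 800-63B asks the verifier to tell the user why and let them choose another, which is what the returned reasons are for. Note what this does not catch: keyboard walks such as "qwertyuiop" are handled only if they are on the list, and the sequential check is deliberately narrow so that a long passphrase of dictionary words, Ross's case, passes unless that exact passphrase has already leaked.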
------------------------------
Subject: Digest Footer
_______________________________________________
ARIN-consult mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-consult
------------------------------
End of ARIN-consult Digest, Vol 90, Issue 14
********************************************