Today's Topics:
1. Re: Consultation on Requiring Two-Factor Authentication (2FA)
for ARIN Online Accounts (Peter Beckman)
2. Re: Consultation on Requiring Two-Factor Authentication (2FA)
for ARIN Online Accounts (Adam Thompson)
3. Re: Consultation on Requiring Two-Factor Authentication (2FA)
for ARIN Online Accounts (Adam Thompson)
----------------------------------------------------------------------
Message: 1
Date: Wed, 25 May 2022 16:42:33 -0400
From: Peter Beckman <[email protected]>
To: Owen DeLong <[email protected]>
Cc: ARIN <[email protected]>, [email protected]
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
Authentication (2FA) for ARIN Online Accounts
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
I've read through most of the comments.
tl;dr: I support mandatory TOTP 2FA, and strongly urge ARIN to consider
support for physical tokens such as Yubikey.
Summary
- Bad things can be done when someone gains unauthorized access to an
ARIN account
- While individuals might use 16+ character random passwords that are
never used for other sites, in 2022 most people still don't, and just
have a handful of passwords they memorize
- Password re-use is not detectable by any one organization, and thus
requiring TOTP prevents accounts that re-use passwords from being an
attack vector due to breaches on other websites/systems
- Not enough people use a Password Manager like LastPass, 1Password,
DashLane, etc. But when they do, TOTP 2FA becomes a non-issue. Plus
these PW Managers securely deploy your logins to various devices,
still protected with a passphrase in addition to the OS account
passphrase or biometric, making the argument of a "single device
lost" moot
- Most TOTP 2FA implementations also provide backup codes to use in
case the TOTP 2FA access is lost. These should be stored by the user
in a secure way somewhere
- While Owen and Bill may practice excellent personal security with
random not-used-on-any-other-website-or-login passwords, most people
do not. One Man-in-the-Middle attack because one didn't notice that
the AT&T Hotspot they connected to wasn't really AT&T and they log in
to ARIN and poof, their accounts are accessed by a 3rd party for
all lengths of time, whereas TOTP would give the attacker a 90 second
window (implementations usually accept the previous, current, and
next code to account for time drift) to log into the account,
otherwise they'd be locked out.
TOTP 2FA is the most portable and best generally used option currently in
existence.
Physical tokens, such as Yubikeys, are also excellent, and ARIN should
consider providing support for this for those willing to jump through such
hoops for security.
SMS, while better in 2022, still uses an out-of-band over-the-air network
where changing the eSPID/SPID/NNID for SMS or SIM cloning is still a
potential attack vector.
Certificate-based authentication is also a possible path, but it is NOT
implemented yet in an easy way for most people.
Any 2FA puts limits on the ability for an unauthorized 3rd party to access
one's account. TOTP puts a 90-second window in place if someone knows the
code at a certain point of time, and then that window is gone.
Just because one has "never had a security problem" does not mean that one
has never occurred, and that one cannot occur in the future. Breaches occur
with regularity across the internet, and it seems ARIN accounts already
have been.
Password Managers eliminate the "variety of inconveniences" as you hit
"paste" after you tapped the command keyboard shortcut to fill the login,
which starts with verifying the domain matches your Password Manager's
record for your login.
The negative impacts of individuals' bad security choices are not limited
to that individual, and thus, I believe ARIN is well within its position to
require 2FA in order to enforce security best practices.
Until a better and more secure way is presented, I support ARIN requiring
TOTP 2FA or a physical token in order to access ARIN accounts and assets.
Beckman
On Wed, 25 May 2022, Owen DeLong via ARIN-consult wrote:
> I'm not in favor of requiring 2FA. I agree that SMS 2FA is pretty awful, but
> all forms of 2FA come with a variety of inconveniences.
>
> With an account that goes back to the beginnings of ARIN online, I've never
> had a security problem with my ARIN online account, so I think that 2FA is a
> solution looking for a problem here.
>
> I know that's not a popular view among the more security conscious, but the
> reality is that security should be commensurate with what is being protected.
> Let users who think their account warrants such additional measures opt in.
> Let those of us who feel that our passwords are adequate continue in that
> manner.
>
> Owen
>
>
>> On May 24, 2022, at 09:46, ARIN <[email protected]> wrote:
>>
>> **Background**
>>
>> In 2015, ARIN deployed a Time-Based One-Time password (TOTP) implementation
>> of Two-Factor Authentication (2FA). Since the time of implementing that
>> login security feature, 3.2 percent of ARIN Online users have opted to use
>> 2FA with their accounts.
>>
>> Since October 2020, the ARIN Online system has been subject to a series of
>> dictionary-based password guessing attacks. In March of 2021, we conducted
>> ACSP Consultation 2021.2: Password Security for ARIN Online Accounts
>> (https://www.arin.net/participate/community/acsp/consultations/2021/2021-2/)
>> on proposed improvements to increase account security. This consultation
>> resulted in an agreement to move forward with several improvements that have
>> subsequently been deployed. However, we continue to see frequent attacks on
>> our log-in systems, and ARIN staff continues to be heavily engaged in
>> mitigating these attacks. Accounts not using 2FA are susceptible to these
>> attacks. We recently updated the community on this topic during ARIN 49 held
>> in Nashville and online in April. You can review this information from the
>> ARIN 49 Meeting Report (https://www.arin.net/participate/meetings/ARIN49/)
>> by looking for the presentation titled "Brute Force Login Attacks".
>>
>> It is our intention to make 2FA mandatory for all existing and new ARIN
>> Online accounts going forward. The security of ARIN Online accounts is
>> paramount to the success of the registry, and we do not believe it is
>> tenable to continue without making 2FA required for all ARIN Online
>> accounts.
>>
>> We are currently developing a second method of 2FA use with ARIN Online to
>> add to our long-deployed TOTP implementation. In the coming months, we will
>> deploy a Short Message Service (SMS) 2FA implementation, thereby adding a
>> second 2FA option for ARIN Online users. At that time, users will be able to
>> choose between two types of 2FA - SMS and TOTP. Adoption of TOTP 2FA has
>> been limited in part due to perceived complexity, and the addition of
>> SMS-based 2FA will provide a second option that is easier to use for many
>> customers - and provide much more protection than the simple
>> username-password condition of many ARIN Online user accounts today. (ARIN
>> also plans on adding support for a third 2FA option in the future - Fast
>> Identity Online 2 (FIDO2) - in response to community suggestions, but we do
>> not believe it is prudent to delay requiring 2FA on ARIN Online accounts
>> until that third option becomes available.)
>>
>> **Requiring 2FA For ARIN Online Accounts**
>>
>> By requiring 2FA for ARIN Online accounts that control number resources, the
>> ARIN community should see stronger security for the registry, reduced risk
>> of account fraud attempts, and increased confidence in the integrity of
>> their ARIN resources.
>>
>> ARIN intends to require 2FA for all ARIN Online accounts shortly after
>> SMS-based 2FA authentication is generally available. We are seeking
>> confirmation from the ARIN community regarding this plan, and ask the
>> following consultation question:
>>
>> -------------------
>> Once SMS-based two-factor authentication (2FA) is available for ARIN Online,
>> do you believe ARIN *should not* proceed with requiring 2FA authentication
>> (SMS-based or TOTP) for all ARIN Online accounts? If so, why?
>> -------------------
>>
>> The feedback you provide during this consultation will help form our path
>> forward to increasing the security of ARIN Online for all customers. Thank
>> you for your participation in the ARIN Consultation and Suggestion Process.
>> Please provide comments to [email protected]. You can subscribe to this
>> mailing list at:
>>
>> http://lists.arin.net/mailman/listinfo/arin-consult
>>
>> This consultation will remain open through 5:00 PM ET on 24 June 2022.
>>
>> Regards,
>>
>> John Curran
>> President and CEO
>> American Registry for Internet Numbers (ARIN)
>>
>> Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online
>> Accounts
>>
>>
>> _______________________________________________
>> ARIN-Consult
>> You are receiving this message because you are subscribed to the ARIN
>> Consult Mailing
>> List ([email protected]).
>> Unsubscribe or manage your mailing list subscription at:
>> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN
>> Member Services
>> Help Desk at [email protected] if you experience any issues.
---------------------------------------------------------------------------
Peter Beckman Internet Guy
[email protected] https://www.angryox.com/
---------------------------------------------------------------------------
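The three-code acceptance window Beckman describes above (previous, current and next 30-second step), as an added example that is not code from the list or from ARIN: a small RFC 6238 TOTP verifier in Python that also refuses to accept a code a second time, which is what a server should do with the remainder of that window. The secret is the RFC 4226/6238 test key; the function and class names are chosen here.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30          # RFC 6238 default time step, seconds
DIGITS = 6         # code length most authenticator apps display
DRIFT_STEPS = 1    # accept previous, current and next step: a 3 x 30 s window


def secret_from_base32(seed: str) -> bytes:
    """Decode the base32 seed an authenticator app enrols from (padding optional)."""
    seed = seed.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, submitted: str, at: int,
                drift_steps: int = DRIFT_STEPS, step: int = STEP):
    """Return the step offset (-1, 0 or +1) whose code matched, else None.

    Each candidate is compared in constant time. With drift_steps=1 a stolen
    code is usable for at most 3 * step = 90 seconds, the window the message
    above refers to.
    """
    counter = at // step
    for offset in range(-drift_steps, drift_steps + 1):
        if counter + offset < 0:      # no steps before the Unix epoch
            continue
        if hmac.compare_digest(hotp(secret, counter + offset), submitted):
            return offset
    return None


class TotpVerifier:
    """Server-side state: refuses re-use of a step once accepted (RFC 6238 s.5.2).

    This closes the replay half of the window: once the legitimate user has
    logged in, the same code is rejected even while it is still 'current'.
    """

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_counter = -1

    def check(self, submitted: str, at: int) -> bool:
        offset = verify_totp(self.secret, submitted, at)
        if offset is None:
            return False
        counter = at // STEP + offset
        if counter <= self.last_accepted_counter:
            return False  # replay of an already-consumed (or older) code
        self.last_accepted_counter = counter
        return True


# Constructed sample: the RFC 4226 / RFC 6238 test key "12345678901234567890",
# written as the base32 string an enrolment QR code would carry.
SAMPLE_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SECRET = secret_from_base32(SAMPLE_SEED)
```

`totp(SECRET, 59)` yields the last six digits of the RFC 6238 SHA-1 test vector for T=59, so the implementation can be checked against the RFC directly.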
------------------------------
Message: 2
Date: Wed, 25 May 2022 21:08:55 +0000
From: Adam Thompson <[email protected]>
To: John Curran <[email protected]>, Gert Doering <[email protected]>
Cc: "<[email protected]>" <[email protected]>
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
Authentication (2FA) for ARIN Online Accounts
Message-ID:
<yqxpr01mb632620fed9d52058a11233499b...@yqxpr01mb6326.canprd01.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
FWIW, I've had both scenarios happen to me within the last 2 years. Many
SMS-based 2FA systems suddenly broke on one of those occasions, for obvious
reasons. Both involved phones and phone numbers not under my direct control,
i.e. corporate.
-Adam
Adam Thompson
Consultant, Infrastructure Services
MERLIN
100 - 135 Innovation Drive
Winnipeg, MB R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
https://www.merlin.mb.ca
Chat with me on Teams: [email protected]
> -----Original Message-----
> From: ARIN-consult <[email protected]> On Behalf Of John
> Curran
> Sent: Wednesday, May 25, 2022 1:30 PM
> To: Gert Doering <[email protected]>
> Cc: <[email protected]> <[email protected]>
> Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
> Authentication (2FA) for ARIN Online Accounts
>
> Gert -
>
> Just curious - on those occasions where you were now on a new device,
> were you still receiving SMS messages on the same number?
>
> (i.e., if you had been using password and SMS 2FA instead, would you
> have been equally out of luck?)
>
> Thanks,
> /John
>
> John Curran
> President and CEO
> American Registry for Internet Numbers
>
> > On 25 May 2022, at 2:16 PM, Gert Doering <[email protected]> wrote:
> >
> > Hi,
> >
> > On Wed, May 25, 2022 at 11:41:14AM -0400, Ross Tajvar wrote:
> >>> I remain unconvinced that inflicting 2FA on me solves a real problem that
> >>> actually exists.
> >>
> >> I'm not sure why you (and others) seem to think 2FA is so incredibly
> >> inconvenient. In my experience, it only takes a few extra seconds, or a few
> >> extra clicks/taps depending on how it's set up. The added overhead really
> >> is very small.
> >
> > I'm generally in favour of 2FA.
> >
> > But then... last week, RIPE meeting in Berlin, with physical presence
> > there. Tried to log into the RIPE access system, only to discover that
> > The Device that has *this particular* 2FA token was left at home.
> >
> > A few months before, trying to go to Teams for a customer that required
> > "set up 2FA initially" for that account - and then turned it on for
> > "must use 2FA once a week". Yeah, no big deal. 2FA token was on an
> > Android device that was decommissioned because "old and half broken",
> > and of course, Android-to-Android "new phone!" transfers don't do that.
> >
> > Do I have a Yubikey? Yes, of course. Do I not use it for all I should?
> > Yes, because I carry around enough stuff with me...
> >
> > Just anecdotes, and me having not enough foresight? Of course.
> >
> > But 2FA is not "just a few moments and then it won't bother you
> > anymore, ever".
> >
> > Gert Doering
> > -- NetMaster
> > --
> > have you enabled IPv6 on something today...?
> >
> > SpaceNet AG                  Vorstand: Sebastian v. Bomhard, Michael Emmer
> > Joseph-Dollinger-Bogen 14    Aufsichtsratsvors.: A. Grundner-Culemann
> > D-80807 Muenchen             HRB: 136055 (AG Muenchen)
> > Tel: +49 (0)89/32356-444     USt-IdNr.: DE813185279
------------------------------
Message: 3
Date: Wed, 25 May 2022 21:33:31 +0000
From: Adam Thompson <[email protected]>
To: "<[email protected]>" <[email protected]>
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
Authentication (2FA) for ARIN Online Accounts
Message-ID:
<yqxpr01mb6326453ca7e5d1f14811bcfc9b...@yqxpr01mb6326.canprd01.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
The problem I have with MFA boils down to this:
* Everyone has a reasonably convenient "forgot my password"
feature/link/process that takes minutes, not hours.
* Almost no-one has a reasonably convenient "lost my token"
feature/link/process (...yet). Those that do can take many hours or days.
I've seen arguments along the lines of "well, just don't lose your
authenticator/token/key/thingy", but I've been locked out of MFA-secured
accounts and had to go through onerous, time-consuming processes to regain
access, I think 4 times... within my memory. One of those times was not my fault
in any way, created a very large problem with significant lasting consequences,
and was utterly irresoluble until the token situation was manually resolved by
someone else literally inventing a new process in real-time.
Hardware tokens fail: misplacing it, irretrievable loss (e.g. down a sewer
grate, into a fire, etc.), physical damage (car tire, in one case),
electrostatic damage, premature battery or component failure, clock skew, I've
seen them all.
Software authenticators fail: uninstalling the app inadvertently (or
deliberately), corrupting the app (usually inadvertent), new app update causes
it to crash (but only for 2 or 3 people, making diagnosis impossible),
forgetting the master password to the app, losing (or losing access to) the
device containing the app, I've seen all of those, too.
Any MFA system that does not permit multiple simultaneous enrolled modes of
authentication - which today seems to be the vast majority of them - causes
more problems than it solves.
I do NOT dispute the need to move away from simple userid/password
authentication, but please, please, please, at least let users protect
themselves from themselves. Allow enrolment of multiple keys, multiple TOTP
authenticators, multiple phone#s or emails to receive one-time codes, multiple
FIDO keys, etc.
I'm going to keep harping on this as long as I keep
losing/damaging/destroying/corrupting MFA tokens, both hard and soft. Right
now, my employer applies MFA via a very-large-company's-authenticator; to
mitigate what I see as an enormous risk, I have the authenticator loaded on a
backup phone that's reasonably accessible so I'm never 100% dead in the water.
Relatively few authenticators let me do this, in my experience. I can't share
TOTP keys between phones with this particular software, for some reason, using
a corporate account. I've already had to use that backup phone once, while
responding to a customer-down event - not a time when I want to be locked out
of my systems.
2FA/MFA mitigates one set of risks but introduces another. If those new risks
aren't managed/addressed/mitigated, we'll just exchange one set of problems for
a different set of problems. They're not that difficult to mitigate, as long
as it's included in the design.
-Adam
Adam Thompson
Consultant, Infrastructure Services
MERLIN
100 - 135 Innovation Drive
Winnipeg, MB R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
https://www.merlin.mb.ca
Chat with me on Teams: [email protected]
From: ARIN-consult <[email protected]> On Behalf Of Ross Tajvar
Sent: Wednesday, May 25, 2022 10:41 AM
To: Owen DeLong <[email protected]>
Cc: <[email protected]> <[email protected]>
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor Authentication
(2FA) for ARIN Online Accounts
> I remain unconvinced that inflicting 2FA on me solves a real problem that
> actually exists.
I'm not sure why you (and others) seem to think 2FA is so incredibly
inconvenient. In my experience, it only takes a few extra seconds, or a few
extra clicks/taps depending on how it's set up. The added overhead really is
very small.
> Perhaps requiring better (non-dictionary) passwords on accounts that don't have
> 2FA would be a solution more targeted at the actual problem.
How would ARIN judge the complexity of a password? As far as I'm aware,
checking if it uses dictionary words is non-trivial. And even then, a
sufficiently long passphrase using dictionary words is pretty secure (vs a
short one) - I don't think it makes sense to penalize users for that.
On Wed, May 25, 2022 at 11:35 AM Owen DeLong via ARIN-consult
<[email protected]> wrote:
> On May 25, 2022, at 08:13 , Matt Harris <[email protected]> wrote:
> > On Wed, May 25, 2022 at 2:13 AM Owen DeLong via ARIN-consult
> > <[email protected]> wrote:
> > > I'm not in favor of requiring 2FA. I agree that SMS 2FA is pretty awful, but
> > > all forms of 2FA come with a variety of inconveniences.
> > > With an account that goes back to the beginnings of ARIN online, I've never had
> > > a security problem with my ARIN online account, so I think that 2FA is a
> > > solution looking for a problem here.
> > > I know that's not a popular view among the more security conscious, but the
> > > reality is that security should be commensurate with what is being protected.
> > > Let users who think their account warrants such additional measures opt in. Let
> > > those of us who feel that our passwords are adequate continue in that manner.
> > > Owen
> > Owen,
> > The problem is that compromised ARIN accounts can result in issues that don't
> > just impact the owner of the account that held those resources. Compromised
> > ARIN accounts with resources can potentially adversely impact us all in terms
> > of upticks in spam and the resulting management burdens, at the very least, and
> > potentially in other (perhaps even thus far unforeseen) ways as well.
> I disagree... If my ARIN account is compromised, I'm going to get notified of any
> changes made. (So far, that hasn't happened). I know exactly where to go to get
> those changes reverted quickly.
> My account is associated with resources, but I remain unconvinced that
> inflicting 2FA on me solves a real problem that actually exists.
> > I do agree with your statement "security should be commensurate with what is
> > being protected." Thus, I would consider that we perhaps continue to allow
> > accounts without control of any resources to continue without requiring 2FA,
> > only requiring it when resources are allocated. An ARIN account with control of
> > nothing, or perhaps just contact records for SWIP'd space, etc, is not one that
> > is a huge hazard to the community at large imho compared to one that controls
> > ASNs or IPv4 and IPv6 resources.
> Perhaps requiring better (non-dictionary) passwords on accounts that don't have
> 2FA would be a solution more targeted at the actual problem.
> Owen
------------------------------
Subject: Digest Footer
_______________________________________________
ARIN-consult mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-consult
------------------------------
End of ARIN-consult Digest, Vol 90, Issue 16
********************************************