Send ARIN-consult mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.arin.net/mailman/listinfo/arin-consult
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ARIN-consult digest..."
Today's Topics:
1. Re: Consultation on Requiring Two-Factor Authentication (2FA)
for ARIN Online Accounts (Owen DeLong)
2. Re: Consultation on Requiring Two-Factor Authentication (2FA)
for ARIN Online Accounts (Owen DeLong)
3. Re: Consultation on Requiring Two-Factor Authentication (2FA)
for ARIN Online Accounts (Ross Tajvar)
----------------------------------------------------------------------
Message: 1
Date: Wed, 25 May 2022 21:48:29 -0700
From: Owen DeLong <[email protected]>
To: Peter Beckman <[email protected]>
Cc: Gary Buhrmaster <[email protected]>,
"<[email protected]>" <[email protected]>
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
Authentication (2FA) for ARIN Online Accounts
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8
> On May 25, 2022, at 21:25, Peter Beckman <[email protected]> wrote:
>
> On Wed, 25 May 2022, Owen DeLong via ARIN-consult wrote:
>
>> A good point… Obtaining and comparing against compromised password lists
>> is fairly trivial and provides computational low hanging fruit here.
>>
>>> On May 25, 2022, at 10:15, Gary Buhrmaster <[email protected]>
>>> wrote:
>>> On Wed, May 25, 2022 at 3:41 PM Ross Tajvar <[email protected]> wrote:
>>>> .... And even then, a sufficiently long passphrase using dictionary words
>>>> is pretty secure (vs a short one)
>>> As long as the passphrase is not "correcthorsebatterystaple"
>>> which is now in lists of well known compromised passwords.
>>> (obligatory xkcd ref: https://xkcd.com/936/ )
>
>
> Yet fails to address the future.
>
> Say you change your password today, and it does not match any currently
> disclosed passwords.
>
> And tomorrow there's a huge breach and disclosure, and your email and
> password is in there, and you use the same creds for ARIN (or anywhere).
>
> If the password is properly one-way encrypted, ARIN cannot detect that
> your password is now public (easily), and now your password is known
> to the public, and now your account, and therefore ARIN-managed assets,
> are at risk, UNLESS you have 2FA on your account.
Well… ARIN can't detect that until your next (successful) login, anyway.
Remember, you present the plain text password to ARIN every time you
authenticate... It is then one-way encrypted with the same seed and algorithm
as the stored one-way encrypted password and compared to the encrypted
string.
> 2FA eliminates the risk of static data disclosure becoming a security
> liability.
Until the particular seed/algo/etc. for the 2FA is compromised (such as a
stolen hardware token, or the time when a batch of SecurID tokens were
compromised, or…
Less frequent than password compromises? Sure. Sufficiently less frequent to be
worth the inconvenience for securing something that isn't a particularly
attractive target? Not so sure.
Owen
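The verification flow Owen describes above (plaintext presented at login, re-hashed under the stored salt and algorithm, compared to the stored digest) and Peter's point that a breach list published later cannot easily be matched against the stored record, as an added example; this is not ARIN's code, and the breach corpus, the PBKDF2 work factor and the record layout are constructed for the demo:

```python
"""Added example (not ARIN's code): how a server that stores only a
salted one-way hash verifies a login, and why a compromised-password
check can only run when the plaintext is presented, i.e. at login time.
The breach list and work factor below are constructed for the demo."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; illustrative value

# Constructed stand-in for a public compromised-password corpus. Such lists
# are distributed as SHA-1 digests of the plaintexts, so they can only be
# matched against a plaintext, never against our salted PBKDF2 records.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("correcthorsebatterystaple", "password1", "letmein")
}


def create_record(password: str) -> dict:
    """Store the password one-way encrypted under a fresh random salt ("seed")."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify(record: dict, presented: str) -> bool:
    """Re-derive with the stored salt and algorithm, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", presented.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def is_breached(presented: str) -> bool:
    """Plaintext-only check against the (constructed) breach corpus."""
    return hashlib.sha1(presented.encode()).hexdigest().upper() in BREACHED_SHA1


def login(record: dict, presented: str) -> str:
    """Return 'denied', 'ok' or 'ok-but-breached'.

    The breach check runs only after a successful verify: a failed attempt
    tells us nothing about the real password, and between logins the server
    holds no plaintext to compare, so a list published tomorrow cannot be
    matched against today's stored record without re-running the KDF over
    every breached candidate with this user's salt.
    """
    if not verify(record, presented):
        return "denied"
    return "ok-but-breached" if is_breached(presented) else "ok"


if __name__ == "__main__":
    rec = create_record("correcthorsebatterystaple")
    print(login(rec, "wrong-guess"))                 # denied
    print(login(rec, "correcthorsebatterystaple"))   # ok-but-breached
```

The design point is in `login`: the only moment the server can compare against a breach corpus is immediately after a successful verification, which is exactly why a 2FA factor covers the window between the breach and that next login while a hash-only store cannot.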
------------------------------
Message: 2
Date: Wed, 25 May 2022 21:53:15 -0700
From: Owen DeLong <[email protected]>
To: Peter Beckman <[email protected]>
Cc: Ross Tajvar <[email protected]>, "<[email protected]>"
<[email protected]>
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
Authentication (2FA) for ARIN Online Accounts
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8
> On May 25, 2022, at 21:34, Peter Beckman <[email protected]> wrote:
>
> On Wed, 25 May 2022, Owen DeLong via ARIN-consult wrote:
>
>> The added overhead is small if you are in an office with your cell phone
>> handy.
>>
>> It's less convenient if your cell phone isn't handy (for a variety of
>> reasons), and you're trying to do something quickly without having to
>> retrieve said phone.
>
> What exactly are you using then to log into ARIN?!?
In many cases, Lynx on a busy-box based system.
> You do NOT need a mobile phone to use TOTP 2FA.
>
> I use 1Password on my Desktop all day long, and the same TOTP 2FA code
> generated on my desktop is the same TOTP 2FA code that is generated on my
> mobile phone.
I'm not always logging in from my desktop. I'm not even always logging in from
a machine I generally control.
What's the support for TOTP from a shared system in, say a Library or a Maker
Space? How am I supposed to secure that?
> I am feeling like you aren't hearing that TOTP 2FA has support for
> practically ALL COMPUTERS: Linux, Windows, MacOS, IOS, Android,
> Javascript/Web.
I am hearing it, I'm just saying that one size doesn't fit all and that mere OS
support isn't the only issue here.
> There is also a GitHub project code for running TOTP 2FA on a TI-83
> calculator. https://github.com/jshin313/ti-authenticator
So?
I have yet to see a good solution for putting a TOTP capability on a machine I
can't generally trust.
That's kind of like installing your SSH private keys on servers at a client
site if you're a consultant… Not too bright.
>
>
>>> Perhaps requiring better (non-dictionary) passwords on accounts that don't
>>> have 2FA would be a solution more targeted at the actual problem.
>>> How would ARIN judge the complexity of a password? As far as I'm aware,
>>> checking if it uses dictionary words is non-trivial. And even then, a
>>> sufficiently long passphrase using dictionary words is pretty secure (vs a
>>> short one) - I don't think it makes sense to penalize users for that.
>>
>> Yes, sufficient length if just words (alpha only), or sufficient entropy if
>> not long.
>>
>> Checking for dictionary words isn't completely trivial, but it's not
>> particularly computationally difficult, either.
>>
>> Plenty of sites manage to do this.
>
> This does not solve the problem if the account and password are disclosed
> in a breach, and someone is re-using passwords on ARIN and elsewhere. 2FA
> prevents the disclosure of account creds from giving an unauthorized 3rd
> party from gaining access to other/any accounts.
Someone who reuses passwords in this day and age probably deserves whatever
happens to them.
Owen
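The password rule Owen states in the quoted exchange (sufficient length if the password is just dictionary words, sufficient entropy otherwise) and his claim that a dictionary-word check is not computationally hard, as an added example that is not ARIN's code or any real site's policy; the mini-dictionary, the per-word entropy figure and both thresholds are assumptions made for the demo:

```python
"""Added example (not ARIN's code): a policy that accepts either a
passphrase of enough dictionary words or a shorter string with enough
character entropy, with the dictionary-word check done by segmentation.
The dictionary and thresholds are constructed/assumed for the demo."""
import math

# Constructed mini-dictionary; a real deployment would load a full word list.
DICTIONARY = {
    "correct", "horse", "battery", "staple", "password",
    "open", "sesame", "letter", "admin", "secret",
}
# Assumed size of a realistic word list, used for the entropy estimate of an
# all-words passphrase (log2(7776) ~= 12.9 bits per word, Diceware-sized).
WORDLIST_BITS_PER_WORD = math.log2(7776)
MIN_WORDS = 4      # assumed policy threshold for all-dictionary passphrases
MIN_BITS = 60.0    # assumed policy threshold for everything else


def segment(password: str):
    """Split the password into the fewest dictionary words that cover it
    exactly (dynamic programming over prefixes); None if no such split."""
    text = password.lower()
    n = len(text)
    best = [None] * (n + 1)
    best[0] = []
    for end in range(1, n + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in DICTIONARY:
                candidate = best[start] + [text[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[n]


def char_entropy_bits(password: str) -> float:
    """Upper-bound entropy assuming uniform choice from the character classes used."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def evaluate(password: str) -> dict:
    """Apply the two-branch rule and report which branch fired and why."""
    words = segment(password)
    if words is not None:
        # Rule 1: entirely dictionary words -> demand sufficient length (word count)
        bits = len(words) * WORDLIST_BITS_PER_WORD
        return {"words": words, "bits": round(bits, 1), "accept": len(words) >= MIN_WORDS}
    # Rule 2: not a pure word passphrase -> demand sufficient character entropy
    bits = char_entropy_bits(password)
    return {"words": None, "bits": round(bits, 1), "accept": bits >= MIN_BITS}


if __name__ == "__main__":
    for pw in ("correcthorsebatterystaple", "horsestaple", "Tr0ub4dor&3"):
        print(pw, evaluate(pw))
```

The segmentation is O(n^2) dictionary lookups per password, which is the "not particularly computationally difficult" part; what makes it non-trivial in practice is the word list itself (coverage, inflections, leetspeak variants), which this demo does not attempt.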
------------------------------
Message: 3
Date: Thu, 26 May 2022 01:00:54 -0400
From: Ross Tajvar <[email protected]>
To: Owen DeLong <[email protected]>
Cc: Matt Harris <[email protected]>, "<[email protected]>"
<[email protected]>
Subject: Re: [ARIN-consult] Consultation on Requiring Two-Factor
Authentication (2FA) for ARIN Online Accounts
Message-ID:
<ca+fdddqkn5kexv46exqadtcvec6++jxv91w4n3spt8v+-m+...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
>
> The hardware token is even less likely to be at hand in situations where
> the cell isn't handy, so that's a laughable answer.
>
Laugh all you want but this could reasonably happen to me. I keep one
hardware token on my keyring, and I always keep my keys in my pocket while
I'm not at home, but sometimes I walk away from my cell phone. Your
experiences are not universal.
> The password manager only works if the particular TOTP mechanisms
> supported by the particular implementor are also supported by your
> particular preferred password manager.
For standard code generation, all you need is the secret. I've never so
much as changed an algorithm and it's worked flawlessly the first time
every time. Yeah maybe there are some edge cases, but for the vast majority
of cases it Just Works.
On Thu, May 26, 2022 at 12:44 AM Owen DeLong <[email protected]> wrote:
>
>
> On May 25, 2022, at 20:39, Ross Tajvar <[email protected]> wrote:
>
> The added overhead is small if you are in an office with your cell phone
>> handy.
>>
>> It's less convenient if your cell phone isn't handy (for a variety of
>> reasons), and you're trying to do something quickly without having to
>> retrieve said phone.
>>
>
> I don't need my cell phone to do 2FA. I normally don't - I just use my
> password manager, or a hardware token depending on what I'm authenticating
> to. I *can* use my cell phone, but I don't have to.
>
>
> Obviously this depends on the 2FA mechanism and other factors.
>
> The hardware token is even less likely to be at hand in situations where
> the cell isn't handy, so that's a laughable answer.
>
> The password manager only works if the particular TOTP mechanisms
> supported by the particular implementor are also supported by your
> particular preferred password manager.
>
> I'm not aware of a 2FA integration mechanism for iCloud Keychain, for
> example. Happy to be proven wrong.
>
> Owen
>
>
> On Wed, May 25, 2022 at 11:00 PM Owen DeLong <[email protected]> wrote:
>
>>
>>
>> On May 25, 2022, at 08:41, Ross Tajvar <[email protected]> wrote:
>>
>> I remain unconvinced that inflicting 2FA on me solves a real problem that
>>> actually exists.
>>
>> I'm not sure why you (and others) seem to think 2FA is so incredibly
>> inconvenient. In my experience, it only takes a few extra seconds, or a few
>> extra clicks/taps depending on how it's set up. The added overhead really
>> is very small.
>>
>>
>> The added overhead is small if you are in an office with your cell phone
>> handy.
>>
>> It's less convenient if your cell phone isn't handy (for a variety of
>> reasons), and you're trying to do something quickly without having to
>> retrieve said phone.
>>
>>
>> Perhaps requiring better (non-dictionary) passwords on accounts that
>>> don't have 2FA would be a solution more targeted at the actual problem.
>>
>> How would ARIN judge the complexity of a password? As far as I'm aware,
>> checking if it uses dictionary words is non-trivial. And even then, a
>> sufficiently long passphrase using dictionary words is pretty secure (vs a
>> short one) - I don't think it makes sense to penalize users for that.
>>
>>
>> Yes, sufficient length if just words (alpha only), or sufficient entropy
>> if not long.
>>
>> Checking for dictionary words isn't completely trivial, but it's not
>> particularly computationally difficult, either.
>>
>> Plenty of sites manage to do this.
>>
>> Owen
>>
>>
>>
>> On Wed, May 25, 2022 at 11:35 AM Owen DeLong via ARIN-consult <
>> [email protected]> wrote:
>>
>>>
>>>
>>> On May 25, 2022, at 08:13, Matt Harris <[email protected]> wrote:
>>>
>>> Matt Harris | VP of Infrastructure
>>> 816-256-5446 | Direct
>>> Looking for help?
>>> *Helpdesk* <https://help.netfire.net/> | *Email Support* <[email protected]>
>>>
>>> We build customized end-to-end technology solutions powered by NetFire
>>> Cloud.
>>> On Wed, May 25, 2022 at 2:13 AM Owen DeLong via ARIN-consult <
>>> [email protected]> wrote:
>>>
>>>> I'm not in favor of requiring 2FA. I agree that SMS 2FA is pretty
>>>> awful, but all forms of 2FA come with a variety of inconveniences.
>>>>
>>>> With an account that goes back to the beginnings of ARIN online, I've
>>>> never had a security problem with my ARIN online account, so I think that
>>>> 2FA is a solution looking for a problem here.
>>>>
>>>> I know that's not a popular view among the more security conscious, but
>>>> the reality is that security should be commensurate with what is being
>>>> protected. Let users who think their account warrants such additional
>>>> measures opt in. Let those of us who feel that our passwords are adequate
>>>> continue in that manner.
>>>>
>>>> Owen
>>>>
>>>
>>> Owen,
>>> The problem is that compromised ARIN accounts can result in issues that
>>> don't just impact the owner of the account that held those resources.
>>> Compromised ARIN accounts with resources can potentially adversely impact
>>> us all in terms of upticks in spam and the resulting management burdens, at
>>> the very least, and potentially in other (perhaps even thus far unforeseen)
>>> ways as well.
>>>
>>>
>>> I disagree… If my ARIN account is compromised, I'm going to get notified
>>> of any changes made. (So far, that hasn't happened). I know exactly where
>>> to go to get those changes reverted quickly.
>>>
>>> My account is associated with resources, but I remain unconvinced that
>>> inflicting 2FA on me solves a real problem that actually exists.
>>>
>>> I do agree with your statement "security should be commensurate with
>>> what is being protected." Thus, I would consider that we perhaps continue
>>> to allow accounts without control of any resources to continue without
>>> requiring 2fa, only requiring it when resources are allocated. An ARIN
>>> account with control of nothing, or perhaps just contact records for SWIP'd
>>> space, etc, is not one that is a huge hazard to the community at large imho
>>> compared to one that controls ASNs or IPv4 and IPv6 resources.
>>>
>>>
>>> Perhaps requiring better (non-dictionary) passwords on accounts that
>>> don't have 2FA would be a solution more targeted at the actual problem.
>>>
>>> Owen
>>>
>>> _______________________________________________
>>> ARIN-Consult
>>> You are receiving this message because you are subscribed to the ARIN
>>> Consult Mailing
>>> List ([email protected]).
>>> Unsubscribe or manage your mailing list subscription at:
>>> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the
>>> ARIN Member Services
>>> Help Desk at [email protected] if you experience any issues.
>>
>>
>
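Ross's point in the message above that "for standard code generation, all you need is the secret" is a property of the TOTP algorithm itself (RFC 6238 on top of RFC 4226 HOTP), so any desktop password manager, phone app or hardware device holding the same secret produces the same code. The following is an added example, not code from any post in this thread or from any authenticator product; it uses the RFC 6238 reference key (not a real credential) and shows both the generator and the verifier-side check with a small clock-skew window:

```python
"""Added example (not from any post here or any authenticator product):
RFC 4226 HOTP / RFC 6238 TOTP computed from nothing but the shared secret,
plus the verifier-side check with a small skew window.
The key used in __main__ is the RFC 6238 reference key, not a real credential."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC the big-endian counter, dynamically truncate, keep `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, at // step, digits, algo)


def decode_base32_secret(b32: str) -> bytes:
    """Secrets in otpauth:// URIs are unpadded base32; restore padding first."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Verifier side: accept the current step and `window` steps either side
    (clock skew), comparing in constant time. A production verifier must also
    refuse to accept the same code twice within a step (replay)."""
    return any(
        hmac.compare_digest(totp(secret, at + k * step, step), code)
        for k in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 reference key "12345678901234567890" as it would appear in a QR/URI
    key = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(key, int(time.time())))  # the code any TOTP app holding this key shows now
```

Because the shared secret is the only input besides the clock, the security of the scheme rests entirely on where that secret is stored, which is the concern Owen raises about untrusted shared machines: a TOTP secret placed on a host you do not control is exposed in the same way an SSH private key would be.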
------------------------------
Subject: Digest Footer
_______________________________________________
ARIN-consult mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-consult
------------------------------
End of ARIN-consult Digest, Vol 90, Issue 24
********************************************