

Today's Topics:

   1. Consultation on Expanding 2FA Options for ARIN Online (ARIN)
   2. Re: [General-members] Consultation on Expanding 2FA Options
      for ARIN Online (Adam Thompson)
   3. Re: Consultation on Expanding 2FA Options for ARIN Online
      (Ross Tajvar)
   4. Re: Consultation on Expanding 2FA Options for ARIN Online
      (Heather Schiller)


----------------------------------------------------------------------

Message: 1
Date: Tue, 24 Jan 2023 13:53:23 -0500
From: ARIN <i...@arin.net>
To: <arin-consult@arin.net>
Subject: [ARIN-consult] Consultation on Expanding 2FA Options for ARIN Online
Message-ID: <348341ba-2812-466e-ab94-b59fb9d04...@arin.net>
Content-Type: text/plain;       charset="UTF-8"

On 1 November 2022, ARIN announced that we will require two-factor 
authentication (2FA) on all ARIN Online accounts beginning 1 February 
2023. ARIN currently has three options for customers to set up 2FA on their 
ARIN Online accounts:

- Time-based One-time Password (TOTP) using an authenticator of your choice
- Short Message Service (SMS) for customers within the ARIN service region
- FIDO2/Passkey-enabled Security Key

Please note: Voice 2FA is not currently available for new 2FA activations; it 
is still available to those customers who already have that method set up on 
their accounts.

Following the announcement of the planned enforcement date of 1 February 2023, 
we received several suggestions for further expansion of our authentication 
offerings, including:

- Allowing email as an authentication method
- Enabling SMS support for customers who reside outside of the ARIN service 
region
- Allowing registration of multiple hardware security keys.

We are seeking community feedback on these suggestions as well as additional 
input on our 2FA options. Specifically:

1. Would you support ARIN offering email as an additional 2FA method?

2. Given that 13% of web user accounts list phone numbers outside the ARIN 
service region, should we widen the availability of SMS, or are the other 
offered 2FA options sufficient to meet the needs of these users?

3. We agree that users should be allowed to register multiple hardware security 
keys. The question is: What is the optimal number of keys that should be 
allowed to be registered?

The feedback you provide during this consultation will help us decide the path 
forward regarding our 2FA options for ARIN Online. Thank you for your 
participation in the ARIN Consultation and Suggestion Process.

Please provide comments to arin-consult@arin.net. You can subscribe to this 
mailing list at: https://lists.arin.net/mailman/listinfo/arin-consult

This consultation will remain open through 5:00 PM ET on 7 February 2023.

Regards,

John Curran
President and CEO
American Registry for Internet Numbers (ARIN)

Helpful Resources:

Consultation: 
https://www.arin.net/participate/community/acsp/consultations/2023/2023-1/
Two-Factor Authentication at ARIN: https://arin.net/2FA




------------------------------

Message: 2
Date: Tue, 24 Jan 2023 18:56:07 +0000
From: Adam Thompson <athom...@athompso.net>
To: "arin-consult@arin.net" <arin-consult@arin.net>
Subject: Re: [ARIN-consult] [General-members] Consultation on Expanding 2FA Options for ARIN Online
Message-ID: <yt2pr01mb46227a0e337fcd09bc295060ab...@yt2pr01mb4622.canprd01.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"

> 1. Would you support ARIN offering email as an additional 2FA method?

Yes.


> 2. Given that 13% of web user accounts list phone numbers outside the ARIN 
> service region, should we widen the availability of SMS, or are the other 
> offered 2FA options sufficient to meet the needs of these users?

You should not limit SMS to the "ARIN Service Region" since by ARIN's own 
bylaws, people outside that geographic region can be ARIN customers.


> 3. We agree that users should be allowed to register multiple hardware 
> security keys. The question is: What is the optimal number of keys that 
> should be allowed to be registered?

Functionally infinite.  Why on earth would you set a hard-coded limit?  It's 
not like an additional database table is expensive.  If you have to set a 
limit, it should be something large like 2^32.


-Adam

------------------------------

Message: 3
Date: Tue, 24 Jan 2023 14:16:07 -0500
From: Ross Tajvar <r...@tajvar.io>
To: ARIN <i...@arin.net>
Cc: arin-consult@arin.net
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for ARIN Online
Message-ID: <CA+FDdDT=g5c3wnd9askw1escbh1tppx9bq9sggr2aajkmnz...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

> 1. Would you support ARIN offering email as an additional 2FA method?
*No.* Email can be used to reset one's password. If it's used for one-time
login codes as well, that's only one authentication factor. An email
compromise could therefore easily result in account takeover, which defeats
the purpose of 2FA.

> 2. Given that 13% of web user accounts list phone numbers outside the
> ARIN service region, should we widen the availability of SMS, or are the
> other offered 2FA options sufficient to meet the needs of these users?
I am against SMS 2FA being offered as an option at all, so I'm ambivalent
about this.

> 3. We agree that users should be allowed to register multiple hardware
> security keys. The question is: What is the optimal number of keys that
> should be allowed to be registered?
I can't see someone reasonably needing to register more than a handful, but
I also don't think there's a good reason to set a low limit. I think 10 is
a reasonable upper bound.


------------------------------

Message: 4
Date: Tue, 24 Jan 2023 14:16:32 -0500
From: Heather Schiller <h...@google.com>
To: ARIN <i...@arin.net>
Cc: arin-consult@arin.net
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for ARIN Online
Message-ID: <caeabp57xkarhr3fqf8pj-e3hjinh+ujari9ycrzcs2q538q...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Can we add: authorization should expire in <24hrs? Per markk@ it expires
in a week, which means anyone that gains access to that browser session
will be able to effect changes. Given that we've added more, not less,
critical infrastructure impacting functionality to ARIN Online, the
security requirements should be stricter.

Historically, NIST explicitly recommended AGAINST using SMS as 2FA, going
all the way back to 2016.
"Due to the risk that SMS messages or voice calls may be intercepted or
redirected, implementers of new systems SHOULD carefully consider
alternative authenticators. If the out-of-band verification is to be made
using the public switched telephone network (PSTN), the verifier SHALL
verify that the pre-registered telephone number being used is not
associated with a VoIP (or other software-based) service. It then sends the
SMS or voice message to the pre-registered telephone number. Changing the
pre-registered telephone number SHALL NOT be possible without two-factor
authentication at the time of the change."

SMS based 2FA hasn't really gotten any better over the years.  I would not
be in support of expanding the functionality of SMS 2FA.   Similarly, I
would not support the use of email as 2FA either.

Tangentially related, what percentage of accounts do you think have a
single human poc?

 --Heather

On Tue, Jan 24, 2023 at 1:54 PM ARIN <i...@arin.net> wrote:

> On 1 November 2022, ARIN? announced?that we will require two-factor
> authentication (2FA) on all ARIN Online accounts beginning 1 February
> 2023.?ARIN currently has three options for customers to set up 2FA on their
> ARIN Online accounts:
>
> - Time-based One-time Password (TOTP) using an authenticator of your choice
> - Short Message Service (SMS) for customers within the ARIN service region
> - FIDO2/Passkey-enabled Security Key
>
> Please note: Voice 2FA is not currently available for new 2FA activations;
> it is still available to those customers who already have that method set
> up on their accounts.
>
> Following the announcement of the planned enforcement date of 1 February
> 2023, we received several suggestions for further expansion of our
> authentication offerings, including:
>
> - Allowing email as an authentication method
> - Enabling SMS support for customers who reside outside of the ARIN
> service region
> - Allowing registration of multiple hardware security keys.
>
> We are seeking community feedback on these suggestions as well as
> additional input on our 2FA options. Specifically:
>
> 1. Would you support ARIN offering email as an additional 2FA method?
>
> 2. Given that 13% of web user accounts list phone numbers outside the ARIN
> service region, should we widen the availability of SMS, or are the other
> offered 2FA options sufficient to meet the needs of these users?
>
> 3. We agree that users should be allowed to register multiple hardware
> security keys. The question is: What is the optimal number of keys that
> should be allowed to be registered?
>
> The feedback you provide during this consultation will help us decide the
> path forward regarding our 2FA options for ARIN Online. Thank you for your
> participation in the ARIN Consultation and Suggestion Process.
>
> Please provide comments to arin-consult@arin.net. You can subscribe to
> this mailing list at: https://lists.arin.net/mailman/listinfo/arin-consult
>
> This consultation will remain open through 5:00 PM ET on 7 February 2023.
>
> Regards,
>
> John Curran
> President and CEO
> American Registry for Internet Numbers (ARIN)
>
> Helpful Resources:
>
> Consultation:
> https://www.arin.net/participate/community/acsp/consultations/2023/2023-1/
> Two-Factor
> <https://www.arin.net/participate/community/acsp/consultations/2023/2023-1/Two-Factor>
> Authentication at ARIN: https://arin.net/2FA
>
>
> _______________________________________________
> ARIN-Consult
> You are receiving this message because you are subscribed to the ARIN
> Consult Mailing
> List (ARIN-consult@arin.net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the
> ARIN Member Services
> Help Desk at i...@arin.net if you experience any issues.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
<https://lists.arin.net/pipermail/arin-consult/attachments/20230124/75ccfb1f/attachment.htm>

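Ross's point that e-mail one-time codes plus e-mail password reset collapse to a single factor, and the quoted NIST requirement that the phone number on file must not be changeable without 2FA, can both be checked with a small threat model of login and recovery paths. This is an added example, not ARIN's code; the asset names, login policies and recovery rules are constructed.

```python
# Added example, not ARIN's code: a small model of login paths and account
# recovery paths. Asset names, policies and recovery rules are constructed.
from itertools import combinations

def closure(held, recovery):
    """Grow the held assets via recovery rules (needs, grants) to a fixed point."""
    held = set(held)
    changed = True
    while changed:
        changed = False
        for needs, grants in recovery:
            if needs <= held and grants not in held:
                held.add(grants)
                changed = True
    return held

def can_login(held, login_paths, recovery):
    """True if some login path is satisfiable from the held assets."""
    reach = closure(held, recovery)
    return any(path <= reach for path in login_paths)

def minimal_cut_sets(assets, login_paths, recovery):
    """Smallest asset sets whose compromise alone is enough to log in."""
    found = []
    for k in range(1, len(assets) + 1):
        for combo in combinations(sorted(assets), k):
            s = frozenset(combo)
            if any(f <= s for f in found):  # superset of a known cut set
                continue
            if can_login(s, login_paths, recovery):
                found.append(s)
    return sorted(found, key=lambda s: (len(s), sorted(s)))

ASSETS = {"password", "inbox", "phone", "totp_device"}
# Password reset link lands in the inbox (constructed, but common practice).
RESET_VIA_INBOX = [(frozenset({"inbox"}), "password")]
# Weaker variant: the phone number on file can also be changed from the inbox
# alone (no second factor), which the quoted NIST text forbids.
PHONE_CHANGE_VIA_INBOX = RESET_VIA_INBOX + [(frozenset({"inbox"}), "phone")]
EMAIL_OTP = [frozenset({"password", "inbox"})]   # e-mail as the second factor
TOTP = [frozenset({"password", "totp_device"})]
SMS = [frozenset({"password", "phone"})]

def compare():
    """Minimal takeover sets per policy; a one-element set means 2FA collapsed."""
    return {
        "email_otp": minimal_cut_sets(ASSETS, EMAIL_OTP, RESET_VIA_INBOX),
        "totp": minimal_cut_sets(ASSETS, TOTP, RESET_VIA_INBOX),
        "sms_strict": minimal_cut_sets(ASSETS, SMS, RESET_VIA_INBOX),
        "sms_weak": minimal_cut_sets(ASSETS, SMS, PHONE_CHANGE_VIA_INBOX),
    }
```

With the inbox as the password-reset channel, e-mail OTP is taken over by the inbox alone, while TOTP or SMS still need two assets; the SMS policy degrades to the same single point of failure as soon as the phone number can be changed from the inbox.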
------------------------------
