Today's Topics:
1. Re: Consultation on Expanding 2FA Options for ARIN Online
(Ross Tajvar)
2. Re: [ARIN-Consult] Consultation on Expanding 2FA Options for
ARIN Online (Tim Lyons)
----------------------------------------------------------------------
Message: 1
Date: Tue, 24 Jan 2023 15:00:38 -0500
From: Ross Tajvar <[email protected]>
To: Adam Thompson <[email protected]>
Cc: John Sweeting <[email protected]>, Heather Schiller
<[email protected]>, ARIN <[email protected]>, "[email protected]"
<[email protected]>
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for
ARIN Online
Message-ID:
<CA+FDdDRogHmOLrupkEoPpmZ-M8jyFAQXCRu+RxYxq+NHfK=f...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Each account does its own 2FA. You don't need multiple hardware tokens on
the same account unless you're sharing that account, which is unnecessary,
because you can associate multiple accounts with one POC. I don't think
limiting the number of tokens will cause an issue for orgs with multiple
human POCs.
Maybe I'm misunderstanding your concern?
On Tue, Jan 24, 2023 at 2:58 PM Adam Thompson <[email protected]> wrote:
> I don't think we can nonchalantly apply the Pareto principle to
> authentication: how are those ~20% of accounts going to do 2FA with ARIN
> next month? The only way I can see is to register multiple TOTP
> authenticators. Have I missed something?
>
> -Adam
>
>
>
> From: ARIN-consult <[email protected]> On Behalf Of John Sweeting
> Sent: Tuesday, January 24, 2023 1:56 PM
> To: Heather Schiller <[email protected]>; ARIN <[email protected]>
> Cc: [email protected]
> Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for
> ARIN Online
>
>
>
> Thanks for your input Heather.
>
>
>
> Tangentially related, what percentage of accounts do you think have a
> single human poc?
>
>
>
> Approximately 80% appear to have a single human poc
>
>
>
>
>
> From: ARIN-consult <[email protected]> on behalf of Heather
> Schiller via ARIN-consult <[email protected]>
> Reply-To: Heather Schiller <[email protected]>
> Date: Tuesday, January 24, 2023 at 2:16 PM
> To: ARIN <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for
> ARIN Online
>
>
>
> Can we add, authorization should expire in <24hrs? Per markk@ it expires
> in a week, which means anyone that gains access to that browser session
> will be able to effect changes. Given that we've added more, not less,
> critical infrastructure impacting functionality to ARIN online, the
> security requirements should be stricter.
>
>
>
> Historically, NIST explicitly recommended AGAINST using SMS as 2FA, going
> all the way back to 2016.
>
> "Due to the risk that SMS messages or voice calls may be intercepted or
> redirected, implementers of new systems SHOULD carefully consider
> alternative authenticators. If the out-of-band verification is to be made
> using the public switched telephone network (PSTN), the verifier SHALL
> verify that the pre-registered telephone number being used is not
> associated with a VoIP (or other software-based) service. It then sends the
> SMS or voice message to the pre-registered telephone number. Changing the
> pre-registered telephone number SHALL NOT be possible without two-factor
> authentication at the time of the change."
>
>
>
> SMS based 2FA hasn't really gotten any better over the years. I would not
> be in support of expanding the functionality of SMS 2FA. Similarly, I
> would not support the use of email as 2FA either.
>
>
>
> Tangentially related, what percentage of accounts do you think have a
> single human poc?
>
>
>
> --Heather
>
>
>
> On Tue, Jan 24, 2023 at 1:54 PM ARIN <[email protected]> wrote:
>
> On 1 November 2022, ARIN announced that we will require two-factor
> authentication (2FA) on all ARIN Online accounts beginning 1 February
> 2023. ARIN currently has three options for customers to set up 2FA on their
> ARIN Online accounts:
>
> - Time-based One-time Password (TOTP) using an authenticator of your choice
> - Short Message Service (SMS) for customers within the ARIN service region
> - FIDO2/Passkey-enabled Security Key
>
> Please note: Voice 2FA is not currently available for new 2FA activations;
> it is still available to those customers who already have that method set
> up on their accounts.
>
> Following the announcement of the planned enforcement date of 1 February
> 2023, we received several suggestions for further expansion of our
> authentication offerings, including:
>
> - Allowing email as an authentication method
> - Enabling SMS support for customers who reside outside of the ARIN
> service region
> - Allowing registration of multiple hardware security keys.
>
> We are seeking community feedback on these suggestions as well as
> additional input on our 2FA options. Specifically:
>
> 1. Would you support ARIN offering email as an additional 2FA method?
>
> 2. Given that 13% of web user accounts list phone numbers outside the ARIN
> service region, should we widen the availability of SMS, or are the other
> offered 2FA options sufficient to meet the needs of these users?
>
> 3. We agree that users should be allowed to register multiple hardware
> security keys. The question is: What is the optimal number of keys that
> should be allowed to be registered?
>
> The feedback you provide during this consultation will help us decide the
> path forward regarding our 2FA options for ARIN Online. Thank you for your
> participation in the ARIN Consultation and Suggestion Process.
>
> Please provide comments to [email protected]. You can subscribe to
> this mailing list at: https://lists.arin.net/mailman/listinfo/arin-consult
>
> This consultation will remain open through 5:00 PM ET on 7 February 2023.
>
> Regards,
>
> John Curran
> President and CEO
> American Registry for Internet Numbers (ARIN)
>
> Helpful Resources:
>
> Consultation:
> https://www.arin.net/participate/community/acsp/consultations/2023/2023-1/
> Two-Factor Authentication at ARIN: https://arin.net/2FA
>
>
> _______________________________________________
> ARIN-Consult
> You are receiving this message because you are subscribed to the ARIN
> Consult Mailing
> List ([email protected]).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the
> ARIN Member Services
> Help Desk at [email protected] if you experience any issues.
>
>
------------------------------
Message: 2
Date: Tue, 24 Jan 2023 20:02:59 +0000
From: Tim Lyons <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Re: [ARIN-consult] [ARIN-Consult] Consultation on Expanding
2FA Options for ARIN Online
Message-ID:
<mn2pr08mb63504e5f20d7e34b4677c6e4cc...@mn2pr08mb6350.namprd08.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
I don't recommend expanding the use of SMS for 2FA as it poses a significant
security risk. SMS messages can be intercepted or redirected by attackers,
potentially giving them access to a user's account. Therefore, I propose
removing SMS as a factor altogether and focusing on more secure options such as
Time-based One-time Password (TOTP) using an authenticator of your choice or
FIDO2/Passkey-enabled Security Key.
E-mail as an additional 2FA method is also not ideal as email accounts can be
compromised if not properly secured, but it is still a somewhat better option
than SMS.
In terms of allowing the registration of multiple hardware security keys, I
suggest allowing a maximum of 3 keys to be registered. This provides backup
options in case a user loses or misplaces their primary key but encourages
users to be cognizant of deleting old keys that have been lost or become
non-functional.
Regards,
Tim
________________________________
From: ARIN-announce <[email protected]> on behalf of ARIN
<[email protected]>
Sent: Tuesday, January 24, 2023 13:52
To: [email protected] <[email protected]>
Subject: [arin-announce] Consultation on Expanding 2FA Options for ARIN Online
On 1 November 2022, ARIN announced that we will require two-factor
authentication (2FA) on all ARIN Online accounts beginning 1 February
2023. ARIN currently has three options for customers to set up 2FA on their
ARIN Online accounts:
- Time-based One-time Password (TOTP) using an authenticator of your choice
- Short Message Service (SMS) for customers within the ARIN service region
- FIDO2/Passkey-enabled Security Key
Please note: Voice 2FA is not currently available for new 2FA activations; it
is still available to those customers who already have that method set up on
their accounts.
Following the announcement of the planned enforcement date of 1 February 2023,
we received several suggestions for further expansion of our authentication
offerings, including:
- Allowing email as an authentication method
- Enabling SMS support for customers who reside outside of the ARIN service
region
- Allowing registration of multiple hardware security keys.
We are seeking community feedback on these suggestions as well as additional
input on our 2FA options. Specifically:
1. Would you support ARIN offering email as an additional 2FA method?
2. Given that 13% of web user accounts list phone numbers outside the ARIN
service region, should we widen the availability of SMS, or are the other
offered 2FA options sufficient to meet the needs of these users?
3. We agree that users should be allowed to register multiple hardware security
keys. The question is: What is the optimal number of keys that should be
allowed to be registered?
The feedback you provide during this consultation will help us decide the path
forward regarding our 2FA options for ARIN Online. Thank you for your
participation in the ARIN Consultation and Suggestion Process.
Please provide comments to [email protected]. You can subscribe to this
mailing list at: https://lists.arin.net/mailman/listinfo/arin-consult
This consultation will remain open through 5:00 PM ET on 7 February 2023.
Regards,
John Curran
President and CEO
American Registry for Internet Numbers (ARIN)
Helpful Resources:
Consultation:
https://www.arin.net/participate/community/acsp/consultations/2023/2023-1/
Two-Factor Authentication at ARIN: https://arin.net/2FA
_______________________________________________
ARIN-Announce
You are receiving this message because you are subscribed to
the ARIN Announce Mailing List ([email protected]).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-announce
Please contact [email protected] if you experience any issues.
------------------------------
Subject: Digest Footer
_______________________________________________
ARIN-consult mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-consult
------------------------------
End of ARIN-consult Digest, Vol 96, Issue 4
*******************************************