ARIN-consult Digest, Vol 96, Issue 8

[arin-consult-request]

Send ARIN-consult mailing list submissions to
        arin-consult@arin.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.arin.net/mailman/listinfo/arin-consult
or, via email, send a message with subject or body 'help' to
        arin-consult-requ...@arin.net

You can reach the person managing the list at
        arin-consult-ow...@arin.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ARIN-consult digest..."


Today's Topics:

   1. Re: Consultation on Expanding 2FA Options for ARIN Online
      (John Sweeting)


----------------------------------------------------------------------

Message: 1
Date: Tue, 24 Jan 2023 20:09:05 +0000
From: John Sweeting <jsweet...@arin.net>
To: Heather Schiller <h...@google.com>, Ross Tajvar <r...@tajvar.io>
Cc: Adam Thompson <athom...@athompso.net>, "arin-consult@arin.net"
        <arin-consult@arin.net>
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for
        ARIN Online
Message-ID: <e88fc534-35e2-458a-9b56-d31132192...@arin.net>
Content-Type: text/plain; charset="utf-8"



From: Heather Schiller <h...@google.com>
Date: Tuesday, January 24, 2023 at 3:06 PM
To: Ross Tajvar <r...@tajvar.io>
Cc: Adam Thompson <athom...@athompso.net>, John Sweeting <jsweet...@arin.net>, 
"arin-consult@arin.net" <arin-consult@arin.net>
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for ARIN 
Online

My inquiry about the number of human pocs, was to better understand the volume 
of risk due to a single user needing to recover their access in some way.  80% 
is not reassuring. eek.

Ok that is not what was provided, what was provided is the number of user 
accounts linked to a single POC and not a role POC. Let me get the information 
that you are actually asking for.

--h

On Tue, Jan 24, 2023 at 3:00 PM Ross Tajvar 
<r...@tajvar.io<mailto:r...@tajvar.io>> wrote:
Each account does its own 2FA. You don't need multiple hardware tokens on the 
same account unless you're sharing that account, which is unnecessary, because 
you can associate multiple accounts with one POC. I don't think limiting the 
number of tokens will cause an issue for orgs with multiple human POCs.

Maybe I'm misunderstanding your concern?

On Tue, Jan 24, 2023 at 2:58 PM Adam Thompson 
<athom...@athompso.net<mailto:athom...@athompso.net>> wrote:
I *don?t* think we can nonchalantly apply the Pareto principle to 
authentication:  how are those ~20% of accounts going to do 2FA with ARIN next 
month?  The only way I can see is to register multiple TOTP authenticators.  
Have I missed something?
-Adam

From: ARIN-consult 
<arin-consult-boun...@arin.net<mailto:arin-consult-boun...@arin.net>> On Behalf 
Of John Sweeting
Sent: Tuesday, January 24, 2023 1:56 PM
To: Heather Schiller <h...@google.com<mailto:h...@google.com>>; ARIN 
<i...@arin.net<mailto:i...@arin.net>>
Cc: arin-consult@arin.net<mailto:arin-consult@arin.net>
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for ARIN 
Online

Thanks for your input Heather.

Tangentially related, what percentage of accounts do you think have a single 
human poc?

Approximately 80% appear to have a single human poc


From: ARIN-consult 
<arin-consult-boun...@arin.net<mailto:arin-consult-boun...@arin.net>> on behalf 
of Heather Schiller via ARIN-consult 
<arin-consult@arin.net<mailto:arin-consult@arin.net>>
Reply-To: Heather Schiller <h...@google.com<mailto:h...@google.com>>
Date: Tuesday, January 24, 2023 at 2:16 PM
To: ARIN <i...@arin.net<mailto:i...@arin.net>>
Cc: "arin-consult@arin.net<mailto:arin-consult@arin.net>" 
<arin-consult@arin.net<mailto:arin-consult@arin.net>>
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for ARIN 
Online

Can we add, authorization should expire in <24hrs?  Per markk@ it expires in a 
week, which means anyone that gains access to that browser session will be able 
to effect changes.  Given that we've added more, not less, critical 
infrastructure impacting functionality to ARIN online, the security 
requirements should be stricter.

Historically, NIST explicitly recommended AGAINST using SMS as 2FA, going all 
the way back to 2016.
 "Due to the risk that SMS messages or voice calls may be intercepted or 
redirected, implementers of new systems SHOULD carefully consider alternative 
authenticators. If the out-of-band verification is to be made using the public 
switched telephone network (PSTN), the verifier SHALL verify that the 
pre-registered telephone number being used is not associated with a VoIP (or 
other software-based) service. It then sends the SMS or voice message to the 
pre-registered telephone number. Changing the pre-registered telephone number 
SHALL NOT be possible without two-factor authentication at the time of the 
change."

SMS based 2FA hasn't really gotten any better over the years.  I would not be 
in support of expanding the functionality of SMS 2FA.   Similarly, I would not 
support the use of email as 2FA either.

Tangentially related, what percentage of accounts do you think have a single 
human poc?

 --Heather

On Tue, Jan 24, 2023 at 1:54 PM ARIN <i...@arin.net<mailto:i...@arin.net>> 
wrote:
On 1 November 2022, ARIN? announced?that we will require two-factor 
authentication (2FA) on all ARIN Online accounts beginning 1 February 
2023.?ARIN currently has three options for customers to set up 2FA on their 
ARIN Online accounts:

- Time-based One-time Password (TOTP) using an authenticator of your choice
- Short Message Service (SMS) for customers within the ARIN service region
- FIDO2/Passkey-enabled Security Key

Please note: Voice 2FA is not currently available for new 2FA activations; it 
is still available to those customers who already have that method set up on 
their accounts.

Following the announcement of the planned enforcement date of 1 February 2023, 
we received several suggestions for further expansion of our authentication 
offerings, including:

- Allowing email as an authentication method
- Enabling SMS support for customers who reside outside of the ARIN service 
region
- Allowing registration of multiple hardware security keys.

We are seeking community feedback on these suggestions as well as additional 
input on our 2FA options. Specifically:

1. Would you support ARIN offering email as an additional 2FA method?

2. Given that 13% of web user accounts list phone numbers outside the ARIN 
service region, should we widen the availability of SMS, or are the other 
offered 2FA options sufficient to meet the needs of these users?

3. We agree that users should be allowed to register multiple hardware security 
keys. The question is: What is the optimal number of keys that should be 
allowed to be registered?

The feedback you provide during this consultation will help us decide the path 
forward regarding our 2FA options for ARIN Online. Thank you for your 
participation in the ARIN Consultation and Suggestion Process.

Please provide comments to arin-consult@arin.net<mailto:arin-consult@arin.net>. 
You can subscribe to this mailing list at: 
https://lists.arin.net/mailman/listinfo/arin-consult

This consultation will remain open through 5:00 PM ET on 7 February 2023.

Regards,

John Curran
President and CEO
American Registry for Internet Numbers (ARIN)

Helpful Resources:

Consultation: 
https://www.arin.net/participate/community/acsp/consultations/2023/2023-1/
Two-Factor Authentication at ARIN: https://arin.net/2FA


_______________________________________________
ARIN-Consult
You are receiving this message because you are subscribed to the ARIN Consult 
Mailing
List (ARIN-consult@arin.net<mailto:ARIN-consult@arin.net>).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN 
Member Services
Help Desk at i...@arin.net<mailto:i...@arin.net> if you experience any issues.
_______________________________________________
ARIN-Consult
You are receiving this message because you are subscribed to the ARIN Consult 
Mailing
List (ARIN-consult@arin.net<mailto:ARIN-consult@arin.net>).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN 
Member Services
Help Desk at i...@arin.net<mailto:i...@arin.net> if you experience any issues.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
<https://lists.arin.net/pipermail/arin-consult/attachments/20230124/6fd38088/attachment.htm>

------------------------------

Subject: Digest Footer

_______________________________________________
ARIN-consult mailing list
ARIN-consult@arin.net
https://lists.arin.net/mailman/listinfo/arin-consult


------------------------------

End of ARIN-consult Digest, Vol 96, Issue 8
*******************************************