Send ARIN-consult mailing list submissions to
        arin-consult@arin.net

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.arin.net/mailman/listinfo/arin-consult
or, via email, send a message with subject or body 'help' to
        arin-consult-requ...@arin.net

You can reach the person managing the list at
        arin-consult-ow...@arin.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of ARIN-consult digest..."


Today's Topics:

   1. Re: [ARIN-Consult] Consultation on Expanding 2FA Options for
      ARIN Online (Richard Laager)
   2. Re: [ARIN-Consult] Consultation on Expanding 2FA Options for
      ARIN Online (Adam Thompson)
   3. Re: [ARIN-Consult] Consultation on Expanding 2FA Options for
      ARIN Online (Chris Woodfield)
   4. Re: [ARIN-Consult] Consultation on Expanding 2FA Options for
      ARIN Online (Richard Laager)


----------------------------------------------------------------------

Message: 1
Date: Tue, 24 Jan 2023 14:22:43 -0600
From: Richard Laager <rlaa...@wiktel.com>
To: arin-consult@arin.net
Subject: Re: [ARIN-consult] [ARIN-Consult] Consultation on Expanding
        2FA Options for ARIN Online
Message-ID: <7757cfe3-fe04-c0d6-39b8-f52e0d57e...@wiktel.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

On 1/24/23 12:56, Adam Thompson wrote:
> Why on earth would you set a hard-coded limit?  It's not like an additional 
> database table is expensive.
While, in general, I understand this sentiment (real world cardinality 
is usually: 1, 2, or many), I do see two counterpoints. Even speaking in 
general, it is sometimes useful to define a limit for testing purposes. 
If you say, "We support 5", then you are hopefully actually testing 5.

In this particular situation, I think the following argument is even 
more relevant:

On 1/24/23 14:02, Tim Lyons via ARIN-consult wrote:
> In terms of allowing the registration of multiple hardware security 
> keys, I suggest allowing a maximum of 3 keys to be registered. This 
> provides backup options in case a user loses or misplaces their 
> primary key but encourages users to be cognizant of deleting old keys 
> that have been lost or become non-functional.

-- 
Richard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
<https://lists.arin.net/pipermail/arin-consult/attachments/20230124/7da3209d/attachment-0001.htm>

------------------------------

Message: 2
Date: Tue, 24 Jan 2023 20:36:03 +0000
From: Adam Thompson <athom...@athompso.net>
To: Richard Laager <rlaa...@wiktel.com>, "arin-consult@arin.net"
        <arin-consult@arin.net>
Subject: Re: [ARIN-consult] [ARIN-Consult] Consultation on Expanding
        2FA Options for ARIN Online
Message-ID: <yt2pr01mb4622ea9df591ad7e1d1cb4daab...@yt2pr01mb4622.canprd01.prod.outlook.com>
Content-Type: text/plain; charset="us-ascii"

Since I have a nearly magical ability to damage every authentication device 
I've ever been issued (including my phone - this one has lasted over a year, 
which I think is a record), I'm highly doubtful of any scheme that *assumes* 
any authenticator is durable.  I would like a *minimum* of 3 active - one in my 
pocket, one in a locked drawer at work, one in a secure spot at home or in my 
car or somewhere else.

Double + 1 that number to account for rollover, and I'll already want to have 
up to 7 registered at times, for any account that's super-critical.

Yes, that's about how many copies of physical keys for locks that I like to get 
made, because I lose those, too.

Could I live with a limit of 10? Yeah, probably.

Which is more important: keeping bad actors out, or letting authorized users in?

All I'm hearing during this discussion is protecting accounts against 
hypothetical compromise (with IIRC no evidence this has ever happened, or any 
negative outcome has occurred previously) with no consideration of people who 
have unusual needs.

(Some of those needs, definitely not all, are referred to in American law as 
"disabilities", btw.  I hope someone at ARIN has thought about how the proposed 
2FA scheme complies with the ADA?)

-Adam

Get Outlook for Android<https://aka.ms/AAb9ysg>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
<https://lists.arin.net/pipermail/arin-consult/attachments/20230124/ebb301ef/attachment-0001.htm>

------------------------------

Message: 3
Date: Tue, 24 Jan 2023 12:48:41 -0800
From: Chris Woodfield <ch...@semihuman.com>
To: Adam Thompson <athom...@athompso.net>
Cc: Richard Laager <rlaa...@wiktel.com>, "arin-consult@arin.net"
        <arin-consult@arin.net>
Subject: Re: [ARIN-consult] [ARIN-Consult] Consultation on Expanding
        2FA Options for ARIN Online
Message-ID: <6e2ee760-9974-4fb7-8de3-3d45e89e6...@semihuman.com>
Content-Type: text/plain; charset="us-ascii"



> On Jan 24, 2023, at 12:36 PM, Adam Thompson <athom...@athompso.net> wrote:
> 
> 
> Which is more important: keeping bad actors out, or letting authorized users 
> in?
> 
> All I'm hearing during this discussion is protecting accounts against 
> hypothetical compromise (with IIRC no evidence this has ever happened, or any 
> negative outcome has occurred previously) with no consideration of people who 
> have unusual needs.
> 
> (Some of those needs, definitely not all, are referred to in American law as 
> "disabilities", btw.  I hope someone at ARIN has thought about how the 
> proposed 2FA scheme complies with the ADA?)
> 
> -Adam 
> 

Hence my recommendation that if a limit is set, it should not be a hard limit, 
and allow for the limit to be raised upon request (presumably after a manual 
authentication of the request by ARIN staff). 

-C

-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
<https://lists.arin.net/pipermail/arin-consult/attachments/20230124/f524c666/attachment-0001.htm>
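An added example, not ARIN's code and not anything posted by the thread's authors, of the design Chris sketches above: a soft per-account cap on registered security keys (Tim's proposed default of 3), which staff can raise on a verified request (up to Adam's "up to 7", with a hard ceiling of 10), plus a stale-key report to nudge users toward deleting keys they no longer use. The constants, the `Account`/`SecurityKey`/`LimitOverride` types, the credential IDs and the timestamps are all constructed for illustration; nothing here reflects how ARIN Online actually stores or limits keys.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical policy constants (not ARIN's): the default cap proposed in the
# thread, and the highest cap staff may grant on a manually verified request.
DEFAULT_KEY_LIMIT = 3
ABSOLUTE_KEY_LIMIT = 10


class KeyLimitReached(Exception):
    """Raised when registering another key would exceed the account's cap."""


@dataclass
class SecurityKey:
    credential_id: str            # e.g. a WebAuthn credential ID; sample values are constructed
    label: str
    registered_at: datetime
    last_used_at: Optional[datetime] = None


@dataclass
class LimitOverride:
    limit: int
    approved_by: str              # staff member who verified the request
    approved_at: datetime
    reason: str


@dataclass
class Account:
    handle: str
    keys: list = field(default_factory=list)
    override: Optional[LimitOverride] = None

    def effective_limit(self) -> int:
        """Soft limit: the default unless staff have recorded a raise."""
        return self.override.limit if self.override else DEFAULT_KEY_LIMIT

    def register_key(self, key: SecurityKey) -> int:
        """Add a key, refusing duplicates and enforcing the cap. Returns the new count."""
        if any(k.credential_id == key.credential_id for k in self.keys):
            raise ValueError(f"{key.credential_id} is already registered")
        if len(self.keys) >= self.effective_limit():
            raise KeyLimitReached(
                f"{self.handle} has {len(self.keys)} keys (limit {self.effective_limit()}); "
                "remove a stale key or ask staff to raise the limit")
        self.keys.append(key)
        return len(self.keys)

    def remove_key(self, credential_id: str) -> int:
        """Delete a key by credential ID. Returns the remaining count."""
        remaining = [k for k in self.keys if k.credential_id != credential_id]
        if len(remaining) == len(self.keys):
            raise KeyError(credential_id)
        self.keys = remaining
        return len(self.keys)

    def stale_keys(self, now: datetime, max_idle: timedelta) -> list:
        """Credential IDs unused for longer than max_idle: candidates for pruning.
        A never-used key counts from its registration date, so a fresh spare is not flagged."""
        return [k.credential_id for k in self.keys
                if now - (k.last_used_at or k.registered_at) > max_idle]


def raise_limit(account: Account, new_limit: int, approved_by: str,
                reason: str, now: datetime) -> LimitOverride:
    """Record a staff-approved raise of the cap, never above the absolute ceiling."""
    if not approved_by:
        raise ValueError("an override must name the approving staff member")
    if not DEFAULT_KEY_LIMIT < new_limit <= ABSOLUTE_KEY_LIMIT:
        raise ValueError(f"limit must be in ({DEFAULT_KEY_LIMIT}, {ABSOLUTE_KEY_LIMIT}]")
    account.override = LimitOverride(new_limit, approved_by, now, reason)
    return account.override


def run_scenario() -> dict:
    """Constructed walk-through: a user fills the default cap, is blocked on a 4th
    key, staff raise the cap to 7, and the stale report flags the key idle for over a year."""
    t0 = datetime(2023, 1, 24, tzinfo=timezone.utc)
    acct = Account("EXAMPLE-HANDLE")
    for i in range(DEFAULT_KEY_LIMIT):
        # cred-0 used today, cred-1 200 days ago, cred-2 400 days ago
        acct.register_key(SecurityKey(f"cred-{i}", f"key {i}",
                                      registered_at=t0 - timedelta(days=500),
                                      last_used_at=t0 - timedelta(days=200 * i)))
    blocked = False
    try:
        acct.register_key(SecurityKey("cred-3", "spare", registered_at=t0))
    except KeyLimitReached:
        blocked = True
    raise_limit(acct, 7, "staff-example", "backups kept at home, work and car", t0)
    count_after = acct.register_key(SecurityKey("cred-3", "spare", registered_at=t0))
    return {
        "blocked_at_default": blocked,
        "limit_after_raise": acct.effective_limit(),
        "count_after_raise": count_after,
        "stale": acct.stale_keys(t0, timedelta(days=365)),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the override record is that the raise is itself an auditable event: who approved it, when, and why, so a later review can tell a legitimate "I keep spares in three places" request from an unexplained jump to the ceiling.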

------------------------------

Message: 4
Date: Tue, 24 Jan 2023 14:50:41 -0600
From: Richard Laager <rlaa...@wiktel.com>
To: Adam Thompson <athom...@athompso.net>
Cc: "arin-consult@arin.net" <arin-consult@arin.net>
Subject: Re: [ARIN-consult] [ARIN-Consult] Consultation on Expanding
        2FA Options for ARIN Online
Message-ID: <d0e76e36-6709-3eb7-6ff9-dfc6aa3ee...@wiktel.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

On 1/24/23 14:36, Adam Thompson wrote:
> Double + 1 that number to account for rollover, and I'll already want 
> to have up to 7 registered at times, for any account that's 
> super-critical.

Where is the doubling coming from?

I follow the + 1 to allow for rollover.

-- 
Richard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: 
<https://lists.arin.net/pipermail/arin-consult/attachments/20230124/bfd81101/attachment.htm>

------------------------------

Subject: Digest Footer

_______________________________________________
ARIN-consult mailing list
ARIN-consult@arin.net
https://lists.arin.net/mailman/listinfo/arin-consult


------------------------------

End of ARIN-consult Digest, Vol 96, Issue 10
********************************************
