Today's Topics:
1. Re: [ARIN-Consult] Consultation on Expanding 2FA Options for
ARIN Online (Ross Tajvar)
2. Re: Consultation on Expanding 2FA Options for ARIN Online
(John Sweeting)
----------------------------------------------------------------------
Message: 1
Date: Tue, 24 Jan 2023 15:51:11 -0500
From: Ross Tajvar <[email protected]>
To: Adam Thompson <[email protected]>
Cc: Richard Laager <[email protected]>, "[email protected]"
<[email protected]>
Subject: Re: [ARIN-consult] [ARIN-Consult] Consultation on Expanding
2FA Options for ARIN Online
Message-ID:
<CA+FDdDTefRyotmrHa1Qz-NLYLcK7=z9dy_wpmwo1tmt8wbh...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
On the topic of hypothetical compromise - my ARIN account hasn't been
compromised, but other accounts protected with SMS 2FA have been. I have
had money stolen via that vector. So it's a real concern for me. Maybe *my* ARIN
account isn't valuable enough to hack, but my employer's is.
I don't think we should disregard real attack vectors that definitely do
happen in the real world just because they're uncommon and the mitigations
are inconvenient to some people. I also acknowledge the importance of
disability accommodation; however, I doubt that disallowing email (or SMS)
2FA would be an issue there (though I welcome a correction if I'm wrong).
On Tue, Jan 24, 2023 at 3:36 PM Adam Thompson <[email protected]> wrote:
> Since I have a nearly magical ability to damage every authentication
> device I've ever been issued (including my phone - this one has lasted over
> a year, which I think is a record), I'm highly doubtful of any scheme that
> *assumes* any authenticator is durable. I would like a *minimum* of 3
> active - one in my pocket, one in a locked drawer at work, one in a secure
> spot at home or in my car or somewhere else.
>
> Double + 1 that number to account for rollover, and I'll already want to
> have up to 7 registered at times, for any account that's super-critical.
>
> Yes, that's about how many copies of physical keys for locks that I like
> to get made, because I lose those, too.
>
> Could I live with a limit of 10? Yeah, probably.
>
> Which is more important: keeping bad actors out, or letting authorized
> users in?
>
> All I'm hearing during this discussion is protecting accounts against
> hypothetical compromise (with IIRC no evidence this has ever happened, or
> any negative outcome has occurred previously) with no consideration of
> people who have unusual needs.
>
> (Some of those needs, definitely not all, are referred to in American law
> as "disabilities", btw. I hope someone at ARIN has thought about how the
> proposed 2FA scheme complies with the ADA?)
>
> -Adam
>
> ------------------------------
> *From:* ARIN-consult <[email protected]> on behalf of Richard
> Laager <[email protected]>
> *Sent:* Tuesday, January 24, 2023 2:22:43 PM
> *To:* [email protected] <[email protected]>
> *Subject:* Re: [ARIN-consult] [ARIN-Consult] Consultation on Expanding
> 2FA Options for ARIN Online
>
> On 1/24/23 12:56, Adam Thompson wrote:
>
> Why on earth would you set a hard-coded limit? It's not like an additional
> database table is expensive.
>
> While, in general, I understand this sentiment (real world cardinality is
> usually: 1, 2, or many), I do see two counterpoints. Even speaking in
> general, it is sometimes useful to define a limit for testing purposes. If
> you say, "We support 5", then you are hopefully actually testing 5.
>
> In this particular situation, I think the following argument is even more
> relevant:
>
> On 1/24/23 14:02, Tim Lyons via ARIN-consult wrote:
>
> In terms of allowing the registration of multiple hardware security keys,
> I suggest allowing a maximum of 3 keys to be registered. This provides
> backup options in case a user loses or misplaces their primary key but
> encourages users to be cognizant of deleting old keys that have been lost
> or become non-functional.
>
> --
> Richard
>
> _______________________________________________
> ARIN-Consult
> You are receiving this message because you are subscribed to the ARIN
> Consult Mailing
> List ([email protected]).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the
> ARIN Member Services
> Help Desk at [email protected] if you experience any issues.
>
------------------------------
Message: 2
Date: Tue, 24 Jan 2023 21:16:23 +0000
From: John Sweeting <[email protected]>
To: Chris Woodfield <[email protected]>, ARIN <[email protected]>
Cc: "<[email protected]>" <[email protected]>
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for
ARIN Online
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
From: ARIN-consult <[email protected]> on behalf of Chris Woodfield
<[email protected]>
Date: Tuesday, January 24, 2023 at 2:30 PM
To: ARIN <[email protected]>
Cc: "<[email protected]>" <[email protected]>
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for ARIN
Online
On Jan 24, 2023, at 11:16 AM, Ross Tajvar <[email protected]> wrote:
> 1. Would you support ARIN offering email as an additional 2FA method?
No. Email can be used to reset one's password. If it's used for one-time login
codes as well, that's only one authentication factor. An email compromise could
therefore easily result in account takeover, which defeats the purpose of 2FA.
Agreed. The password-reset mechanism and standard 2FA login process should not
both use the same auth path.
> 2. Given that 13% of web user accounts list phone numbers outside the ARIN
> service region, should we widen the availability of SMS, or are the other
> offered 2FA options sufficient to meet the needs of these users?
I am against SMS 2FA being offered as an option at all, so I'm ambivalent about
this.
I'm not a fan of SMS as a 2FA for all the obvious reasons, but also recognize
that requiring FIDO/TOTP as the *only* supported 2FA is a sure path to tepid
adoption. I believe that we should highly encourage users to prefer those
mechanisms over SMS but not prohibit SMS as an option.
> 3. We agree that users should be allowed to register multiple hardware
> security keys. The question is: What is the optimal number of keys that
> should be allowed to be registered?
I can't see someone reasonably needing to register more than a handful, but I
also don't think there's a good reason to set a low limit. I think 10 is a
reasonable upper bound.
The only reason I can see to limit the number of keys is to discourage the use
of a single account by multiple employees in an organization. I think a good
approach is to have a soft limit (say, 8) that can be increased on request to
help combat this. There should also be a mechanism to delete no-longer-used 2FA
keys instead of simply disabling them (Seems obvious, but I have accounts on
sites that don't allow this, leading to an ever-growing list of registered auth
apps on various phones shown in my account)
Separate question - is there a workflow for manually resetting/removing user
2FA when users lose their tokens/auth apps/phone numbers/etc? How would ARIN
staff authenticate those requests? Please, please don't make that process
involve a notary (I'm looking at you, AWS).
(JS) There are set procedures today to call into the ARIN RSD and go through
the verification process in order to recover passwords or reset 2FA options.
One of those processes is providing the answers to your challenge questions but
there are other processes that RSD will use. There are no notaries involved
with the process.
Thanks,
-Chris
On Tue, Jan 24, 2023 at 1:53 PM ARIN <[email protected]> wrote:
On 1 November 2022, ARIN announced that we will require two-factor
authentication (2FA) on all ARIN Online accounts beginning 1 February
2023. ARIN currently has three options for customers to set up 2FA on their
ARIN Online accounts:
- Time-based One-time Password (TOTP) using an authenticator of your choice
- Short Message Service (SMS) for customers within the ARIN service region
- FIDO2/Passkey-enabled Security Key
Please note: Voice 2FA is not currently available for new 2FA activations; it
is still available to those customers who already have that method set up on
their accounts.
Following the announcement of the planned enforcement date of 1 February 2023,
we received several suggestions for further expansion of our authentication
offerings, including:
- Allowing email as an authentication method
- Enabling SMS support for customers who reside outside of the ARIN service
region
- Allowing registration of multiple hardware security keys.
We are seeking community feedback on these suggestions as well as additional
input on our 2FA options. Specifically:
1. Would you support ARIN offering email as an additional 2FA method?
2. Given that 13% of web user accounts list phone numbers outside the ARIN
service region, should we widen the availability of SMS, or are the other
offered 2FA options sufficient to meet the needs of these users?
3. We agree that users should be allowed to register multiple hardware security
keys. The question is: What is the optimal number of keys that should be
allowed to be registered?
The feedback you provide during this consultation will help us decide the path
forward regarding our 2FA options for ARIN Online. Thank you for your
participation in the ARIN Consultation and Suggestion Process.
Please provide comments to [email protected].
You can subscribe to this mailing list at:
https://lists.arin.net/mailman/listinfo/arin-consult
This consultation will remain open through 5:00 PM ET on 7 February 2023.
Regards,
John Curran
President and CEO
American Registry for Internet Numbers (ARIN)
Helpful Resources:
Consultation:
https://www.arin.net/participate/community/acsp/consultations/2023/2023-1/
Two-Factor Authentication at ARIN: https://arin.net/2FA
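As an added example (my own code, not ARIN's) modelling the two points argued in the message above: a 2FA method delivered over the password-reset channel adds no independent factor, and a soft cap on registered security keys that staff can raise on request while stale keys are deleted outright. The account model, the default cap of 8 (from the "say, 8" suggestion) and the channel names are assumptions.

```python
from dataclasses import dataclass, field

# Assumed default soft cap, taken from the "say, 8" suggestion in the thread.
SOFT_KEY_LIMIT = 8


@dataclass
class Account:
    """Hypothetical model of one ARIN-Online-style account (constructed)."""
    reset_channel: str                            # where password resets go
    methods: dict = field(default_factory=dict)   # 2FA method -> delivery channel
    keys: list = field(default_factory=list)      # registered security-key ids
    key_limit: int = SOFT_KEY_LIMIT


def independent_factors(acct: Account) -> int:
    """Count factors an attacker holding only the reset channel still lacks.

    The password is factor one. A 2FA method delivered over the reset channel
    is not counted: whoever controls that channel can reset the password and
    read the login code, so it collapses into the same factor.
    """
    second = [m for m, ch in acct.methods.items() if ch != acct.reset_channel]
    return 1 + (1 if second else 0)


def register_key(acct: Account, key_id: str) -> bool:
    """Add a security key; refuse duplicates and anything past the soft cap."""
    if key_id in acct.keys or len(acct.keys) >= acct.key_limit:
        return False
    acct.keys.append(key_id)
    return True


def remove_key(acct: Account, key_id: str) -> bool:
    """Really delete a key (not just disable it) so stale entries do not pile up."""
    if key_id not in acct.keys:
        return False
    acct.keys.remove(key_id)
    return True


def raise_key_limit(acct: Account, new_limit: int) -> None:
    """Staff-approved increase of the soft cap; never lowers an existing limit."""
    acct.key_limit = max(acct.key_limit, new_limit)
```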
------------------------------
Subject: Digest Footer
_______________________________________________
ARIN-consult mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-consult
------------------------------
End of ARIN-consult Digest, Vol 96, Issue 11
********************************************