Send ARIN-consult mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.arin.net/mailman/listinfo/arin-consult
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ARIN-consult digest..."
Today's Topics:
1. Re: Consultation on Expanding 2FA Options for ARIN Online
(Chris Woodfield)
2. Re: [ARIN-Consult] Consultation on Expanding 2FA Options for
ARIN Online (Adam Thompson)
----------------------------------------------------------------------
Message: 1
Date: Tue, 24 Jan 2023 13:39:21 -0800
From: Chris Woodfield <[email protected]>
To: David Farmer <[email protected]>, "<[email protected]>"
<[email protected]>
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for
ARIN Online
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
Would requiring TOTP/FIDO (and not allowing SMS) be more palatable if ARIN were
able/willing to furnish yubikeys (or alternate authenticators) to users free of
charge? I don?t know what these cost in bulk nowadays, but it?s probably right
on the edge of reasonable for this use case.
Thanks,
-Chris
> On Jan 24, 2023, at 1:31 PM, David Farmer via ARIN-consult
> <[email protected]> wrote:
>
>
>
> On Tue, Jan 24, 2023 at 12:53 PM ARIN <[email protected] <mailto:[email protected]>>
> wrote:
>> 1. Would you support ARIN offering email as an additional 2FA method?
> As mentioned, email is used for password changes; also, allowing it for 2FA
> is a bad idea.
>
>> 2. Given that 13% of web user accounts list phone numbers outside the ARIN
>> service region, should we widen the availability of SMS, or are the other
>> offered 2FA options sufficient to meet the needs of these users?
> As SMS has several weaknesses, I prefer SMS was not allowed at all.
> Nevertheless, if SMS is allowed, I don't see the point in restricting it to
> the ARIN service region. Furthermore, it could be more important for those
> outside the ARIN service region in case of technology restrictions or
> embargos on the more secure FIDO or TOTP technologies.
>
>> 3. We agree that users should be allowed to register multiple hardware
>> security keys. The question is: What is the optimal number of keys that
>> should be allowed to be registered?
> 10 is a reasonable limit.
>
> --
> ===============================================
> David Farmer Email:[email protected]
> <mailto:email%[email protected]>
> Networking & Telecommunication Services
> Office of Information Technology
> University of Minnesota
> 2218 University Ave SE Phone: 612-626-0815
> Minneapolis, MN 55414-3029 Cell: 612-812-9952
> ===============================================
> _______________________________________________
> ARIN-Consult
> You are receiving this message because you are subscribed to the ARIN Consult
> Mailing
> List ([email protected]).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN
> Member Services
> Help Desk at [email protected] if you experience any issues.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.arin.net/pipermail/arin-consult/attachments/20230124/bad404c9/attachment-0001.htm>
------------------------------
Message: 2
Date: Tue, 24 Jan 2023 21:40:21 +0000
From: Adam Thompson <[email protected]>
To: Ross Tajvar <[email protected]>
Cc: Richard Laager <[email protected]>, "[email protected]"
<[email protected]>
Subject: Re: [ARIN-consult] [ARIN-Consult] Consultation on Expanding
2FA Options for ARIN Online
Message-ID:
<yt2pr01mb4622b8c04f010cb399ffa19dab...@yt2pr01mb4622.canprd01.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"
I don?t know myself whether there are any users with disabilities that would
preclude the use of TOTP; my guess is there aren?t, whether because those
people don?t exist or whether TOTP isn?t a problem ? dunno.
I meant only exactly what I said, that I hope someone has put more than a few
seconds? thought about that into this. Legal ramifications COULD occur, albeit
with low likelihood.
The main reason to allow SMS 2FA, despite its known weaknesses, is simply that
the entire world is very much not ready for FIDO/TOTP yet. As Chris said,
requiring only FIDO/TOTP is an excellent way to alienate people, especially the
US and Canada, where non-SMS-based 2FA is still uncommon. I have precisely one
system that requires non-SMS, non-email 2FA, and that was forced upon my org by
external requirements. I really do not want to add more. Even the email-based
2FA systems have a high chance of causing a catch-22 situation.
IMO, the least-bad 2FA system is one that lets me authenticate via whatever
system I can right at the moment. If my AS has been hijacked, will I be able
to receive email? SMS would probably still work, as would TOTP. If my phone
is broken, what options do I have for logging in?
A perfectly secure system is a perfectly unusable system. The balance between
security and usability has been axiomatic in computing since before I was born.
It?s not really up for debate right now.
I DO NOT WANT SECURITY that presents any significant chance of denying me
access to my own accounts and resources. SMS or email-based 2FA schemes are a
giant PITA, but both are fairly easily recoverable when (not if) I lose access
to them. Are they good 2FA? No. Absolutely not. Are they better than
nothing? Yes.
This entire discussion feels like https://xkcd.com/538/ to me. If someone
wants access to my ARIN resources, one of the easier ways in would be to
physically threaten me or my family, and the best 2FA implementations in the
world do nothing (AFAIK) to protect against that. The specific technique or
technology involved won?t make any difference.
The people who insist that SMS shouldn?t be allowed, that email shouldn?t be
allowed, that there should be a maximum of 3 TOTPs or keys registered ? you are
alienating me, a user of ARIN resources. You are driving me away from the
community. And when the pain of logging in to ARIN exceeds the pain of not
having up-to-date SWIPs or contact info, guess what?ll happen? The database is
already riddled with garbage/obsolete information, adding more security is
going to make that situation worse, not better.
The goal should be to add the minimum increment of security that satisfies the
business objective. Unfortunately, the business objective here seems to have
been ?add 2FA? which is a technical objective, not a business objective.
Someone with the technical skills of your grandmother is probably the ARIN
contact of record for some resource or other ? and it?s likely a job they
inherited and have no idea what to do with. Can you imagine getting your
grandparents to deal with 2FA?
Unhappy about the whole process from start to finish, as it?s very clearly (to
me) the tail wagging the dog. A solution in search of a problem, if you prefer
that wording. Just enforcing password length > 20 would have increased
security without needing 2FA. (Obviously not increased *enough* to satisfy
everyone, but my statement stands.)
BTW: having been the technical architect for a cellular telephone company in
Canada, yes, I know exactly how easy it is and isn?t to divert SMS at the
network/carrier level. It?s a non-zero risk, but it?s *still better than
nothing*.
-Adam
From: Ross Tajvar <[email protected]>
Sent: Tuesday, January 24, 2023 2:51 PM
To: Adam Thompson <[email protected]>
Cc: Richard Laager <[email protected]>; [email protected]
Subject: Re: [ARIN-consult] [ARIN-Consult] Consultation on Expanding 2FA
Options for ARIN Online
On the topic of hypothetical compromise - my ARIN account hasn't been
compromised, but other accounts protected with SMS 2FA have been. I have had
money stolen via that vector. So it's a real concern for me. Maybe my ARIN
account isn't valuable enough to hack, but my employer's is.
I don't think we should disregard real attack vectors that definitely do happen
in the real world just because they're uncommon and the mitigations are
inconvenient to some people. I also acknowledge the importance of disability
accommodation; however, I doubt that disallowing email (or SMS) 2FA would be an
issue there (though I welcome a correction if I'm wrong).
On Tue, Jan 24, 2023 at 3:36 PM Adam Thompson
<[email protected]<mailto:[email protected]>> wrote:
Since I have a nearly magical ability to damage every authentication device
I've ever been issued (including my phone - this one has lasted over a year,
which I think is av record), I'm highly doubtful of any scheme that *assumes*
any authenticator is durable. I would like a *minimum* of 3 active - one in my
pocket, one in a locked drawer at work, one in a secure spot at home or in my
car or somewhere else.
Double + 1 that number to account for rollover, and I'll already want to have
up to 7 registered at times, for any account that's super-critical.
Yes, that's about how many copies of physical keys for locks that I like to get
made, because I lose those, too.
Could I live with a limit of 10? Yeah, probably.
Which is more important: keeping bad actors out, or letting authorized users in?
All I'm hearing during this discussion is protecting accounts against
hypothetical compromise (with IIRC no evidence this has ever happened, or any
negative outcome has occurred previously) with no consideration of people who
have unusual needs.
(Some of those needs, definitely not all, are referred to in American law as
"disabilities", btw. I hope someone at ARIN has thought about how the proposed
2FA scheme complies with the ADA?)
-Adam
Get Outlook for Android<https://aka.ms/AAb9ysg>
________________________________
From: ARIN-consult
<[email protected]<mailto:[email protected]>> on behalf
of Richard Laager <[email protected]<mailto:[email protected]>>
Sent: Tuesday, January 24, 2023 2:22:43 PM
To: [email protected]<mailto:[email protected]>
<[email protected]<mailto:[email protected]>>
Subject: Re: [ARIN-consult] [ARIN-Consult] Consultation on Expanding 2FA
Options for ARIN Online
On 1/24/23 12:56, Adam Thompson wrote:
Why on earth would you set a hard-coded limit? It's not like an additional
database table is expensive.
While, in general, I understand this sentiment (real world cardinality is
usually: 1, 2, or many), I do see two counterpoints. Even speaking in general,
it is sometimes useful to define a limit for testing purposes. If you say, "We
support 5", then you are hopefully actually testing 5.
In this particular situation, I think the following argument is even more
relevant:
On 1/24/23 14:02, Tim Lyons via ARIN-consult wrote:
In terms of allowing the registration of multiple hardware security keys, I
suggest allowing a maximum of 3 keys to be registered. This provides backup
options in case a user loses or misplaces their primary key but encourages
users to be cognizant of deleting old keys that have been lots or become
non-functional.
--
Richard
_______________________________________________
ARIN-Consult
You are receiving this message because you are subscribed to the ARIN Consult
Mailing
List ([email protected]<mailto:[email protected]>).
Unsubscribe or manage your mailing list subscription at:
https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN
Member Services
Help Desk at [email protected]<mailto:[email protected]> if you experience any issues.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://lists.arin.net/pipermail/arin-consult/attachments/20230124/0fc4c123/attachment.htm>
------------------------------
Subject: Digest Footer
_______________________________________________
ARIN-consult mailing list
[email protected]
https://lists.arin.net/mailman/listinfo/arin-consult
------------------------------
End of ARIN-consult Digest, Vol 96, Issue 14
********************************************
