Today's Topics:

   1. Re: Consultation on Expanding 2FA Options for ARIN Online
      (Richard Laager)
   2. Re: Consultation on Expanding 2FA Options for ARIN Online
      (Raymond Burkholder)
   3. Re: Consultation on Expanding 2FA Options for ARIN Online
      (David Farmer)
   4. Re: Consultation on Expanding 2FA Options for ARIN Online
      (Glen A. Pearce)
   5. Re: [General-members] Consultation on Expanding 2FA Options
      for ARIN Online (Glen A. Pearce)


----------------------------------------------------------------------

Message: 1
Date: Tue, 24 Jan 2023 19:15:55 -0600
From: Richard Laager <rlaa...@wiktel.com>
To: "arin-consult@arin.net" <arin-consult@arin.net>
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for
        ARIN Online
Message-ID: <7af788ef-3362-83bf-8a1a-87c8d0223...@wiktel.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 1/24/23 12:53, ARIN wrote:
> 1. Would you support ARIN offering email as an additional 2FA method?

No. As mentioned, if email can reset the password, then it's really only 
one factor. Even non-technical users should be able to use something 
else, like SMS.

> 2. Given that 13% of web user accounts list phone numbers outside the ARIN 
> service region, should we widen the availability of SMS, or are the other 
> offered 2FA options sufficient to meet the needs of these users?

While I could be persuaded otherwise, my gut feeling is "no". Saying 
"yes" feels like opening a can of worms. Is ARIN going to make some 
determination country-by-country as to whether their SMS security is 
good enough?

I realize this does mean that people outside of the ARIN region are 
forced into using the more complicated methods. I'm guessing (but it is 
just a guess) that organizations with people administering resources 
outside of their local region are likely more sophisticated anyway.

David Farmer mentioned "technology restrictions or embargos on the more 
secure FIDO or TOTP technologies". Is that actually a thing? I don't 
think that should be a consideration if it's only hypothetical.

I would like to see 2FA required. (It's still optional today, I assume.) 
If I'm forced to choose between:
   A) Allow worldwide SMS. Require 2FA for everyone.
   B) Disallow worldwide SMS. Do not require 2FA for everyone.
I might be more inclined to pick A.

> 3. We agree that users should be allowed to register multiple hardware 
> security keys. The question is: What is the optimal number of keys that 
> should be allowed to be registered?

Absolutely not less than two. You need two for rollover and may want two 
for backup. Three or four seems like a more reasonable minimum. Nine or 
ten seems like a reasonable maximum, such that ARIN's developers can at 
least occasionally test that scenario.

-- 
Richard
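Richard's "really only one factor" point, worked through as an added example that is not from the original thread or from ARIN: under a constructed policy in which the mailbox can reset the password, it brute-forces the smallest set of channels an attacker must control to log in, and shows that count dropping to one when email is also offered as the second factor.

```python
from itertools import combinations

# Constructed model of one account's authentication policy, not ARIN's
# actual implementation: the channels an attacker would have to take over,
# and the rule deciding whether a set of controlled channels yields a login.
CHANNELS = ("password", "email", "sms", "totp", "fido")


def can_log_in(compromised, second_factors, email_resets_password):
    """True if controlling the `compromised` channels is enough to log in.

    Login needs the password plus any one enrolled second factor. If the
    password can be reset from the mailbox, controlling email also yields
    the password, which is the collapse described above.
    """
    have = set(compromised)
    if email_resets_password and "email" in have:
        have.add("password")
    return "password" in have and any(f in have for f in second_factors)


def minimal_breakins(second_factors, email_resets_password=True):
    """Smallest channel sets an attacker must control, and their size.

    Tries every subset of CHANNELS in increasing size and returns the first
    size at which some subset succeeds: the effective number of factors.
    """
    for size in range(1, len(CHANNELS) + 1):
        hits = [c for c in combinations(CHANNELS, size)
                if can_log_in(c, second_factors, email_resets_password)]
        if hits:
            return size, hits
    return None, []


if __name__ == "__main__":
    # Email offered as a second factor while email can also reset the password:
    print(minimal_breakins({"email", "sms", "totp"}))        # size 1: email alone
    # Same enrolment, but password reset does not go through email:
    print(minimal_breakins({"email", "sms", "totp"}, False))  # size 2
    # Only SMS and TOTP enrolled, email reset still present:
    print(minimal_breakins({"sms", "totp"}))                  # size 2
```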



------------------------------

Message: 2
Date: Tue, 24 Jan 2023 18:25:49 -0700
From: Raymond Burkholder <r...@oneunified.net>
To: arin-consult@arin.net
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for
        ARIN Online
Message-ID: <79ebc855-ef69-8696-8fec-aeccf4502...@oneunified.net>
Content-Type: text/plain; charset=UTF-8; format=flowed



On 1/24/23 11:53, ARIN wrote:
> On 1 November 2022, ARIN announced that we will require two-factor 
> authentication (2FA) on all ARIN Online accounts beginning 1 February 
> 2023. ARIN currently has three options for customers to set up 2FA on their 
> ARIN Online accounts:
>
> - Time-based One-time Password (TOTP) using an authenticator of your choice
> - Short Message Service (SMS) for customers within the ARIN service region
> - FIDO2/Passkey-enabled Security Key
>
> Please note: Voice 2FA is not currently available for new 2FA activations; it 
> is still available to those customers who already have that method set up on 
> their accounts.
>
> Following the announcement of the planned enforcement date of 1 February 
> 2023, we received several suggestions for further expansion of our 
> authentication offerings, including:
>
> - Allowing email as an authentication method
> - Enabling SMS support for customers who reside outside of the ARIN service 
> region
> - Allowing registration of multiple hardware security keys.
>
> We are seeking community feedback on these suggestions as well as additional 
> input on our 2FA options. Specifically:
Flexibility is good. I may or may not have a phone. I may have left my 
key ring somewhere. I may not have access to email.

>
> 1. Would you support ARIN offering email as an additional 2FA method?

It would be my preferred mechanism. My email is hosted by my org so I 
classify it as rather safe, and less of a risk. For those with email 
hosted on a public facility of some sort, perhaps the risk is higher.

So... who gets to define the risk for any of the options provided? Is it 
a risk managed by the user on an individual basis, or is it a risk taken 
on by ARIN? What does ARIN perceive as a risk? Are they seeing any 
particular method as having more risk for account access than any other?

Credit card companies and banks seem to accept email and SMS as suitable 
propositions.

In addition, some will do a follow up with one or more personally 
identified question/answer exchanges for further verification.

>
> 2. Given that 13% of web user accounts list phone numbers outside the ARIN 
> service region, should we widen the availability of SMS, or are the other 
> offered 2FA options sufficient to meet the needs of these users?

Are there extra costs for the widened availability of SMS? If I happen 
to be roaming in a country away from my home base, it would be helpful 
to sometimes have SMS as an alternative to my email. Or even a voice 
call interaction.

>
> 3. We agree that users should be allowed to register multiple hardware 
> security keys. The question is: What is the optimal number of keys that 
> should be allowed to be registered?

Maybe start implementation and see how the system is used or abused, and 
then establish it from an evidence-based scenario?

>
> The feedback you provide during this consultation will help us decide the 
> path forward regarding our 2FA options for ARIN Online. Thank you for your 
> participation in the ARIN Consultation and Suggestion Process.
>
> Please provide comments to arin-consult@arin.net. You can subscribe to this 
> mailing list at: https://lists.arin.net/mailman/listinfo/arin-consult
>
> This consultation will remain open through 5:00 PM ET on 7 February 2023.
>
> Regards,
>
> John Curran
> President and CEO
> American Registry for Internet Numbers (ARIN)
>
> Helpful Resources:
>
> Consultation: 
> https://www.arin.net/participate/community/acsp/consultations/2023/2023-1/
> Two-Factor Authentication at ARIN: https://arin.net/2FA



------------------------------

Message: 3
Date: Tue, 24 Jan 2023 20:40:54 -0600
From: David Farmer <far...@umn.edu>
To: Richard Laager <rlaa...@wiktel.com>
Cc: "arin-consult@arin.net" <arin-consult@arin.net>
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for
        ARIN Online
Message-ID:
        <can-dau2_5bwacsonbs3jdy2kb1ikjdmpj_wzzfnjcw946q6...@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

On Tue, Jan 24, 2023 at 19:16 Richard Laager <rlaa...@wiktel.com> wrote:

>
> David Farmer mentioned "technology restrictions or embargos on the more
> secure FIDO or TOTP technologies". Is that actually a thing? I don't
> think that should be a consideration if it's only hypothetical.


I don't know that FIDO or TOTP are controlled technologies, but DUO, a
similar authentication technology, is; see the following:

https://help.duo.com/s/article/7544?language=en_US

Furthermore, I don't believe ARIN can do business with entities from these
countries anyway, so from a practical perspective it could be a non-issue.
But these kinds of issues are more than just hypothetical; whether or not
they apply to the FIDO or TOTP technologies today, they could at some
future date. And I have no idea if some more totalitarian regimes even
allow the use of FIDO or TOTP technologies; it wouldn't be surprising if
they didn't.

Thanks.

> --
===============================================
David Farmer               Email:far...@umn.edu
Networking & Telecommunication Services
Office of Information Technology
University of Minnesota
2218 University Ave SE        Phone: 612-626-0815
Minneapolis, MN 55414-3029   Cell: 612-812-9952
===============================================

------------------------------

Message: 4
Date: Wed, 25 Jan 2023 05:45:20 -0600
From: "Glen A. Pearce" <arin-cons...@ve4.ca>
To: arin-consult@arin.net
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for
        ARIN Online
Message-ID: <395901ee-1b0d-4266-7b4e-8349d34fb...@ve4.ca>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 24/01/2023 12:53 p.m., ARIN wrote:
> We are seeking community feedback on these suggestions as well as additional 
> input on our 2FA options. Specifically:
>
> 1. Would you support ARIN offering email as an additional 2FA method?

Yes, giving people more choices is better. As I said in the previous 
consultation, I would have preferred if 2FA hadn't been made mandatory, 
but if it is, anything that makes it easier should one of the other 
methods not work is better.

When I went to add SMS as my 2FA early this month, neither of the 
numbers I submitted (each with different providers) got the test 
messages initially. When I submitted a ticket about the issue, the 
initial response I got was an obvious boilerplate answer; it contained 
phrasing like "Please note that ARIN only supports SMS inside our 
region", but both numbers I tried were Canadian numbers. (Being that 
Canada is the largest country in the ARIN region, we should be hard to 
miss. ^_-)

Since it looked like the problem was not going to be fixed based on that 
response, I sent a reply asking if new activations of the voice call 
authentication would be available before the Feb. 1 deadline or, if they 
were not, whether the deadline would be extended until after it has been 
restored.

5 days later I finally got contacted back saying that you had some 
configuration issues at your end and to try SMS again. Everything works 
now, but having those issues sending SMS that close to a deadline I have 
no control of at my end was a bit concerning. Concerning enough that I 
ordered a Yubikey just in case it wasn't fixed (as it would take time to 
arrive here in the mail); that got shipped earlier the day ARIN replied 
to me, so it was too late to cancel the order for it. So now I've got a 
Yubikey that I really didn't have to order currently sitting in my "mail 
quarantine" area.

At this point I'm not sure if I should at some point switch to using the 
Yubikey since I have it now anyway, or if it should be put aside in case 
it's needed for something else at some point, or if it should be sold.

As for people hijacking SMS messages, I used a lesser known number out 
of my available choices so somebody wouldn't even know what number they 
need to hijack or from which provider.

> 2. Given that 13% of web user accounts list phone numbers outside the ARIN 
> service region, should we widen the availability of SMS, or are the other 
> offered 2FA options sufficient to meet the needs of these users?

If E-mail is allowed to be used for 2FA, that might not be needed, but 
if it is not, I might encourage SMS coverage to be expanded to anywhere 
that it is feasible to do so.

> 3. We agree that users should be allowed to register multiple hardware 
> security keys. The question is: What is the optimal number of keys that 
> should be allowed to be registered?

Not sure what the hard limit should be, but allowing multiple keys for 
those that choose that option would be a good idea, as even very small 
organizations would probably want to have more than one locked up at 
more than one location for disaster recovery situations.

> The feedback you provide during this consultation will help us decide the 
> path forward regarding our 2FA options for ARIN Online. Thank you for your 
> participation in the ARIN Consultation and Suggestion Process.
>
> Please provide comments to arin-consult@arin.net. You can subscribe to this 
> mailing list at: https://lists.arin.net/mailman/listinfo/arin-consult
>
> This consultation will remain open through 5:00 PM ET on 7 February 2023.
>
> Regards,
>
> John Curran
> President and CEO
> American Registry for Internet Numbers (ARIN)
>
> Helpful Resources:
>
> Consultation: 
> https://www.arin.net/participate/community/acsp/consultations/2023/2023-1/
> Two-Factor Authentication at ARIN: https://arin.net/2FA

-- 
Glen A. Pearce
g...@ve4.ca
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees
http://www.ve4.ca
ARIN Handle VET-17



------------------------------

Message: 5
Date: Wed, 25 Jan 2023 05:48:44 -0600
From: "Glen A. Pearce" <arin-cons...@ve4.ca>
To: arin-consult@arin.net
Subject: Re: [ARIN-consult] [General-members] Consultation on
        Expanding 2FA Options for ARIN Online
Message-ID: <8991f67d-8384-d3b0-0606-ecc5c67a5...@ve4.ca>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 24/01/2023 12:56 p.m., Adam Thompson wrote:
>
>> 3. We agree that users should be allowed to register multiple hardware 
>> security keys. The question is: What is the optimal number of keys that 
>> should be allowed to be registered?
> Functionally infinite.  Why on earth would you set a hard-coded limit?  It's 
> not like an additional database table is expensive.  If you have to set a 
> limit, it should be something large like 2^32.
I'm pretty sure budgetary limitations would kick in well before that 
point, even for fairly large organizations. ^_-

-- 
Glen A. Pearce
g...@ve4.ca
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees
http://www.ve4.ca
ARIN Handle VET-17



------------------------------

------------------------------

End of ARIN-consult Digest, Vol 96, Issue 17
********************************************
