Send ARIN-consult mailing list submissions to
[email protected]
To subscribe or unsubscribe via the World Wide Web, visit
https://lists.arin.net/mailman/listinfo/arin-consult
or, via email, send a message with subject or body 'help' to
[email protected]
You can reach the person managing the list at
[email protected]
When replying, please edit your Subject line so it is more specific
than "Re: Contents of ARIN-consult digest..."
Today's Topics:
1. Re: Consultation on Expanding 2FA Options for ARIN Online
(Glen A. Pearce)
2. Re: Consultation on Expanding 2FA Options for ARIN Online
(Glen A. Pearce)
3. Re: [ARIN-Consult] Consultation on Expanding 2FA Options for
ARIN Online (Glen A. Pearce)
4. Re: Consultation on Expanding 2FA Options for ARIN Online
(Glen A. Pearce)
----------------------------------------------------------------------
Message: 1
Date: Wed, 25 Jan 2023 05:55:19 -0600
From: "Glen A. Pearce" <[email protected]>
To: [email protected]
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for
ARIN Online
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
On 24/01/2023 1:16 p.m., Ross Tajvar wrote:
> > 1. Would you support ARIN offering email as an additional 2FA method?
> *No.* Email can be used to reset one's password. If it's used for
> one-time login codes as well, that's only one authentication factor.
> An email compromise could therefore easily result in account takeover,
> which defeats the purpose of 2FA.
Perhaps allow it with a specification that the E-mail address used for 2FA
be a different one than the E-mail address used for account recovery and an
explanation so that people understand why it has to be a separate address.
Also include a suggestion that (like everything else) for this reason
passwords should not be re-used.
--
Glen A. Pearce
[email protected]
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees
http://www.ve4.ca
ARIN Handle VET-17
------------------------------
Message: 2
Date: Wed, 25 Jan 2023 06:14:25 -0600
From: "Glen A. Pearce" <[email protected]>
To: [email protected]
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for
ARIN Online
Message-ID: <[email protected]>
Content-Type: text/plain; charset=UTF-8; format=flowed
On 24/01/2023 3:39 p.m., Chris Woodfield wrote:
> Would requiring TOTP/FIDO (and not allowing SMS) be more palatable if
> ARIN were able/willing to furnish yubikeys (or alternate
> authenticators) to users free of charge? I don't know what these cost
> in bulk nowadays, but it's probably right on the edge of reasonable
> for this use case.
When I recently bought a Yubikey the pricing per unit was the same whether
1 was purchased or 1000s. There appears to be no "bulk" price.
Ultimately ARIN providing them would just eventually get reflected in our
fees so as ARIN members we'd still end up paying for them anyway, no
advantage to even doing a group purchase.
--
Glen A. Pearce
[email protected]
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees
http://www.ve4.ca
ARIN Handle VET-17
------------------------------
Message: 3
Date: Wed, 25 Jan 2023 06:37:30 -0600
From: "Glen A. Pearce" <[email protected]>
To: [email protected]
Subject: Re: [ARIN-consult] [ARIN-Consult] Consultation on Expanding
2FA Options for ARIN Online
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
On 24/01/2023 3:40 p.m., Adam Thompson wrote:
>
> I DO NOT WANT SECURITY that presents any significant chance of denying
> me access to my own accounts and resources. SMS or email-based 2FA
> schemes are a giant PITA, but both are fairly easily recoverable when
> (not if) I lose access to them. Are they good 2FA? No. Absolutely
> not. Are they better than nothing? Yes.
>
> This entire discussion feels like https://xkcd.com/538/ to me. If
> someone wants access to my ARIN resources, one of the easier ways in
> would be to physically threaten me or my family, and the best 2FA
> implementations in the world do nothing (AFAIK) to protect against
> that. The specific technique or technology involved won't make any
> difference.
>
Pretty much my point in the previous consultation:
https://lists.arin.net/pipermail/arin-consult/2022-May/001665.html
Intruder traps or me carrying a firearm would probably do more to secure my
ARIN account (as a side effect of securing myself and my premises) than any
2FA would. Both of these measures pose...issues...under Canadian law
though...
Even the part from the mouse-over comment on that comic:
>Actual actual reality: nobody cares about his secrets.
Lines up with my comment:
>That said although IP space is valuable I don't think we are anywhere
>near people being kidnapped over it, especially a /24 that isn't eligible
>for a specified transfer for another 3 years.
--
Glen A. Pearce
[email protected]
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees
http://www.ve4.ca
ARIN Handle VET-17
------------------------------
Message: 4
Date: Wed, 25 Jan 2023 07:20:48 -0600
From: "Glen A. Pearce" <[email protected]>
To: [email protected]
Subject: Re: [ARIN-consult] Consultation on Expanding 2FA Options for
ARIN Online
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
On 24/01/2023 2:06 p.m., Adam Thompson wrote:
>
> P.S. Speaking of humans behaving suboptimally, Voicenetwork.ca -
> please do better. Mailing lists should never feed directly into your
> ticket system.
>
I suspect what happened there is:
#1: Someone who worked at Voicenetwork.ca subscribed their work E-mail to
    this list thinking that they would be working there forever.
#2: Their employment at Voicenetwork.ca ended on sufficiently short notice
    they were not able to unsubscribe the work E-mail address from any
    lists it was on. (Or possibly they forgot to when they left the
    company.)
#3: Voicenetwork.ca has a default policy of re-directing the E-mails of any
    former employees to a general address (that is attached to the
    ticketing system) to catch E-mails from any customers that might try
    contacting said employee.
A good preventative fix for this is for everyone to use a domain that you
yourself own when subscribing to mailing lists rather than an employer
controlled E-mail address that you could lose access to on short notice for
reasons that can't be anticipated in advance. (Other people's decisions can
be unpredictable and arbitrary.)
Of course this doesn't apply if you _own_ the associated business but for
anyone else getting your own domain might spare mailing lists you are on
from this problem.
--
Glen A. Pearce
[email protected]
Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk.
Very Eager 4 Tees
http://www.ve4.ca
ARIN Handle VET-17
------------------------------
End of ARIN-consult Digest, Vol 96, Issue 18
********************************************