Hi Benedikt,
this must be solved simultaneously. It's better to have multiple
authentication elements for one account. Currently, you have only one
method (TOTP) and only a single authenticator linked to your account. And
you have a recovery code, which you must have noted somewhere in case the
only authenticator fails - and such a recovery code can be used to bypass
MFA in the current implementation. It's necessary to have the possibility of
having multiple elements (primary, backup) and to remove recovery codes
completely.
Otherwise it won't be safe in terms of what MFA has to offer. If the
organization has a shared account (which is also a failure) and the
recovery code leaks just like the password, you have a similar problem
again...
- Daniel
On 1/4/24 12:21, Benedikt Neuffer wrote:
Hi Daniel,
I agree that in the long term, support for FIDO2/WebAuthn would be
beneficial. However, as long as a LIR is unable to mandate 2FA or audit
whether all accounts have enabled 2FA, methods other than TOTP do not
help prevent accounts from disabling 2FA again.
RIPE NCC should begin by addressing the basic requirements, and then
gradually introduce additional functionalities.
Regards,
Benedikt
On 04.01.24 12:10, Daniel Suchy via ncc-services-wg wrote:
Hello,
I agree with the MFA requirement in general, but RIPE should also
implement more methods here and not rely only on TOTP. It's
necessary to admit that the development hasn't progressed here too
much...
There are modern MFA methods like FIDO2/WebAuthn already; unfortunately,
RIPE Access doesn't implement them. There should also be the opportunity to
have multiple methods activated concurrently (to have a choice between
multiple tokens, for example) - similarly to the implementations at
Google/GitHub etc.
- Daniel
On 1/4/24 11:04, Benedikt Neuffer wrote:
Happy New Year, everyone!
However, the year begins with some concerning news: RIPE NCC has
announced a Security Breach Investigation[0]. It likely relates to
the incident where Orange Spain lost credentials[1][2]. This topic
has been discussed in the unofficial RIPE Telegram chat[3] and the
German network community on Telegram[4], on the discussion mailing
list[5][6] and in a lot of other places.
The primary issue in this case was the lack of 2FA usage. We must not
allow ourselves to be distracted by the debate over weak passwords.
Even strong passwords can be compromised.
A while ago, I raised a concern with RIPE NCC about the inability to
check if 2FA is activated for an account linked to a LIR. It’s also
not possible to enforce 2FA for accounts associated with a maintainer
object in RIPE DB. Unfortunately, there has been no progress or
action taken on this matter yet.
After some thought, I've come to the conclusion that RIPE NCC's
services are so essential to the internet that enforcing 2FA for RIPE
NCC Access accounts globally should be considered.
So, I propose a discussion urging RIPE NCC to either enforce 2FA on
RIPE NCC access accounts globally, allow a LIR to enforce 2FA for
linked RIPE NCC Access accounts, or at the very least, provide
visibility in the LIR portal to identify which linked accounts have
not activated 2FA.
To be honest, I don't get the impression that RIPE NCC takes the
security of RIPE NCC Access accounts very seriously. How can we, as a
community, influence RIPE NCC in this regard? Would it be possible,
for example, to develop a policy in the RIPE NCC Services WG that
enforces 2FA for RIPE NCC Access accounts?
Kind Regards,
Benedikt
[0] https://www.ripe.net/publications/news/ripe-ncc-access-security-breach-investigation
[1] https://twitter.com/Ms_Snow_OwO/status/1742357282917109928
[2] https://twitter.com/vxunderground/status/1742704099035160612?t=GkJ0_jiIGI3NEDGcV7021g
[3] https://t.me/ripe_chat
[4] https://t.me/bgpde
[5] https://www.ripe.net/ripe/mail/archives/ripe-list-unmoderated/2024-January/005920.html
[6] https://www.ripe.net/ripe/mail/archives/ripe-list-unmoderated/2024-January/005923.html