FYI - 2FA to become mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

NANOGers -

A consultation opened today on potentially requiring use of 2-factor authentication to login into ARIN Online – this would take place once SMS 2FA is deployed. If you think that this is: a) a great idea, b) a bad idea, c) anything else, then feel free to subscribe to the arin-consult mailing list (open to all at http://lists.arin.net/mailman/listinfo/arin-consult) and provide your feedback.

Best wishes,
/John

John Curran
President and CEO
American Registry for Internet Numbers

It's 2022. Do we really still need a consultation on why mandatory 2FA is a good thing? Even more so for something like ARIN?

Matt Harris
VP of Infrastructure
816-256-5446 (Direct)


* nanog@nanog.org (Laura Smith via NANOG) [Tue 24 May 2022, 22:22 CEST]:

It's 2022. Do we really still need a consultation on why mandatory 2FA is a good thing? Even more so for something like ARIN?

To many of us in 2022 it's clear that SMS 2FA isn't necessarily a good way to protect critical infrastructure, but apparently ARIN does need a consultation for that.

  -- Niels.

Niels -

I can think of several reasons why "SMS 2FA isn't necessarily a good way to protect critical infrastructure"…

Of course, there's also the point that requiring 2FA for everyone – even if just SMS – would still be a superior state of affairs than the present condition (wherein 97% of ARIN Online users rely on just a password, and this despite 2FA via TOTP being available for ARIN Online accounts for years…)

There could easily be some operational concerns resulting from making 2FA authentication mandatory of which we on the ARIN staff are not aware, so we conduct a consultation. Your voice can be part of that consultation, but again it’s taking place on arin-consult mailing list (open to all) – not here.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers


What about optional additional second factor of sending out an email with digits to enter or a link to confirm login / some other critical operation?

FIDO2.

Most services that implement 2FA using SMS and/or Email have been
compromised multiple times.

Services that implement 2FA using TOTP or even App-based Push Notifications
have not.

If someone has your ARIN login, and you use the same passwords on ARIN as
you do with your email provider, then they have access to your email
account. And they can impersonate you to ARIN using the emailed code.

Beckman

I'm in full support of ARIN implementing FIDO2 IN ADDITION TO TOTP 2FA.

  For the uninitiated -- FIDO2 requires you to have one of the following in
  order for you to log into your ARIN account:

     - A security key (like Yubikey): USB, NFC, Bluetooth
     - A mobile device capable of biometric confirmation (FaceID, TouchID,
       etc)

  FIDO2 does NOT support older browsers, text-based browsers, and generally
  non-mainstream modern devices.

  Not to be confused with FIDO U2F, which is basically what TOTP 2FA is,
  just implemented differently.

Beckman

FIDO U2F is materially different from TOTP 2FA.

With TOTP, there is no cryptographic validation of the requester / server. A user can be fooled into providing a TOTP code to the wrong site, or via phishing, or by an attacker simply making repeated authentication requests in the middle of the night until the user gets exasperated and provides the code.

By contrast, even the original FIDO U2F spec authenticates the ‘origin’ - the server being authenticated to. I’m glossing over the details, but in essence, the browser compares the cryptographic signature, and if it doesn’t match the expected origin, it won’t complete the authentication.

It is this property that virtually eliminated an entire class of phishing at Google:

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

TOTP does not have equivalent phishing resistance.
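The difference described above can be made concrete in code. The following is an added example, not code from the thread or from ARIN: it implements TOTP per RFC 6238 (checked against the RFC's published test vectors) beside a deliberately simplified U2F/WebAuthn-style assertion in which the browser, not the user, writes the origin it is actually connected to into the signed client data. An HMAC with a per-credential key stands in for the authenticator's ECDSA signature (an assumption made to keep the example to the standard library; the point is what gets signed, not the primitive), and the origin strings, challenge and credential key are constructed values. The `relay_attack_outcomes` function shows why a relayed TOTP code is accepted by the real site while a relayed FIDO assertion is rejected.

```python
import base64
import hashlib
import hmac
import json
import struct
from dataclasses import dataclass


# ---- TOTP (RFC 6238 on top of RFC 4226 HOTP): HMAC-SHA1, 30 s step ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from wall-clock time only.
    Nothing about *where* the code is typed enters the computation."""
    return hotp(secret, unix_time // step, digits)


def totp_verify(secret: bytes, code: str, unix_time: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check allowing +/- `window` time steps of clock skew."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step), code)
        for k in range(-window, window + 1)
    )


# ---- Simplified U2F/WebAuthn-style assertion with origin binding ----
# Assumption: a symmetric HMAC stands in for the authenticator's ECDSA signature.
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


@dataclass
class Assertion:
    client_data: bytes  # JSON the browser builds: type, challenge, origin
    signature: bytes    # authenticator's signature over SHA-256(client_data)


def browser_sign(cred_key: bytes, actual_origin: str, challenge: bytes) -> Assertion:
    """The browser records the origin it is really talking to; the user cannot override it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": _b64url(challenge), "origin": actual_origin},
        sort_keys=True,
    ).encode()
    digest = hashlib.sha256(client_data).digest()
    return Assertion(client_data, hmac.new(cred_key, digest, hashlib.sha256).digest())


def relying_party_verify(cred_key: bytes, expected_origin: str, challenge: bytes, a: Assertion) -> bool:
    """Relying party checks type, origin and challenge before trusting the signature."""
    try:
        data = json.loads(a.client_data)
    except ValueError:
        return False
    if data.get("type") != "webauthn.get":
        return False
    if data.get("origin") != expected_origin:        # the phishing-resistance check
        return False
    if data.get("challenge") != _b64url(challenge):  # replay protection
        return False
    digest = hashlib.sha256(a.client_data).digest()
    expected = hmac.new(cred_key, digest, hashlib.sha256).digest()
    return hmac.compare_digest(expected, a.signature)


def relay_attack_outcomes() -> dict:
    """Constructed scenario: a lookalike site relays whatever the user produces
    to the real site. Returns whether the real site accepts each factor."""
    real = "https://account.example"                  # constructed origin
    fake = "https://account.example.phish-test"       # constructed lookalike origin
    secret = b"12345678901234567890"                  # RFC 6238 test-vector secret
    cred_key = b"constructed-credential-key"
    now = 1_650_000_000
    # TOTP: the code carries no origin, so a code relayed from the fake site is accepted.
    relayed_code = totp(secret, now)
    totp_relayed_ok = totp_verify(secret, relayed_code, now)
    # FIDO: the real site's challenge is relayed, but the browser signs the fake origin.
    challenge = hashlib.sha256(b"constructed-challenge").digest()
    relayed_assertion = browser_sign(cred_key, fake, challenge)
    fido_relayed_ok = relying_party_verify(cred_key, real, challenge, relayed_assertion)
    # Genuine login straight to the real site still works.
    genuine = browser_sign(cred_key, real, challenge)
    fido_direct_ok = relying_party_verify(cred_key, real, challenge, genuine)
    return {"totp_relayed": totp_relayed_ok, "fido_relayed": fido_relayed_ok, "fido_direct": fido_direct_ok}


if __name__ == "__main__":
    print(relay_attack_outcomes())
```

Running the module prints `{'totp_relayed': True, 'fido_relayed': False, 'fido_direct': True}`: the TOTP code is a bare six-digit value that verifies wherever it is entered, whereas the relying party never even reaches the signature check for the relayed assertion because the origin field in the signed client data is not the one it expects.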

As a reminder -

There could easily be some operational concerns resulting from making 2FA authentication mandatory of which we on the ARIN staff are not aware, so we conduct a consultation. Your voice can be part of that consultation, but again it’s taking place on arin-consult mailing list (open to all) – not here.

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers

Hello,
I am not in the ARIN region but I have attended a few ARIN meetings.
As a comment, I live in a country where mobile roaming does not exist; therefore, when 2FA only works with SMS I cannot use the service. Having said that, please consider at least one more way to perform 2FA, maybe sending a code to the email address or something else.

My two cents,

Alejandro,
PS If you have already thought about this sorry for the noise.


I use Google Authenticator with arin.net

randy

There's also the RedHat supported app FreeOTP.

-Jim P.