[ARIN-consult] ACSP Consultation: Advanced Security Features for ARIN Online

Rob Seastrom rs at seastrom.com
Thu Apr 16 17:46:29 EDT 2020



> On Apr 16, 2020, at 3:13 PM, William Herrin <bill at herrin.us> wrote:
> 
>>     * 2019.14: Implement FIDO2 (WebAuthn) for ARIN Online:
>> https://www.arin.net/participate/community/acsp/suggestions/2019-14/
> 
> This is flavor-of-the-month. There will be something better next year.
> And the year after that. Is it a good one? Enough better than what
> you're doing now to be worthwhile? I don't know. But it's very
> flavor-of-the-month.

Respectfully disagree on all counts.  FIDO has been around since 2013.

The reason it feels like “flavor of the month” to you is the recent mindset tipping point which has resulted in more or less universal browser support (made it into Safari including mobile with iOS 13.3; Chrome and Firefox have supported it for much longer) and OpenSSH 8.2.  At least two of the big public clouds support it.  login.gov has been supporting it since September 2018 - https://fidoalliance.org/webinar-deployment-case-study-login-gov-fido2/

As was noted elsewhere in this thread, ARIN already supports RFC 6238 (TOTP) MFA, which is coming up on 9 years since its informational RFC was published.  Not to take away from TOTP, which is far better than no second factor, but there are multiple technological advantages to FIDO2 by comparison, chief among them being hard token reusability across multiple services.

Expanding the list of supported MFA schemes to include FIDO2, and sunsetting the creation of new SMS-as-second-factor accounts (while continuing to support it and perhaps laying in an EOL date) is precisely the kind of evolution-to-suit-the-times thing that we should do periodically.

-r

