[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

[Adam Thompson]

SMS-based authentication is fine, as long as:
a) it isn't limited to a maximum of one phone number, 
b) ARIN doesn't mistakenly try to determine what #s are truly cell phones (vs. floating #s, voip systems, etc.) and 
c) choice of 2FA system (SMS vs OTP) isn't an XOR selection, i.e. any supported 2FA system can be used to login at any given time.

I spend a non-negligible amount of time working in areas without cell phone reception, and/or where I need a different SIM card (and thus phone#) to get service - I can have to up 3 valid cell#s at any given time, only 1 or 2 of which might be active/reachable/valid at the moment.

Then, some other websites have determined that one of my cell#s isn't really a cell#, so refuse to send SMS messages there... kind of a problem.  I don't know what database or service they use, and I've found no way around the problem so far.  (For those about to comment, it's an OTT follow-me phone#, not a standard cell#.  I still get and send SMS messages there through a separate app.)

Beyond the sheer usability problems when you aren't in a populated area, and/or aren't working inside accidental faraday cages (e.g. one of the sites I visit), SMS has a whole host of security concerns.  It's still better than **nothing at all**, but IMHO should be considered a stop-gap measure.

I believe TOTP and/or FIDO both require significant user education, even among ARIN users, and AFAIK no user-friendly guides exist today.

-Adam

Adam Thompson
Consultant, Infrastructure Services
MERLIN
100 - 135 Innovation Drive
Winnipeg, MB R3T 6A8
(204) 977-6824 or 1-800-430-6404 (MB only)
https://www.merlin.mb.ca
Chat with me on Teams: athompson at merlin.mb.ca

> -----Original Message-----
> From: ARIN-announce <arin-announce-bounces at arin.net> On Behalf Of ARIN
> Sent: Tuesday, May 24, 2022 11:46 AM
> To: arin-announce at arin.net
> Subject: [arin-announce] Consultation on Requiring Two-Factor
> Authentication (2FA) for ARIN Online Accounts
> 
> **Background**
> 
> In 2015, ARIN deployed a Time-Based One-Time password (TOTP)
> implementation of Two-Factor Authentication (2FA). Since the time of
> implementing that login security feature, 3.2 percent of ARIN Online
> users have opted to use 2FA with their accounts.
> 
> Since October 2020, the ARIN Online system has been subject to a
> series of dictionary-based password guessing attacks. In March of
> 2021, we conducted ACSP Consultation 2021.2: Password Security for
> ARIN Online Accounts
> (https://www.arin.net/participate/community/acsp/consultations/2021/20
> 21-2/) on proposed improvements to increase account security. This
> consultation resulted in an agreement to move forward with several
> improvements that have subsequently been deployed. However, we
> continue to see frequent attacks on our log-in systems, and ARIN staff
> continues to be heavily engaged in mitigating these attacks. Accounts
> not using 2FA are susceptible to these attacks. We recently updated
> the community on this topic during ARIN 49 held in Nashville and
> online in April. You can review this information from the ARIN 49
> Meeting Report (https://www.arin.net/participate/meetings/ARIN49/) by
> looking for the presentation titled “Brute Force Login Attacks”.
> 
> It is our intention to make 2FA mandatory for all existing and new
> ARIN Online accounts going forward. The security of ARIN Online
> accounts is paramount to the success of the registry, and we do not
> believe it is tenable to continue without making 2FA required for all
> ARIN Online accounts.
> 
> We are currently developing a second method of 2FA use with ARIN
> Online to add to our long-deployed TOTP implementation. In the coming
> months, we will deploy a Short Message Service (SMS) 2FA
> implementation, thereby adding a second 2FA option for ARIN Online
> users. At that time, users will be able to choose between two types of
> 2FA – SMS and TOTP.   Adoption of TOTP 2FA has been limited in part
> due to perceived complexity, and the addition of SMS-based 2FA will
> provide a second option that is easier to use for many customers – and
> provide much more protection than the simple username-password
> condition of many ARIN Online user accounts today.  (ARIN also plans
> on adding support for a third 2FA option in the future – Fast Identity
> Online 2 (FIDO2) – in response to community suggestions, but we do not
> believe it is prudent to delay requiring 2FA on ARIN Online accounts
> until that third option becomes available.)
> 
> **Requiring 2FA For ARIN Online Accounts**
> 
> By requiring 2FA for ARIN Online accounts that control number
> resources, the ARIN community should see stronger security for the
> registry, reduced risk of account fraud attempts, and increased
> confidence in the integrity of their ARIN resources.
> 
> ARIN intends to require 2FA for all ARIN Online accounts shortly after
> SMS-based 2FA authentication is generally available.  We are seeking
> confirmation from the ARIN community regarding this plan, and ask the
> following consultation question:
> 
> -------------------
> Once SMS-based two-factor authentication (2FA) is available for ARIN
> Online, do you believe ARIN *should not* proceed with requiring 2FA
> authentication (SMS-based or TOTP) for all ARIN Online accounts?  If
> so, why?
> -------------------
> 
> The feedback you provide during this consultation will help form our
> path forward to increasing the security of ARIN Online for all
> customers. Thank you for your participation in the ARIN Consultation
> and Suggestion Process. Please provide comments to arin-
> consult at arin.net. You can subscribe to this mailing list at:
> 
> http://lists.arin.net/mailman/listinfo/arin-consult
> 
> This consultation will remain open through 5:00 PM ET on 24 June 2022.
> 
> Regards,
> 
> John Curran
> President and CEO
> American Registry for Internet Numbers (ARIN)
> 
> 
> _______________________________________________
> ARIN-Announce
> You are receiving this message because you are subscribed to
> the ARIN Announce Mailing List (ARIN-announce at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-announce
> Please contact info at arin.net if you experience any issues.