[ARIN-consult] ACSP Consultation: Advanced Security Features for ARIN Online

William Herrin bill at herrin.us
Thu Apr 16 15:13:35 EDT 2020


On Thu, Apr 16, 2020 at 7:40 AM ARIN <info at arin.net> wrote:
> Based on this community input as well as suggestions received through
> other channels, we are opening a consultation to solicit feedback on a
> number of potential security improvements that are under consideration.
> We are specifically interested in your thoughts on a number of specific
> suggestions, listed below:
>
>     * ARIN uses challenge questions to verify users who are seeking to
> restore access to their ARIN Online user account and to complete other
> actions. It has been suggested that we eliminate the use of challenge
> questions for customer account verification in favor of other security
> measures.

YES. PLEASE. Challenge questions were a crap idea in the first place.
Lots of folks did it and still do it, but it's a crap idea all the same.
NIST SP 800-63 rev 3 does a fine job explaining why it's a crap
idea so I won't beat a dead horse.


>     * Utilizing a personal passcode and/or SMS push codes to a mobile
> device for password resets and other account actions

Do folks need to urgently reset their password? Fedex has an
interesting process where they send you a code via postal mail. It
takes a couple days but it's not so readily  exploitable as email/sms.

I read a newspaper story recently where some guy lost millions in
bitcoin when someone took over his phone number. The phone company he
sued made it crystal clear in legal filings that they don't promise or consider
their management practices for customer accounts to be secure enough
to be used for single-factor authentication, such as for a password
reset.


>     * Changing password length and entry requirements to better align
> with NIST SP800-63 recommendations

YES. PLEASE. 800-63 rev 3 was a sudden outbreak of common sense
when it came to password selection.


>     * Requiring the use of Two-factor Authentication (2FA) on all
> accounts, or allowing Admin Points of Contact (POCs) to control
> permissions on access to their Organization Records to only allow access
> from associated POCs who have 2FA on their user accounts

NO. Default to this, yes. Encourage it. But ultimately let the
registrant determine the appropriate level of security for their
account.

Many of your registrants go years between contacts more substantial
than paying the annual fee. What will you use for the "what-you-have"
factor that you can reasonably expect to be valid years from now?
SMS push when not everyone keeps the same cell phone number
that long? An SSL client cert that routinely expires?


>     * 2018.22: Align ARIN password policy with current NIST SP800-63
> recommendations:
> https://www.arin.net/participate/community/acsp/suggestions/2018-22/

Rev 3 specifically. Rev 2 was trash.

Within reason, yes. A registrant who wants to secure his account to
the rev3 standard should be able to do so. Someone shouldn't be able
to come in the side and reset his auth in a non-compatible way.


>      * 2019.14: Implement FIDO2 (WebAuthn) for ARIN Online:
> https://www.arin.net/participate/community/acsp/suggestions/2019-14/

This is flavor-of-the-month. There will be something better next year.
And the year after that. Is it a good one? Enough better than what
you're doing now to be worthwhile? I don't know. But it's very
flavor-of-the-month.

Regards,
Bil Herrin

-- 
William Herrin
bill at herrin.us
https://bill.herrin.us/


More information about the ARIN-consult mailing list