[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts
Owen DeLong
owen at delong.com
Wed Jun 1 14:04:18 EDT 2022
> On May 30, 2022, at 21:35 , Peter Beckman <beckman at angryox.com> wrote:
>
> On Sun, 29 May 2022, Owen DeLong via ARIN-consult wrote:
>
>>> Ideally, you shouldn't be logging into an ARIN account from such a machine. What sort of real world scenarios are occurring where you need to do that, as opposed to just wait until you're back at a device you control?
>>
>> On-call consulting work.
>
> And you are unable to bring your own laptop or other personal device to
> this on-call consulting work, where you can use their computers and their
> Internet access but you cannot use your own?
In some cases, yes.
>>> If you login from a device you don't control, a password alone (no
>>> matter how strong) is vulnerable to replay. While I don't think you
>>> should login to ARIN at the library, if you do so anyway but use 2FA,
>>> then that replay risk goes away: your account is only exposed while
>>> logged in at that machine. Replay of passwords is _the_ scenario that
>>> 2FA is designed to address.
>>
>> It’s only vulnerable to replay until it is changed. When I’m faced with
>> such a situation, I’m smart enough to change it once I am able to use a
>> machine I control to do so. The odds of a replay attack in the time that
>> takes are relatively small. The odds of the replay attack causing
>> significant damage given ARIN ticket turnaround times are even smaller.
>
> Sure, the odds are pretty low that ARIN members wouldn't understand good
> security practices or get phished, yet it happens, often enough for ARIN
> to consider taking steps to reduce those odds further.
Whether ARIN members in general do or not, I do and you were making allegations
about my particular behavior.
> It's all theoretical to someone until it happens to them. At that point,
> the odds are no longer too small to make no changes.
Well… I’ve got more than 20 years of it not happening to me, so I think that’s a reasonably good track record.
Owen