[ARIN-consult] SMS 2FA: Not as secure.....

Matt Harris matt at netfire.net
Tue May 24 16:08:44 EDT 2022

Matt Harris|VP of Infrastructure
On Tue, May 24, 2022 at 2:52 PM Ross Tajvar <ross at tajvar.io> wrote:

> I strongly agree with Larry. I have had money stolen from accounts
> protected with SMS 2FA because it is not secure. I do not support
> enablement of SMS 2FA at all, even as a second option. I *do* support
> mandatory enforcement of TOTP or FIDO 2FA for all users, new or not.
> -Ross
> In answer to the consult:
>> Once SMS-based two-factor authentication (2FA) is available for ARIN
>> Online, do you believe ARIN *should not* proceed with requiring 2FA
>> authentication (SMS-based or TOTP) for all ARIN Online accounts?  If so,
>> why?
>> SMS 2FA is subject to security flaws, interception, sim-card theft, etc.
>> I don't believe SMS 2FA is appropriate at all.
>> TOTP or FIDO should be the only methods, IMO.
I agree, as well. I believe that any perceived difficulty inherent in
utilizing TOTP 2FA is simply a misperception. Indeed, if you have a device
capable of receiving SMS, you likely have a device capable of running a
TOTP app. On the other hand, a device capable of running a TOTP app - or,
alternatively as Ross mentioned, performing FIDO auth - is far less
expensive than a device capable of receiving SMS and the associated
subscriptions required in order to do so. For example, there are a number
of free TOTP apps (I use Google Authenticator) for both Android and iOS. If
you have access to neither, and FIDO were implemented, a simple FIDO device
such as a YubiKey can likely be had for $25 USD if not less.

ARIN should proceed with requiring 2FA for at least all accounts which are
holders of resources such as ASNs and address resources. This should not be
dependent on implementing SMS 2FA, and FIDO support should be considered as
a superior secondary option for those who do not wish to utilize TOTP. This
will offer the greatest added security while additionally providing for the
lowest possible cost of participation, as a FIDO (blue) YubiKey is widely
available for $25 USD, a one-time charge unlike the subscription required
to receive SMS at a distinct DID or shortcode.

- mdh