[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Peter Beckman beckman at angryox.com
Wed May 25 16:42:33 EDT 2022 

I've read through most of the comments.

tl;dr: I support mandatory TOTP 2FA, and strongly urge ARIN to consider
support for physical tokens such as Yubikey.


Summary

     - Bad things can be done when someone gains unauthorized access to an
       ARIN account

     - While individuals might use 16+ character random passwords that are
       never used for other sites, in 2022 most people still don't, and just
       have a handful of passwords they memorize

     - Password re-use is not detectable by any one organization, and thus
       requiring TOTP prevents accounts that re-use passwords from being an
       attack vector due to breaches on other websites/systems

     - Not enough people use a Password Manager like LastPass, 1Password,
       DashLane, etc. But when they do, TOTP 2FA becomes a non-issue. Plus
       these PW Managers securely deploy your logins to various devices,
       still protected with a passphrase in addition to the OS account
       passphrase or biometric, making the argument of a "single device
       lost" moot

     - Most TOTP 2FA implementations also provide backup codes to use in
       case the TOTP 2FA access is lost. These should be stored by the user
       in a secure way somewhere

     - While Owen and Bill may practice excellent personal security with
       random not-used-on-any-other-website-or-login passwords, most people
       do not. One Man-in-the-Middle attack because one didn't notice that
       the AT&T Hotspot they connected to wasn't really AT&T and they login
       into ARIN and poof, their accounts are accessed by a 3rd party for
       all lengths of time, whereas TOTP would give the attacker a 90 second
       window (implementations usually accept the previous, current, and
       next code to account for time drift) to log into the account,
       otherwise they'd be locked out.


TOTP 2FA is the most portable and best generally used option currently in
existence.

Physical tokens, such as Yubikeys, are also excellent, and ARIN should
consider providing support for this for those willing to jump through such
hoops for security.

SMS, while better in 2022, still uses an out-of-band over-the-air network
where changing the eSPID/SPID/NNID for SMS or SIM cloning is still a
potential attack vector.

Certificate-based authentication is also a possible path, but it is NOT
implemented yet in an easy way for most people.


Any 2FA puts limits on the ability for an unauthorized 3rd party to access
one's account. TOTP puts a 90-second window in place if someone knows the
code at a certain point of time, and then that window is gone.

Just because one has "never had a security problem" does not mean that one
has never occurred, and that one cannot occur in the future. Breaches occur
with regularity across the internet, and it seems ARIN accounts already
have been.

Password Managers eliminate the "variety of inconveniences" as you hit
"paste" after you tapped the command keyboard shortcut to fill the login,
which starts with verifying the domain matches your Password Manager's
record for your login.


The negative impacts of individual's bad security choices are not limited
to that individual, and thus, I believe ARIN is well within its position to
require 2FA in order to enforce security best practices.

Until a better and more secure way is presented, I support ARIN requiring
TOTP 2FA or a physical token in order to access ARIN accounts and assets.

Beckman


On Wed, 25 May 2022, Owen DeLong via ARIN-consult wrote:

> I’m not in favor of requiring 2FA. I agree that SMS 2FA is pretty awful, but all forms of 2FA come with a variety of inconveniences.
>
> With an account that goes back to the beginnings of ARIN online, I’ve never had a security problem with my ARIN online account, so I think that 2FA is a solution looking for a problem here.
>
> I know that’s not a popular view among the more security conscious, but the reality is that security should be commensurate with what is being protected. Let users who think their account warrants such additional measures opt in. Let those of use who feel that our passwords are adequate continue in that manner.
>
> Owen
>
>
>> On May 24, 2022, at 09:46, ARIN <info at arin.net> wrote:
>> 
>> **Background**
>> 
>> In 2015, ARIN deployed a Time-Based One-Time password (TOTP) implementation of Two-Factor Authentication (2FA). Since the time of implementing that login security feature, 3.2 percent of ARIN Online users have opted to use 2FA with their accounts.
>> 
>> Since October 2020, the ARIN Online system has been subject to a series of dictionary-based password guessing attacks. In March of 2021, we conducted ACSP Consultation 2021.2: Password Security for ARIN Online Accounts (https://www.arin.net/participate/community/acsp/consultations/2021/2021-2/) on proposed improvements to increase account security. This consultation resulted in an agreement to move forward with several improvements that have subsequently been deployed. However, we continue to see frequent attacks on our log-in systems, and ARIN staff continues to be heavily engaged in mitigating these attacks. Accounts not using 2FA are susceptible to these attacks. We recently updated the community on this topic during ARIN 49 held in Nashville and online in April. You can review this information from the ARIN 49 Meeting Report (https://www.arin.net/participate/meetings/ARIN49/) by looking for the presentation titled “Brute Force Login Attacks”. 
>> 
>> It is our intention to make 2FA mandatory for all existing and new ARIN Online accounts going forward. The security of ARIN Online accounts is paramount to the success of the registry, and we do not believe it is tenable to continue without making 2FA required for all ARIN Online accounts. 
>> 
>> We are currently developing a second method of 2FA use with ARIN Online to add to our long-deployed TOTP implementation. In the coming months, we will deploy a Short Message Service (SMS) 2FA implementation, thereby adding a second 2FA option for ARIN Online users. At that time, users will be able to choose between two types of 2FA – SMS and TOTP.   Adoption of TOTP 2FA has been limited in part due to perceived complexity, and the addition of SMS-based 2FA will provide a second option that is easier to use for many customers – and provide much more protection than the simple username-password condition of many ARIN Online user accounts today.  (ARIN also plans on adding support for a third 2FA option in the future – Fast Identity Online 2 (FIDO2) – in response to community suggestions, but we do not believe it is prudent to delay requiring 2FA on ARIN Online accounts until that third option becomes available.)
>> 
>> **Requiring 2FA For ARIN Online Accounts**
>> 
>> By requiring 2FA for ARIN Online accounts that control number resources, the ARIN community should see stronger security for the registry, reduced risk of account fraud attempts, and increased confidence in the integrity of their ARIN resources. 
>> 
>> ARIN intends to require 2FA for all ARIN Online accounts shortly after SMS-based 2FA authentication is generally available.  We are seeking confirmation from the ARIN community regarding this plan, and ask the following consultation question: 
>> 
>> -------------------
>> Once SMS-based two-factor authentication (2FA) is available for ARIN Online, do you believe ARIN *should not* proceed with requiring 2FA authentication (SMS-based or TOTP) for all ARIN Online accounts?  If so, why?
>> -------------------
>> 
>> The feedback you provide during this consultation will help form our path forward to increasing the security of ARIN Online for all customers. Thank you for your participation in the ARIN Consultation and Suggestion Process. Please provide comments to arin-consult at arin.net. You can subscribe to this mailing list at:
>> 
>> http://lists.arin.net/mailman/listinfo/arin-consult
>> 
>> This consultation will remain open through 5:00 PM ET on 24 June 2022.
>> 
>> Regards,
>> 
>> John Curran
>> President and CEO
>> American Registry for Internet Numbers (ARIN)
>> 
>> Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts
>> 
>> 
>> _______________________________________________
>> ARIN-Consult
>> You are receiving this message because you are subscribed to the ARIN Consult Mailing
>> List (ARIN-consult at arin.net).
>> Unsubscribe or manage your mailing list subscription at:
>> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN Member Services
>> Help Desk at info at arin.net if you experience any issues.
>
> _______________________________________________
> ARIN-Consult
> You are receiving this message because you are subscribed to the ARIN Consult Mailing
> List (ARIN-consult at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN Member Services
> Help Desk at info at arin.net if you experience any issues.

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                https://www.angryox.com/
---------------------------------------------------------------------------

More information about the ARIN-consult mailing list