[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Owen DeLong owen at delong.com
Thu May 26 00:53:15 EDT 2022



> On May 25, 2022, at 21:34, Peter Beckman <beckman at angryox.com> wrote:
> 
> On Wed, 25 May 2022, Owen DeLong via ARIN-consult wrote:
> 
>> The added overhead is small if you are in an office with your cell phone
>> handy.
>> 
>> It’s less convenient if your cell phone isn’t handy (for a variety of
>> reasons), and you’re trying to do something quickly without having to
>> retrieve said phone.
> 
> What exactly are you using then to log into ARIN?!?

In many cases, Lynx on a BusyBox-based system.

> You do NOT need a mobile phone to use TOTP 2FA.
> 
> I use 1Password on my Desktop all day long, and the same TOTP 2FA code
> generated on my desktop is the same TOTP 2FA code that is generated on my
> mobile phone.

I’m not always logging in from my desktop. I’m not even always logging in from a machine I generally control.

What’s the support for TOTP from a shared system in, say, a Library or a Maker Space? How am I supposed to secure that?

> I am feeling like you aren't hearing that TOTP 2FA has support for
> practically ALL COMPUTERS: Linux, Windows, macOS, iOS, Android,
> JavaScript/Web.

I am hearing it, I’m just saying that one size doesn’t fit all and that mere OS support isn’t the only issue here.

> There is also a GitHub project code for running TOTP 2FA on a TI-83
> calculator. https://github.com/jshin313/ti-authenticator

So?

I have yet to see a good solution for putting a TOTP capability on a machine I can’t generally trust.

That’s kind of like installing your SSH private keys on servers at a client site if you’re a consultant… Not too bright.

>>>> Perhaps requiring better (non-dictionary) passwords on accounts that don’t have 2FA would be a solution more targeted at the actual problem.
>>> How would ARIN judge the complexity of a password? As far as I'm aware, checking if it uses dictionary words is non-trivial. And even then, a sufficiently long passphrase using dictionary words is pretty secure (vs a short one) - I don't think it makes sense to penalize users for that.
>> 
>> Yes, sufficient length if just words (alpha only), or sufficient entropy if not long.
>> 
>> Checking for dictionary words isn’t completely trivial, but it’s not particularly computationally difficult, either.
>> 
>> Plenty of sites manage to do this.
> 
> This does not solve the problem if the account and password are disclosed
> in a breach, and someone is re-using passwords on ARIN and elsewhere. 2FA
> prevents the disclosure of account creds from giving an unauthorized 3rd
> party access to other/any accounts.

Someone who reuses passwords in this day and age probably deserves whatever happens to them.

Owen


