[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Peter Beckman beckman at angryox.com
Fri May 27 22:56:22 EDT 2022


On Wed, 25 May 2022, Owen DeLong wrote:

> Well… ARIN can’t detect that until your next (successful) login, anyway.

  Fair, agreed. This also requires ARIN to constantly be updating their
  "disclosed password" list, which seems like that could also fall through
  the cracks.

>> 2FA eliminates the risk of static data disclosure becoming a security
>> liability.
>
> Until the particular seed/algo/etc. for the 2FA is compromised (such as a
> stolen hardware token, or the time when a batch of SecurID tokens were
> compromised, or…
>
> Less frequent than password compromises? Sure. Sufficiently less frequent
> to be worth the inconvenience for securing something that isn’t a
> particularly attractive target? Not so sure.

  What would it take to convince you?

  Is there anything that would?

  Is it just too inconvenient for you to accept that it will improve
  security that you just want to keep throwing out arguments to not change
  your own processes?

  Password compromises: weekly
  2FA compromises: none

  Can you point to any 2FA disclosures or breaches that occurred because the
  shared secret was also compromised? I could not find a single one. I
  honestly wanted to, just for you, Owen! It is theoretically plausible but
  either hasn't happened or has but has not been documented.

  Here's what I could find:

     - Coinbase 2FA Flaw using SMS contributed to breach (SMS not TOTP)
       https://www.cpomagazine.com/cyber-security/coinbase-hack-attributed-to-a-multi-factor-authentication-flaw-that-allowed-scammers-to-steal-cryptocurrency-from-6000-accounts/

     - How to hack 2FA
       https://www.csoonline.com/article/3620223/how-to-hack-2fa.html
       (none suggested stealing the secret as an easy way)

     - Breaches 2FA could have prevented
       https://www.tyntec.com/blog/breaches-multifactor-authentication-could-have-prevented

     - Linode 2016 non-breach but 2FA implementation changed
       https://www.linode.com/blog/linode/security-investigation-retrospective/

     - RSA SecurID 2011 Breach (phishing and hack of RSA, not TOTP)
       https://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_compromise

  I could not find anything but theoretical "the shared secret would be
  disclosed in a breach." And this is true, but ARIN would need to be
  hacked, not another website.

  ARIN could sufficiently protect accounts with 2FA by implementing a
  microservice like Linode and store the 2FA shared secrets in a secure
  enclave apart from other authentication and customer data, which would
  require hackers to target all of ARIN and breach MULTIPLE systems, which
  exponentially increases the difficulty of reaching a successful breach.

  Much more likely for a flaw in coding to allow someone into an account
  without 2FA.


Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                https://www.angryox.com/
---------------------------------------------------------------------------
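The design sketched above (TOTP seeds kept in a separate service, apart from the password and customer tables, so that a dump of the web tier alone yields no seeds) can be illustrated in code. The following is an added example written for this page, not code from ARIN, Linode or the poster; the class names SeedVault and AuthService, the in-memory dictionaries standing in for the enclave and the customer database, and the RFC 4226/6238 reference key used as sample input are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Reference key from RFC 4226 / RFC 6238 test vectors; used here only as a known-answer input.
RFC_TEST_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, int(at_time) // step, digits)


class SeedVault:
    """Hypothetical stand-in for the isolated 2FA microservice / enclave.
    It holds the TOTP seeds and exposes only enroll() and verify(); no call
    path hands a stored seed back to the caller after enrolment."""

    def __init__(self, step: int = 30):
        self._step = step
        self._seeds = {}          # account_id -> 20-byte seed (would live in the enclave)
        self._last_counter = {}   # highest time-step already accepted, for replay rejection

    def enroll(self, account_id: str) -> bytes:
        seed = secrets.token_bytes(20)
        self._seeds[account_id] = seed
        self._last_counter[account_id] = -1
        return seed  # shown once to provision the authenticator app; the web tier never stores it

    def verify(self, account_id: str, code: str, now=None, window: int = 1) -> bool:
        seed = self._seeds.get(account_id)
        if seed is None:
            return False
        counter = int(time.time() if now is None else now) // self._step
        for c in range(counter - window, counter + window + 1):
            if c <= self._last_counter[account_id]:
                continue  # a code for this step was already consumed: reject the replay
            if hmac.compare_digest(hotp(seed, c), code):
                self._last_counter[account_id] = c
                return True
        return False


class AuthService:
    """Web tier: holds password hashes (and, in a real system, customer data) but no seeds."""

    def __init__(self, vault: SeedVault):
        self._vault = vault
        self._passwords = {}  # account_id -> (salt, pbkdf2 hash)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, account_id: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._passwords[account_id] = (salt, self._hash(password, salt))

    def password_ok(self, account_id: str, password: str) -> bool:
        rec = self._passwords.get(account_id)
        return rec is not None and hmac.compare_digest(rec[1], self._hash(password, rec[0]))

    def login(self, account_id: str, password: str, code: str, now=None) -> bool:
        # Both factors are checked here, but the seed never leaves the vault.
        return self.password_ok(account_id, password) and self._vault.verify(account_id, code, now)

    def leaked_contents(self) -> dict:
        """What an attacker who dumps only this service obtains: salted hashes, no seeds."""
        return dict(self._passwords)


if __name__ == "__main__":
    vault = SeedVault()
    auth = AuthService(vault)
    auth.register("acct-1", "correct horse battery staple")
    seed = vault.enroll("acct-1")           # constructed enrolment for the demo
    code = totp(seed, time.time())
    print("login:", auth.login("acct-1", "correct horse battery staple", code))
    print("replay:", auth.login("acct-1", "correct horse battery staple", code))
    print("web-tier dump contains seed:", any(seed in rec for rec in auth.leaked_contents().values()))
```

The point of splitting the classes this way is the one made in the message: a breach of the customer-facing service exposes salted password hashes but not seeds, so an attacker would additionally have to reach the vault, and the vault's interface gives a yes/no answer rather than the secret. The replay check is included because a verifier that accepts the same code twice within its window is a common implementation flaw of the kind the message calls more likely than seed theft.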

