[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts
Peter Beckman
beckman at angryox.com
Fri May 27 22:56:22 EDT 2022
On Wed, 25 May 2022, Owen DeLong wrote:
> Well… ARIN can’t detect that until your next (successful) login, anyway.
Fair, agreed. This also requires ARIN to constantly be updating their
"disclosed password" list, which seems like that could also fall through
the cracks.
>> 2FA eliminates the risk of static data disclosure becoming a security
>> liability.
>
> Until the particular seed/algo/etc. for the 2FA is compromised (such as a
> stolen hardware token, or the time when a batch of SecurID tokens were
> compromised, or…
>
> Less frequent than password compromises? Sure. Sufficiently less frequent
> to be worth the inconvenience for securing something that isn’t a
> particularly attractive target? Not so sure.
What would it take to convince you?
Is there anything that would?
Is it just too inconvenient for you to accept that it will improve
security that you just want to keep throwing out arguments to not change
your own processes?
Password compromises: weekly
2FA compromises: none
Can you point to any 2FA disclosures or breaches that occurred because the
shared secret was also compromised? I could not find a single one. I
honestly wanted to, just for you, Owen! It is theoretically plausible but
either hasn't happened or has but has not been documented.
Here's what I could find:
- Coinbase 2FA Flaw using SMS contributed to breach (SMS not TOTP)
https://www.cpomagazine.com/cyber-security/coinbase-hack-attributed-to-a-multi-factor-authentication-flaw-that-allowed-scammers-to-steal-cryptocurrency-from-6000-accounts/
- How to hack 2FA
https://www.csoonline.com/article/3620223/how-to-hack-2fa.html
(none suggested stealing the secret as an easy way)
- Breaches 2FA could have prevented
https://www.tyntec.com/blog/breaches-multifactor-authentication-could-have-prevented
- Linode 2016 non-breach but 2FA implementation changed
https://www.linode.com/blog/linode/security-investigation-retrospective/
- RSA SecurID 2011 Breach (phishing and hack of RSA, not TOTP)
https://en.wikipedia.org/wiki/RSA_SecurID#March_2011_system_compromise
I could not find anything but theoretical "the shared secret would be
disclosed in a breach." And this is true, but ARIN would need to be
hacked, not another website.
ARIN could sufficiently protect accounts with 2FA by implementing a
microservice like Linode and store the 2FA shared secrets in a secure
enclave apart from other authentication and customer data, which would
require hackers to target all of ARIN and breach MULTIPLE systems, which
exponentially increases the difficulty of reaching a successful breach.
Much more likely for a flaw in coding to allow someone into an account
without 2FA.
Beckman
---------------------------------------------------------------------------
Peter Beckman Internet Guy
beckman at angryox.com https://www.angryox.com/
---------------------------------------------------------------------------
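The design sketched above (a separate service that holds the TOTP seeds and answers only yes/no, so a dump of the main user database yields no second-factor secrets) as an added illustration; this is example code written for this archive page, not ARIN's or Linode's implementation, and the class names, the in-memory stores and the PBKDF2 parameters are assumptions:

```python
import base64, hashlib, hmac, secrets, struct, time

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

class TotpEnclave:
    """Stand-in for the isolated 2FA microservice: it holds the shared secrets and
    exposes only enroll() and verify(); a seed is never handed back after enrollment."""
    def __init__(self):
        self._seeds = {}  # account -> raw seed bytes, kept apart from the user database

    def enroll(self, account: str, seed=None) -> str:
        seed = seed or secrets.token_bytes(20)
        self._seeds[account] = seed
        return base64.b32encode(seed).decode()  # shown once, for the authenticator app

    def verify(self, account: str, code: str, now=None, window: int = 1) -> bool:
        seed = self._seeds.get(account)
        if seed is None:
            return False
        step = int((time.time() if now is None else now) // 30)  # RFC 6238, 30 s time steps
        return any(hmac.compare_digest(hotp(seed, step + d), code) for d in range(-window, window + 1))

class AuthService:
    """Primary login store: holds only salted password hashes, so a dump of it yields no TOTP seed."""
    def __init__(self, enclave: TotpEnclave):
        self.enclave = enclave
        self._users = {}  # user -> (salt, pbkdf2 hash)

    def register(self, user: str, password: str, seed=None) -> str:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
        return self.enclave.enroll(user, seed)

    def login(self, user: str, password: str, code: str, now=None) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, expected = rec
        pw_ok = hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), expected)
        otp_ok = self.enclave.verify(user, code, now)  # enclave returns a verdict only, never the seed
        # Both factors are evaluated before deciding, so the response does not reveal which one failed.
        return pw_ok and otp_ok
```

An attacker who obtains the AuthService store alone still cannot mint codes; only a second, separate compromise of the enclave would expose the seeds, which is the "multiple systems" property the post argues for.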