[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Peter Beckman beckman at angryox.com
Fri May 27 23:26:26 EDT 2022


Just to be explicit about a TOTP 2FA login flow:

     1. Visit site
     2. Enter Username & Password
     3. Look at phone (or use app on computer you are using) to get or enter
         6-digit code
     4. Enter 6-digit code in text box
     5. Press submit

The 6-digit code is generally valid for 30 seconds; servers generally
accept the previous, current, and next code to account for clock skew.
Clocks skewed further than that would prevent a valid code from being
generated.

On Wed, 25 May 2022, Owen DeLong wrote:

>> What exactly are you using then to log into ARIN?!?
>
> In many cases, Lynx on a busy-box based system.

  Is this because of an accessibility reason that you use a text-based web
  browser?

  A Raspberry Pi-based computer in your pocket would be an ideal system to
  carry on your person to avoid using untrusted computers.

  Have you found a Password Manager for Lynx? If so, you should see if it
  supports TOTP. If not, there are text-based TOTP code generators, I'd be
  happy to find them for you. I will compile and build them for you!

  I'd be very curious why you use Lynx instead of a graphical-based browser.
  Or a generally GUI OS.

> I’m not always logging in from my desktop. I’m not even always logging in
> from a machine I generally control.

  Untrusted computers are called that because they cannot be trusted.
  Entering ARIN credentials there risks your account being stolen. 2FA would
  prevent your stolen creds from being used by an unauthorized 3rd party.

> What’s the support for TOTP from a shared system in, say a Library or a
> Maker Space? How am I supposed to secure that?

  You should always have a trusted device with you. If not, you should never
  log into your accounts on a shared or untrusted system, ever.

> I am hearing it, I’m just saying that one size doesn’t fit all and that
> mere OS support isn’t the only issue here.

  Multiple sizes, operating systems, software, apps have been presented.

  What size fits you, other than the status quo?

> I have yet to see a good solution for putting a TOTP capability on a
> machine I can’t generally trust.

  Nobody said to do this, and you should not. You should always carry a
  trusted device to generate the TOTP code. If you do not, you should not
  log into your accounts when using an untrusted terminal.

> That’s kind of like installing your SSH private keys on servers at a
> client site if you’re a consultant… Not too bright.

  You would never install the shared secret on an untrusted server. You
  don't need to. You're just reading the 6-digit code, which could be
  installed on multiple devices convenient for you, and entering it along
  with your username and password.

> Someone who reuses passwords in this day and age probably deserves
> whatever happens to them.

  It's not just the user who is harmed. In this case, ARIN is harmed. If the
  user represents the company, the company is harmed. It will cost everyone
  involved time and money.

Beckman
---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                https://www.angryox.com/
---------------------------------------------------------------------------
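
An added example, not part of the original message: a server-side check for the 6-digit, 30-second code described at the top of the post, accepting the previous, current and next code to absorb clock skew. It assumes standard RFC 6238 TOTP with HMAC-SHA1; the function names are illustrative and the secret is the RFC test secret, not a real credential.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds a code is valid, as stated in the post
DIGITS = 6     # code length, as stated in the post


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = number of 30-second steps since epoch."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, code: str, server_time: int, window: int = 1):
    """Return the step offset (-1, 0 or +1) whose code matches, or None.

    window=1 accepts the previous, current and next code, so a device clock
    that is off by more than one step produces a code the server rejects.
    """
    current = server_time // STEP
    matched = None
    for offset in range(-window, window + 1):
        counter = current + offset
        if counter < 0:
            continue
        # Constant-time comparison; every candidate is checked, no early exit.
        if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
            matched = offset
    return matched


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret (assumption)
    device_time = 1_111_111_109        # constructed sample timestamp
    code = totp(secret, device_time)
    for skew in (0, 25, 40, 70):
        result = verify(secret, code, device_time + skew)
        print(f"server clock +{skew:>2}s -> matched offset {result}")
```

The shared secret stays on the server and on the trusted device; only the 6-digit code is typed into the terminal being used.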

