[ARIN-consult] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

Peter Beckman beckman at angryox.com
Sat May 28 00:12:22 EDT 2022 

Excellently researched, well written, and yes I read it all, even past the
point where you wondered. :-) Thanks Gary!!j

I still disagree with your conclusion that ARIN should allow orgs to choose
whether or not to use 2FA.


ARIN "owns" the resources. Members are assigned portions of these
resources. The resources can be taken away.

Theft, modification, or general malfeasance of any member's account and
resources will ALWAYS require ARIN's resources, time, and money to correct
and repair.

I think of ARIN resources like someone else's car. The owner let you borrow
it, but if you crash or damage it, it is the owner of the car that is
inconvenienced the most, and now has a less valuable asset, and must invest
the time to fix it, cannot use it while it is being fixed, pays for a
rental during repair, etc. While the borrower maybe pays out the financial
cost (maybe) but loses no time nor value.


When ARIN requires 2FA to manage critical account resources, they are
protecting ARIN's assets that have been designated to you and allow you to
manage.

They are protecting ARIN from their weakest security link: humans.

ARIN requiring 2FA for all accounts reduces or eliminates ARIN's cost of
cleaning up the mess after a member's account is breached.


Can someone at ARIN weigh in with a story about the cost to ARIN of a
breached ARIN account? I assume it has happened, and thus this discussion.

Beckman

On Sat, 28 May 2022, Gary Buhrmaster wrote:

>
> So, I do not believe ARIN should *require* 2FA,
> it should provide the infrastructure to allow orgs
> to require it if *they* so choose, based on *their*
> risk evaluation.
>
>
>
>
> Now that I have mostly rejected most of the proposal,
> I think it is only fair to offer a few top of the head (not
> fully fleshed out) alternatives to consider:
>
> If ARIN wants to encourage MFA adoption, implement
> FIDO2 as agreed, and send out two FIDO2 keys to all
> ARIN online account holders who control resources
> under an RSA and who requests them (I'll bet most
> orgs can afford the keys, and would even prefer they
> do their own sourcing, but why give some orgs yet
> another reason to not use MFA?  Make it easy).
> FD: I was an early adopter of U2F, and have more
> FIDO2 keys than one can shake a stick at, and
> whenever I can, I use the keys for the site(s) I have
> access to.
>
> Any change to an ARIN online account, or by an
> ARIN online account, should allow both the online
> account, and the impacted organization the ability
> to be notified (both to the old and new contact
> details).   "The phone number associated with your
> online account has been changed.  If you did not
> perform this action, contact ARIN immediately".
> "The ARIN online account which has access to your
> organizational data has been updated.  If you do
> not approve of this action, contact ARIN...".
>
> While time based forced password changes are
> also discouraged by NIST, require all ARIN online
> accounts that do not have MFA enabled by a
> certain date to change their password before next
> use where ARIN will be able to (at least) ensure
> that password is not (currently) in one of the
> many lists of known compromised passwords
> (one can brute force any password with enough
> time, and the list of compromised passwords
> is added to all the time but a fair number of the
> brutes will use the various known password
> dictionary sets).  I suppose if you want to be
> especially annoying, require a password change
> every six months if the account does not use MFA
> (although I do not really think that is a good thing).
>
> If implementing proper MFA is currently considered
> too hard, outsource the MFA support to companies
> such as okta, duo, or others (review Gartner's
> quadrants), which allows one to specific exactly
> what level identify assurance is required for the
> transaction being performed and authenticate
> appropriately.
>
> If not already done, add a captcha challenge to
> multiple failed password attempts against an
> account (if you fail nnn times, you are going to
> get slowed down just a bit as you have to identify
> the ships/trains/automobiles). Multiple different
> IP sources should also trigger the challenge (yes,
> I hate captcha as much as the next person, maybe
> more, but they do have some benefit of training
> a company's self driving AI to not drive into the
> train (which is generally considered a bad thing)).
>
>
>
> Gary
> _______________________________________________
> ARIN-Consult
> You are receiving this message because you are subscribed to the ARIN Consult Mailing
> List (ARIN-consult at arin.net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the ARIN Member Services
> Help Desk at info at arin.net if you experience any issues.
>

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman at angryox.com                                https://www.angryox.com/
---------------------------------------------------------------------------

More information about the ARIN-consult mailing list