[ARIN-consult] Consultation on Expanding 2FA Options for ARIN Online

Heather Schiller has at google.com
Tue Jan 24 15:06:39 EST 2023 

My inquiry about the number of human pocs, was to better understand the
volume of risk due to a single user needing to recover their access in some
way.  80% is not reassuring. eek.

--h

On Tue, Jan 24, 2023 at 3:00 PM Ross Tajvar <ross at tajvar.io> wrote:

> Each account does its own 2FA. You don't need multiple hardware tokens on
> the same account unless you're sharing that account, which is unnecessary,
> because you can associate multiple accounts with one POC. I don't think
> limiting the number of tokens will cause an issue for orgs with multiple
> human POCs.
>
> Maybe I'm misunderstanding your concern?
>
> On Tue, Jan 24, 2023 at 2:58 PM Adam Thompson <athompso at athompso.net>
> wrote:
>
>> I **don’t** think we can nonchalantly apply the Pareto principle to
>> authentication:  how are those ~20% of accounts going to do 2FA with ARIN
>> next month?  The only way I can see is to register multiple TOTP
>> authenticators.  Have I missed something?
>>
>> -Adam
>>
>>
>>
>> *From:* ARIN-consult <arin-consult-bounces at arin.net> *On Behalf Of *John
>> Sweeting
>> *Sent:* Tuesday, January 24, 2023 1:56 PM
>> *To:* Heather Schiller <has at google.com>; ARIN <info at arin.net>
>> *Cc:* arin-consult at arin.net
>> *Subject:* Re: [ARIN-consult] Consultation on Expanding 2FA Options for
>> ARIN Online
>>
>>
>>
>> Thanks for your input Heather.
>>
>>
>>
>> Tangentially related, what percentage of accounts do you think have a
>> single human poc?
>>
>>
>>
>> Approximately 80% appear to have a single human poc
>>
>>
>>
>>
>>
>> *From: *ARIN-consult <arin-consult-bounces at arin.net> on behalf of
>> Heather Schiller via ARIN-consult <arin-consult at arin.net>
>> *Reply-To: *Heather Schiller <has at google.com>
>> *Date: *Tuesday, January 24, 2023 at 2:16 PM
>> *To: *ARIN <info at arin.net>
>> *Cc: *"arin-consult at arin.net" <arin-consult at arin.net>
>> *Subject: *Re: [ARIN-consult] Consultation on Expanding 2FA Options for
>> ARIN Online
>>
>>
>>
>> Can we add, authorization should expire in <24hrs?  Per markk@ it
>> expires in a week, which means anyone that gains access to that browser
>> session will be able to effect changes.  Given that we've added more, not
>> less, critical infrastructure impacting functionality to ARIN online, the
>> security requirements should be stricter.
>>
>>
>>
>> Historically, NIST explicitly recommended AGAINST using SMS as 2FA, going
>> all the way back to 2016.
>>
>>  "*Due to the risk that SMS messages or voice calls may be intercepted
>> or redirected, implementers of new systems SHOULD carefully consider
>> alternative authenticators. If the out-of-band verification is to be made
>> using the public switched telephone network (PSTN), the verifier SHALL
>> verify that the pre-registered telephone number being used is not
>> associated with a VoIP (or other software-based) service. It then sends the
>> SMS or voice message to the pre-registered telephone number. Changing the
>> pre-registered telephone number SHALL NOT be possible without two-factor
>> authentication at the time of the change." *
>>
>>
>>
>> SMS based 2FA hasn't really gotten any better over the years.  I would
>> not be in support of expanding the functionality of SMS 2FA.   Similarly, I
>> would not support the use of email as 2FA either.
>>
>>
>>
>> Tangentially related, what percentage of accounts do you think have a
>> single human poc?
>>
>>
>>
>>  --Heather
>>
>>
>>
>> On Tue, Jan 24, 2023 at 1:54 PM ARIN <info at arin.net> wrote:
>>
>> On 1 November 2022, ARIN  announced that we will require two-factor
>> authentication (2FA) on all ARIN Online accounts beginning 1 February
>> 2023. ARIN currently has three options for customers to set up 2FA on their
>> ARIN Online accounts:
>>
>> - Time-based One-time Password (TOTP) using an authenticator of your
>> choice
>> - Short Message Service (SMS) for customers within the ARIN service region
>> - FIDO2/Passkey-enabled Security Key
>>
>> Please note: Voice 2FA is not currently available for new 2FA
>> activations; it is still available to those customers who already have that
>> method set up on their accounts.
>>
>> Following the announcement of the planned enforcement date of 1 February
>> 2023, we received several suggestions for further expansion of our
>> authentication offerings, including:
>>
>> - Allowing email as an authentication method
>> - Enabling SMS support for customers who reside outside of the ARIN
>> service region
>> - Allowing registration of multiple hardware security keys.
>>
>> We are seeking community feedback on these suggestions as well as
>> additional input on our 2FA options. Specifically:
>>
>> 1. Would you support ARIN offering email as an additional 2FA method?
>>
>> 2. Given that 13% of web user accounts list phone numbers outside the
>> ARIN service region, should we widen the availability of SMS, or are the
>> other offered 2FA options sufficient to meet the needs of these users?
>>
>> 3. We agree that users should be allowed to register multiple hardware
>> security keys. The question is: What is the optimal number of keys that
>> should be allowed to be registered?
>>
>> The feedback you provide during this consultation will help us decide the
>> path forward regarding our 2FA options for ARIN Online. Thank you for your
>> participation in the ARIN Consultation and Suggestion Process.
>>
>> Please provide comments to arin-consult at arin.net. You can subscribe to
>> this mailing list at:
>> https://lists.arin.net/mailman/listinfo/arin-consult
>>
>> This consultation will remain open through 5:00 PM ET on 7 February 2023.
>>
>> Regards,
>>
>> John Curran
>> President and CEO
>> American Registry for Internet Numbers (ARIN)
>>
>> Helpful Resources:
>>
>> Consultation:
>> https://www.arin.net/participate/community/acsp/consultations/2023/2023-1/
>> Two-Factor
>> <https://www.arin.net/participate/community/acsp/consultations/2023/2023-1/Two-Factor>
>> Authentication at ARIN: https://arin.net/2FA
>>
>>
>> _______________________________________________
>> ARIN-Consult
>> You are receiving this message because you are subscribed to the ARIN
>> Consult Mailing
>> List (ARIN-consult at arin.net).
>> Unsubscribe or manage your mailing list subscription at:
>> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the
>> ARIN Member Services
>> Help Desk at info at arin.net if you experience any issues.
>>
>> _______________________________________________
>> ARIN-Consult
>> You are receiving this message because you are subscribed to the ARIN
>> Consult Mailing
>> List (ARIN-consult at arin.net).
>> Unsubscribe or manage your mailing list subscription at:
>> https://lists.arin.net/mailman/listinfo/arin-consult Please contact the
>> ARIN Member Services
>> Help Desk at info at arin.net if you experience any issues.
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-consult/attachments/20230124/af9206f3/attachment.htm>

More information about the ARIN-consult mailing list