[ARIN-consult] [ARIN-Consult] Consultation on Expanding 2FA Options for ARIN Online

Ross Tajvar ross at tajvar.io
Tue Jan 24 15:51:11 EST 2023


On the topic of hypothetical compromise - my ARIN account hasn't been
compromised, but other accounts protected with SMS 2FA have been. I have
had money stolen via that vector. So it's a real concern for me. Maybe
*my* ARIN account isn't valuable enough to hack, but my employer's is.

I don't think we should disregard real attack vectors that definitely do
happen in the real world just because they're uncommon and the mitigations
are inconvenient to some people. I also acknowledge the importance of
disability accommodation; however, I doubt that disallowing email (or SMS)
2FA would be an issue there (though I welcome a correction if I'm wrong).

On Tue, Jan 24, 2023 at 3:36 PM Adam Thompson <athompso at athompso.net> wrote:

> Since I have a nearly magical ability to damage every authentication
> device I've ever been issued (including my phone - this one has lasted over
> a year, which I think is a record), I'm highly doubtful of any scheme that
> *assumes* any authenticator is durable.  I would like a *minimum* of 3
> active - one in my pocket, one in a locked drawer at work, one in a secure
> spot at home or in my car or somewhere else.
>
> Double + 1 that number to account for rollover, and I'll already want to
> have up to 7 registered at times, for any account that's super-critical.
>
> Yes, that's about how many copies of physical keys for locks that I like
> to get made, because I lose those, too.
>
> Could I live with a limit of 10? Yeah, probably.
>
> Which is more important: keeping bad actors out, or letting authorized
> users in?
>
> All I'm hearing during this discussion is protecting accounts against
> hypothetical compromise (with IIRC no evidence this has ever happened, or
> any negative outcome has occurred previously) with no consideration of
> people who have unusual needs.
>
> (Some of those needs, definitely not all, are referred to in American law
> as "disabilities", btw.  I hope someone at ARIN has thought about how the
> proposed 2FA scheme complies with the ADA?)
>
> -Adam
>
> ------------------------------
> *From:* ARIN-consult <arin-consult-bounces at arin.net> on behalf of Richard
> Laager <rlaager at wiktel.com>
> *Sent:* Tuesday, January 24, 2023 2:22:43 PM
> *To:* arin-consult at arin.net <arin-consult at arin.net>
> *Subject:* Re: [ARIN-consult] [ARIN-Consult] Consultation on Expanding
> 2FA Options for ARIN Online
>
> On 1/24/23 12:56, Adam Thompson wrote:
>
> Why on earth would you set a hard-coded limit?  It's not like an additional database table is expensive.
>
> While, in general, I understand this sentiment (real world cardinality is
> usually: 1, 2, or many), I do see two counterpoints. Even speaking in
> general, it is sometimes useful to define a limit for testing purposes. If
> you say, "We support 5", then you are hopefully actually testing 5.
>
> In this particular situation, I think the following argument is even more
> relevant:
>
> On 1/24/23 14:02, Tim Lyons via ARIN-consult wrote:
>
> In terms of allowing the registration of multiple hardware security keys,
> I suggest allowing a maximum of 3 keys to be registered. This provides
> backup options in case a user loses or misplaces their primary key but
> encourages users to be cognizant of deleting old keys that have been lost
> or become non-functional.
>
> --
> Richard