[ARIN-consult] Consultation on Expanding 2FA Options for ARIN Online

Roman Tatarnikov roman at intlos.org
Wed Jan 25 11:31:45 EST 2023


Seeing all this discussion about YubiKeys and who should cover the cost, I suspect my email from yesterday got lost. Anyway, here it is (as well as some additional comments at the end):

> On Tue, Jan 24, 2023 at 01:39:21PM -0800, Chris Woodfield wrote:
> > Would requiring TOTP/FIDO (and not allowing SMS) be more palatable if ARIN were able/willing to furnish yubikeys (or alternate authenticators) to users free of charge? I don’t know what these cost in bulk nowadays, but it’s probably right on the edge of reasonable for this use case.
> 
> TOTP itself does not require hardware. It's always possible to use LastPass or some other password manager (the open source https://keepassxc.org/ is great). So it can be completely free, or the organization can cover the cost of hardware keys. No need for ARIN to pick up the bill.
> 
> 
> Looking at the emails in this thread, everyone says how insecure SMS and email options are. I agree completely, but what's important to keep in mind is why those options are provided by different providers. Google, MS, banks, etc. - they are aimed at a wide audience that may not necessarily be tech-savvy. People who manage important and highly confidential information should have no problem using a password manager. Providing SMS, email or other insecure options to people who manage such records (aka anyone with an ARIN account), just because they are "not tech savvy", is a poor excuse. Yes, we have to think of the community, but holding back said community from advancement is a disservice to the very group we're talking about.
> 
> I think TOTP, U2F and FIDO2 are great protocols for supporting 2FA. What we need to do as a community is ensure that there are articles, manuals, and guides on how those can be used and why. This way, all members of our community, both those who are and are not familiar with these options, can advance. And we should also make sure to promote and educate those around us.

YubiKey itself is a product provided by a single vendor. We should not talk about it as the only possible option at all. There are other vendors out there that support those standards: https://en.wikipedia.org/wiki/FIDO_Alliance

Now, as for TOTP itself, it's another open standard that is available to everyone: https://en.wikipedia.org/wiki/Time-based_one-time_password You can use it with ``oathtool`` in the Linux CLI, and you can use it in different password managers (LastPass, https://keepassxc.org/, etc. Here's a list, for example: https://www.wired.com/story/best-password-managers/). Installing a piece of software and saving a code in it should not be a problem.

And if it is a problem and "we're forcing a business decision" (as I saw in one email yesterday), we should also keep in mind that we're talking about securing communication channels or access to their governing body. A very crucial fabric that our society relies on. So saying that we should allow SMS, email and other insecure options is like saying that the government is restricting people's use of transportation by making everyone wear a seatbelt.

-- 
Roman V Tatarnikov | https://linkedin.com/in/rtatarnikov

