<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><speaking_for_myself.disclaimer><br class=""><div><br class=""></div><div>If given the choice between an SMS-based second factor and no second factor at all, which would you choose? </div><div><br class=""></div><div>I agree that SMS is the weakest form of 2FA of the options being considered, and I would not be happy with a system that only supported it and did not support TOTP or FIDO2. I would find it highly unlikely, however, that requiring 2FA for logins and *not* allowing SMS as an option will prove a successful approach - it’s Just Complex Enough that I can see a far-too-large segment of ARIN’s user base requiring quite a bit of support to enable it. </div><div><br class=""></div><div>-C</div><div><br class=""><blockquote type="cite" class=""><div class="">On May 24, 2022, at 12:23 PM, Max Krivanek via ARIN-consult <<a href="mailto:arin-consult@arin.net" class="">arin-consult@arin.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="">Hi,</div><div class=""><br class=""></div><div class="">I find SMS highly insecure since it can be intercepted (it goes across the system in plain text, similar to HTTP) and there is also SIM hijacking. This article by Krebs goes into more detail on why it's insecure.<br class=""><a href="https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/" class="">https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now/</a><br class=""><br class=""></div><div class="">The fact that major financial institutions use it is a detriment to them, as TOTP or FIDO2 are way more secure. But this is where reality hits the road. 
Most people will not want to set up TOTP or FIDO2, but as long as those of us who are more security-minded can make sure SMS, or the phone number in general, cannot be used for authentication purposes, I would be fine with including it as a stopgap.<br class=""></div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, May 24, 2022 at 1:59 PM Richard Laager <<a href="mailto:rlaager@wiktel.com" class="">rlaager@wiktel.com</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I believe ARIN absolutely should require 2FA. Your actual experience with dictionary attacks confirms that.<br class="">
<br class="">
SMS 2FA seems like a pragmatic compromise. I’m aware that SMS is generally considered a less secure 2nd factor, but: 1) I’m not sure how much less secure it really is. It obviously cannot be worse than a password alone. 2) Major financial institutions seem okay with it. 3) It might be necessary in practice to get people to turn on / accept 2FA.<br class="">
<br class="">
You will have to think hard about recovery procedures. They will become the weak link in the security.<br class="">
<br class="">
-- <br class="">
Richard<br class="">
_______________________________________________<br class="">
ARIN-Consult<br class="">
You are receiving this message because you are subscribed to the ARIN Consult Mailing<br class="">
List (<a href="mailto:ARIN-consult@arin.net" target="_blank" class="">ARIN-consult@arin.net</a>).<br class="">
Unsubscribe or manage your mailing list subscription at:<br class="">
<a href="https://lists.arin.net/mailman/listinfo/arin-consult" rel="noreferrer" target="_blank" class="">https://lists.arin.net/mailman/listinfo/arin-consult</a> Please contact the ARIN Member Services<br class="">
Help Desk at <a href="mailto:info@arin.net" target="_blank" class="">info@arin.net</a> if you experience any issues.<br class="">
</blockquote></div><br clear="all" class=""><br class="">-- <br class=""><div dir="ltr" class="gmail_signature"><div dir="ltr" class=""><span style="color:rgb(153,153,153)" class="">Max Krivanek</span><br style="color:rgb(153,153,153)" class=""><font color="#888888" class=""><span style="color:rgb(153,153,153)" class="">Managing Member</span><br class=""><a style="font-family:arial,helvetica,sans-serif" href="http://www.codingdirect.com/" target="_blank" class=""><span style="color:rgb(0,153,0)" class="">Coding</span><b style="color:rgb(153,153,153)" class="">Direct</b></a><br class="">
<br class="">Phone: (682) 232-4867<a value="+18176015553" class=""></a></font><br class=""></div></div>
</div></blockquote></div><br class=""></body></html>