Very interesting news. Improving online security is a win and this sounds promising.


Never having used FIDO2 for anything I am left, probably not uniquely, in the dark for hardware device support. The only link I found on the ARIN website for "hardware keys" was a link to another ARIN page, which as of the time I am writing this email, results in a 404.


The page with the link to supported hardware key details near the bottom @ https://www.arin.net/reference/materials/security/2fa/2fafaq/

The referenced hardware key details page that is 404 @ https://www.arin.net/reference/materials/security/wfa/fido2


I searched generally online for FIDO2 hardware keys and found a lot choices out there. Are all hardware keys the same? Will all hardware keys work with ARIN Online? I realize this is a brand new offering from ARIN so I am not upset that there is little data of the sort I am looking for right now but I would suggest ARIN get some better hardware key information on their website for people who are curious about but have little or no experience with FIDO2 and hardware components. After reading this https://en.wikipedia.org/wiki/FIDO2_Project I am wondering, can I simply use a smartphone itself as the hardware token to log into ARIN Online? Is there an app needed to do this?

I then discovered this FIDO2 keys page from online searching: https://www.yubico.com/store/compare/ which seems like one of many pretty popular key makers.
I assume there are possible risks affiliated with buying unknown hardware devices and plugging them into our trusted computer systems: key loggers, data exfiltration, trojan/malware infections, etc. There are even SFPs with built in switches or ones running Linux within the SFP itself able to do packet captures and all sorts of fun stuff. All the more reason I would appreciate a list/suggestion of well trusted hardware token makers. I did find this on Microsoft's website that seems like an easy to digest breakdown of some key makers: https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-key-providers

Is FIDO2 just another industry buzzword? Am I the last one on NANOG to get into FIDO2 and therefore I am just asking a bunch of moronic questions? I rather think not and this time it seems like it may be worth getting buzzword compliant.

I realize it is not the job of ARIN to educate its customer base on the ins and outs of FIDO2 but I think a little extra working information would be quite helpful going forward.

Thanks to ARIN for implementing this, thanks to those that have pushed for the deployment of this protocol, and thanks to those that will respond kindly to me in my ignorance on this topic!!


-Justin



From: NANOG <nanog-bounces+jkrejci=usinternet.com@nanog.org> on behalf of Royce Williams <royce@techsolvency.com>
Sent: Tuesday, January 3, 2023 5:20 PM
To: John Curran
Cc: NANOG
Subject: Re: FIDO2/Passkey now supported for 2FA for ARIN Online (was: Fwd: [arin-announce] New Features Added to ARIN Online)
 
On Tue, Jan 3, 2023 at 11:59 AM John Curran <jcurran@arin.net> wrote:
FYI - ARIN Online now has FIDO2/Passkey as an option for two-factor authentication (2FA) - this is a noted priority for some organizations.

John - this is a great step forward! Kudos to the tech team who helped make the leap - it can be daunting. 

Some feedback, take or leave as you see fit, based on my scars:

First, thanks specifically for the support for unique key names (you might be surprised at how many services don't!), and for the FIDO2 support of on-key PINs.

Second, I'd like to second ;) - but go beyond - Job's feature request for multiple-key support, both in count and additional UX. Support for *more* than two keys is recommended, to fit a wider variety of use cases and threat/risk models (connector availability, shared/role accounts, offsite key backup, etc etc). From my survey of 50 providers of U2F / FIDO / FIDO2, key-count support ramps up quickly from one (PayPal - come on, y'all!), two (Bank of America), and five (AOL/Yahoo and Coinbase), with the rest supporting *ten or more keys* (and yes, higher key counts have use cases, though user experience degrades above ten keys). And when multiple key support is added, please consider some UX around managing the list of keys (like allowing the user to *modify* key names without having to delete and re-add them, showing the timestamp, IP, OS family / platform, etc. from where the key was last used). Great key UX examples to emulate in this space include Dropbox and Google. (And showing the IP's ASN would be a uniquely ARIN twist. :D )

Third, please consider allowing a mix of authenticators (instead of the current exclusive choice among TOTP, FIDO2, and SMS). While it will be excellent to allow users to *eventually* opt into exclusive use of security keys (as with Google's Advanced Protection Program) ... doing so with a *single* key unacceptably shifts the risk model for some users. A mix allows users to manage their risk model directly, often by voluntarily using FIDO2 first to get the phishing resistance / origin verification of FIDO2, but mitigating single-key risk with fallback to TOTP (which may be more fluidly available than the 2FA recovery codes, etc.).

But the hardest part - going from zero keys to any - is already done. Really appreciate it!

Royce