On Tue, Jan 3, 2023 at 11:59 AM John Curran <jcurran@arin.net> wrote:
FYI - ARIN Online now has FIDO2/Passkey as an option for two-factor authentication (2FA) - this is a noted priority for some organizations.
John - this is a great step forward! Kudos to the tech team who helped make the leap - it can be daunting. Some feedback, take or leave as you see fit, based on my scars: First, thanks specifically for the support for unique key names (you might be surprised at how many services don't!), and for the FIDO2 support of on-key PINs. Second, I'd like to second ;) - but go beyond - Job's feature request for multiple-key support, both in count and additional UX. Support for *more* than two keys is recommended, to fit a wider variety of use cases and threat/risk models (connector availability, shared/role accounts, offsite key backup, etc etc). From my survey of 50 providers of U2F / FIDO / FIDO2, key-count support ramps up quickly from one (PayPal - come on, y'all!), two (Bank of America), and five (AOL/Yahoo and Coinbase), with the rest supporting *ten or more keys* (and yes, higher key counts have use cases, though user experience degrades above ten keys). And when multiple key support is added, please consider some UX around managing the list of keys (like allowing the user to *modify* key names without having to delete and re-add them, showing the timestamp, IP, OS family / platform, etc. from where the key was last used). Great key UX examples to emulate in this space include Dropbox and Google. (And showing the IP's ASN would be a uniquely ARIN twist. :D ) Third, please consider allowing a mix of authenticators (instead of the current exclusive choice among TOTP, FIDO2, and SMS). While it will be excellent to allow users to *eventually* opt into exclusive use of security keys (as with Google's Advanced Protection Program) ... doing so with a *single* key unacceptably shifts the risk model for some users. A mix allows users to manage their risk model directly, often by voluntarily using FIDO2 first to get the phishing resistance / origin verification of FIDO2, but mitigating single-key risk with fallback to TOTP (which may be more fluidly available than the 2FA recovery codes, etc.). But the hardest part - going from zero keys to any - is already done. Really appreciate it! Royce