FIDO2/Passkey now supported for 2FA for ARIN Online (was: Fwd: [arin-announce] New Features Added to ARIN Online)
NANOGers - FYI - ARIN Online now has FIDO2/Passkey as an option for two-factor authentication (2FA) - this is a noted priority for some organizations. FYI, /John John Curran President and CEO American Registry for Internet Numbers Begin forwarded message: From: ARIN <info@arin.net> Subject: [arin-announce] New Features Added to ARIN Online Date: January 3, 2023 at 3:25:35 PM EST To: "arin-announce@arin.net" <arin-announce@arin.net> ARIN is pleased to present the latest version of ARIN Online, including improvements, new features, and updates. Full release notes are included at the end of this message. All ARIN systems have been restored and are now operating normally. We thank you for your patience. If you have additional questions, comments, or issues, please submit an Ask ARIN ticket using your ARIN Online account or contact the Registration Services Help Desk by phone Monday through Friday, 7:00 AM to 7:00 PM ET at +1.703.227.0660. Regards, Mark Kosters Chief Technology Officer American Registry for Internet Numbers (ARIN) ---------------------------- Release Notes - We have added FIDO2/Passkey as an option for two-factor authentication (2FA). This version of 2FA allows the use of a FIDO2-enabled hardware security key. - We have improved the security of how ARIN Online handles your API Keys. Users will now only be shown their full API Key once at creation time, after which it will only be identifiable by its prefix. - We have enhanced payment processing in ARIN Online, including the addition of an option to pay by eCheck. - ARIN Online will begin applying a Transfer Processing Fee to transfer requests. - We have made stylistic updates in the mobile version of ARIN Online to provide a more consistent experience across devices and operating systems. _
Dear John, On Tue, Jan 03, 2023 at 08:57:47PM +0000, John Curran wrote:
NANOGers -
FYI - ARIN Online now has FIDO2/Passkey as an option for two-factor authentication (2FA) - this is a noted priority for some organizations.
Thank you for sharing this wonderful news! I tried the new shiny thing, it was very easy to switch from TOPT to FIDO2. A feature request: it would be nice if (at least) two FIDO2 Security Keys can be associated to a single account. I like having a spare key with traveling and all. :-) Kind regards, Job
Job - Yes, we’ve heard that request (support for multiple FIDO2 security keys) and it’s on the list… We’ve got to catch up in some other areas but it won’t be forgotten. Thanks! /John John Curran President and CEO American Registry for Internet Numbers
On Jan 3, 2023, at 4:10 PM, Job Snijders via NANOG <nanog@nanog.org> wrote:
Dear John,
On Tue, Jan 03, 2023 at 08:57:47PM +0000, John Curran wrote:
NANOGers -
FYI - ARIN Online now has FIDO2/Passkey as an option for two-factor authentication (2FA) - this is a noted priority for some organizations.
Thank you for sharing this wonderful news! I tried the new shiny thing, it was very easy to switch from TOPT to FIDO2.
A feature request: it would be nice if (at least) two FIDO2 Security Keys can be associated to a single account. I like having a spare key with traveling and all. :-)
Kind regards,
Job
On Tue, Jan 3, 2023 at 11:59 AM John Curran <jcurran@arin.net> wrote:
FYI - ARIN Online now has FIDO2/Passkey as an option for two-factor authentication (2FA) - this is a noted priority for some organizations.
John - this is a great step forward! Kudos to the tech team who helped make the leap - it can be daunting. Some feedback, take or leave as you see fit, based on my scars: First, thanks specifically for the support for unique key names (you might be surprised at how many services don't!), and for the FIDO2 support of on-key PINs. Second, I'd like to second ;) - but go beyond - Job's feature request for multiple-key support, both in count and additional UX. Support for *more* than two keys is recommended, to fit a wider variety of use cases and threat/risk models (connector availability, shared/role accounts, offsite key backup, etc etc). From my survey of 50 providers of U2F / FIDO / FIDO2, key-count support ramps up quickly from one (PayPal - come on, y'all!), two (Bank of America), and five (AOL/Yahoo and Coinbase), with the rest supporting *ten or more keys* (and yes, higher key counts have use cases, though user experience degrades above ten keys). And when multiple key support is added, please consider some UX around managing the list of keys (like allowing the user to *modify* key names without having to delete and re-add them, showing the timestamp, IP, OS family / platform, etc. from where the key was last used). Great key UX examples to emulate in this space include Dropbox and Google. (And showing the IP's ASN would be a uniquely ARIN twist. :D ) Third, please consider allowing a mix of authenticators (instead of the current exclusive choice among TOTP, FIDO2, and SMS). While it will be excellent to allow users to *eventually* opt into exclusive use of security keys (as with Google's Advanced Protection Program) ... doing so with a *single* key unacceptably shifts the risk model for some users. A mix allows users to manage their risk model directly, often by voluntarily using FIDO2 first to get the phishing resistance / origin verification of FIDO2, but mitigating single-key risk with fallback to TOTP (which may be more fluidly available than the 2FA recovery codes, etc.). But the hardest part - going from zero keys to any - is already done. Really appreciate it! Royce
Very interesting news. Improving online security is a win and this sounds promising. Never having used FIDO2 for anything I am left, probably not uniquely, in the dark for hardware device support. The only link I found on the ARIN website for "hardware keys" was a link to another ARIN page, which as of the time I am writing this email, results in a 404. The page with the link to supported hardware key details near the bottom @ https://www.arin.net/reference/materials/security/2fa/2fafaq/ The referenced hardware key details page that is 404 @ https://www.arin.net/reference/materials/security/wfa/fido2 I searched generally online for FIDO2 hardware keys and found a lot choices out there. Are all hardware keys the same? Will all hardware keys work with ARIN Online? I realize this is a brand new offering from ARIN so I am not upset that there is little data of the sort I am looking for right now but I would suggest ARIN get some better hardware key information on their website for people who are curious about but have little or no experience with FIDO2 and hardware components. After reading this https://en.wikipedia.org/wiki/FIDO2_Project I am wondering, can I simply use a smartphone itself as the hardware token to log into ARIN Online? Is there an app needed to do this? I then discovered this FIDO2 keys page from online searching: https://www.yubico.com/store/compare/ which seems like one of many pretty popular key makers. I assume there are possible risks affiliated with buying unknown hardware devices and plugging them into our trusted computer systems: key loggers, data exfiltration, trojan/malware infections, etc. There are even SFPs with built in switches or ones running Linux within the SFP itself able to do packet captures and all sorts of fun stuff. All the more reason I would appreciate a list/suggestion of well trusted hardware token makers. I did find this on Microsoft's website that seems like an easy to digest breakdown of some key makers: https://learn.microsoft.com/en-us/azure/active-directory/authentication/conc... Is FIDO2 just another industry buzzword? Am I the last one on NANOG to get into FIDO2 and therefore I am just asking a bunch of moronic questions? I rather think not and this time it seems like it may be worth getting buzzword compliant. I realize it is not the job of ARIN to educate its customer base on the ins and outs of FIDO2 but I think a little extra working information would be quite helpful going forward. <https://www.yubico.com/store/compare/>Thanks to ARIN for implementing this, thanks to those that have pushed for the deployment of this protocol, and thanks to those that will respond kindly to me in my ignorance on this topic!! -Justin ________________________________ From: NANOG <nanog-bounces+jkrejci=usinternet.com@nanog.org> on behalf of Royce Williams <royce@techsolvency.com> Sent: Tuesday, January 3, 2023 5:20 PM To: John Curran Cc: NANOG Subject: Re: FIDO2/Passkey now supported for 2FA for ARIN Online (was: Fwd: [arin-announce] New Features Added to ARIN Online) On Tue, Jan 3, 2023 at 11:59 AM John Curran <jcurran@arin.net<mailto:jcurran@arin.net>> wrote: FYI - ARIN Online now has FIDO2/Passkey as an option for two-factor authentication (2FA) - this is a noted priority for some organizations. John - this is a great step forward! Kudos to the tech team who helped make the leap - it can be daunting. Some feedback, take or leave as you see fit, based on my scars: First, thanks specifically for the support for unique key names (you might be surprised at how many services don't!), and for the FIDO2 support of on-key PINs. Second, I'd like to second ;) - but go beyond - Job's feature request for multiple-key support, both in count and additional UX. Support for *more* than two keys is recommended, to fit a wider variety of use cases and threat/risk models (connector availability, shared/role accounts, offsite key backup, etc etc). From my survey of 50 providers of U2F / FIDO / FIDO2, key-count support ramps up quickly from one (PayPal - come on, y'all!), two (Bank of America), and five (AOL/Yahoo and Coinbase), with the rest supporting *ten or more keys* (and yes, higher key counts have use cases, though user experience degrades above ten keys). And when multiple key support is added, please consider some UX around managing the list of keys (like allowing the user to *modify* key names without having to delete and re-add them, showing the timestamp, IP, OS family / platform, etc. from where the key was last used). Great key UX examples to emulate in this space include Dropbox and Google. (And showing the IP's ASN would be a uniquely ARIN twist. :D ) Third, please consider allowing a mix of authenticators (instead of the current exclusive choice among TOTP, FIDO2, and SMS). While it will be excellent to allow users to *eventually* opt into exclusive use of security keys (as with Google's Advanced Protection Program) ... doing so with a *single* key unacceptably shifts the risk model for some users. A mix allows users to manage their risk model directly, often by voluntarily using FIDO2 first to get the phishing resistance / origin verification of FIDO2, but mitigating single-key risk with fallback to TOTP (which may be more fluidly available than the 2FA recovery codes, etc.). But the hardest part - going from zero keys to any - is already done. Really appreciate it! Royce
participants (4)
-
Job Snijders
-
John Curran
-
Justin Krejci
-
Royce Williams