FYI - 2FA to become mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts)
NANOGers -

A consultation opened today on potentially requiring use of 2-factor authentication to log in to ARIN Online – this would take place once SMS 2FA is deployed. If you think that this is: a) a great idea, b) a bad idea, c) anything else, then feel free to subscribe to the arin-consult mailing list (open to all at http://lists.arin.net/mailman/listinfo/arin-consult) and provide your feedback.

Best wishes,
/John

John Curran
President and CEO
American Registry for Internet Numbers

Begin forwarded message:

From: ARIN <info@arin.net>
Subject: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts
Date: 24 May 2022 at 12:45:48 PM EDT
To: "arin-announce@arin.net" <arin-announce@arin.net>

**Background**

In 2015, ARIN deployed a Time-Based One-Time Password (TOTP) implementation of Two-Factor Authentication (2FA). Since the time of implementing that login security feature, 3.2 percent of ARIN Online users have opted to use 2FA with their accounts.

Since October 2020, the ARIN Online system has been subject to a series of dictionary-based password guessing attacks. In March of 2021, we conducted ACSP Consultation 2021.2: Password Security for ARIN Online Accounts (https://www.arin.net/participate/community/acsp/consultations/2021/2021-2/) on proposed improvements to increase account security. This consultation resulted in an agreement to move forward with several improvements that have subsequently been deployed. However, we continue to see frequent attacks on our log-in systems, and ARIN staff continues to be heavily engaged in mitigating these attacks. Accounts not using 2FA are susceptible to these attacks. We recently updated the community on this topic during ARIN 49 held in Nashville and online in April. You can review this information from the ARIN 49 Meeting Report (https://www.arin.net/participate/meetings/ARIN49/) by looking for the presentation titled “Brute Force Login Attacks”.

It is our intention to make 2FA mandatory for all existing and new ARIN Online accounts going forward. The security of ARIN Online accounts is paramount to the success of the registry, and we do not believe it is tenable to continue without making 2FA required for all ARIN Online accounts.

We are currently developing a second method of 2FA use with ARIN Online to add to our long-deployed TOTP implementation. In the coming months, we will deploy a Short Message Service (SMS) 2FA implementation, thereby adding a second 2FA option for ARIN Online users. At that time, users will be able to choose between two types of 2FA – SMS and TOTP. Adoption of TOTP 2FA has been limited in part due to perceived complexity, and the addition of SMS-based 2FA will provide a second option that is easier to use for many customers – and provide much more protection than the simple username-password condition of many ARIN Online user accounts today. (ARIN also plans on adding support for a third 2FA option in the future – Fast Identity Online 2 (FIDO2) – in response to community suggestions, but we do not believe it is prudent to delay requiring 2FA on ARIN Online accounts until that third option becomes available.)

**Requiring 2FA For ARIN Online Accounts**

By requiring 2FA for ARIN Online accounts that control number resources, the ARIN community should see stronger security for the registry, reduced risk of account fraud attempts, and increased confidence in the integrity of their ARIN resources.

ARIN intends to require 2FA for all ARIN Online accounts shortly after SMS-based 2FA authentication is generally available. We are seeking confirmation from the ARIN community regarding this plan, and ask the following consultation question:

-------------------
Once SMS-based two-factor authentication (2FA) is available for ARIN Online, do you believe ARIN *should not* proceed with requiring 2FA authentication (SMS-based or TOTP) for all ARIN Online accounts? If so, why?
-------------------

The feedback you provide during this consultation will help form our path forward to increasing the security of ARIN Online for all customers. Thank you for your participation in the ARIN Consultation and Suggestion Process. Please provide comments to arin-consult@arin.net. You can subscribe to this mailing list at: http://lists.arin.net/mailman/listinfo/arin-consult

This consultation will remain open through 5:00 PM ET on 24 June 2022.

Regards,
John Curran
President and CEO
American Registry for Internet Numbers (ARIN)

_______________________________________________
ARIN-Announce
You are receiving this message because you are subscribed to the ARIN Announce Mailing List (ARIN-announce@arin.net). Unsubscribe or manage your mailing list subscription at: https://lists.arin.net/mailman/listinfo/arin-announce
Please contact info@arin.net if you experience any issues.
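The announcement above describes dictionary-based password guessing against login systems and notes that accounts without a second factor are the ones exposed to it. The following is an added illustration, not ARIN's code or anything from this thread: it runs a simple detector over a few constructed auth-log lines (the log format, IP addresses, user names and the 2FA enrollment set are all invented for the example), flags sources whose failures look like a dictionary attack on one account or a spray across many, and lists which of the targeted accounts have no second factor enrolled.

```python
"""Added example (not ARIN's code): flag dictionary-style login attacks in
constructed auth-log lines and report which targeted accounts lack 2FA."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; assumed format: "<ISO timestamp> <src-ip> <user> <result>"
SAMPLE_LOG = """\
2022-05-24T12:00:01Z 203.0.113.7 alice fail
2022-05-24T12:00:02Z 203.0.113.7 alice fail
2022-05-24T12:00:03Z 203.0.113.7 alice fail
2022-05-24T12:00:04Z 203.0.113.7 alice fail
2022-05-24T12:00:05Z 203.0.113.7 alice fail
2022-05-24T12:00:06Z 203.0.113.7 alice fail
2022-05-24T12:00:07Z 203.0.113.7 alice success
2022-05-24T12:01:00Z 198.51.100.9 bob fail
2022-05-24T12:01:01Z 198.51.100.9 carol fail
2022-05-24T12:01:02Z 198.51.100.9 dave fail
2022-05-24T12:01:03Z 198.51.100.9 erin fail
2022-05-24T12:01:04Z 198.51.100.9 frank fail
2022-05-24T12:05:00Z 192.0.2.44 bob fail
2022-05-24T12:05:30Z 192.0.2.44 bob success
"""

# Constructed enrollment data: accounts that have a second factor enabled.
TWO_FACTOR_ENROLLED = {"carol"}


def parse_log(text):
    """Parse log lines into (timestamp, source, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return events


def find_attack_sources(events, window=timedelta(minutes=5),
                        fail_threshold=5, user_threshold=4):
    """Return {source: reason} for sources whose failures inside `window` look
    like a dictionary attack on one account ("dictionary": many failures for a
    single user) or a password spray ("spray": failures across many users)."""
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "fail":
            fails_by_src[src].append((ts, user))

    flagged = {}
    for src, fails in fails_by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            in_window = fails[start:end + 1]
            users = {u for _, u in in_window}
            if len(in_window) >= fail_threshold and len(users) == 1:
                flagged[src] = "dictionary"
                break
            if len(users) >= user_threshold:
                flagged[src] = "spray"
                break
    return flagged


def exposed_accounts(events, flagged, enrolled=TWO_FACTOR_ENROLLED):
    """Accounts targeted by a flagged source that have no second factor: a
    correctly guessed password alone is enough to take these over."""
    targeted = {user for _, src, user, _ in events if src in flagged}
    return sorted(targeted - enrolled)


def successful_logins_from_flagged(events, flagged):
    """(source, user) pairs where a flagged source eventually logged in; these
    warrant a password reset and a look at what the session did."""
    return sorted({(src, user) for _, src, user, result in events
                   if src in flagged and result == "success"})


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    hits = find_attack_sources(ev)
    print("flagged sources:", hits)
    print("targeted accounts without 2FA:", exposed_accounts(ev, hits))
    print("successful logins from flagged sources:", successful_logins_from_flagged(ev, hits))
```

On the constructed input, 203.0.113.7 is flagged as a dictionary attack on alice (six failures in six seconds, then a success), 198.51.100.9 as a spray across five accounts, and 192.0.2.44 is not flagged at all, since one failure followed by a success is what a typo looks like. The thresholds are assumptions to tune against real traffic; the point is that the "exposed" list is exactly the set the announcement is worried about.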
It's 2022. Do we really still need a consultation on why mandatory 2FA is a good thing? Even more so for something like ARIN?

------- Original Message -------
On Tuesday, May 24th, 2022 at 19:28, John Curran <jcurran@arin.net> wrote:
NANOGers -

A consultation opened today on potentially requiring use of 2-factor authentication to log in to ARIN Online – this would take place once SMS 2FA is deployed. If you think that this is: a) a great idea, b) a bad idea, c) anything else, then feel free to subscribe to the arin-consult mailing list (open to all at http://lists.arin.net/mailman/listinfo/arin-consult) and provide your feedback.

Best wishes,
/John

John Curran
President and CEO
American Registry for Internet Numbers
On Tue, May 24, 2022 at 3:21 PM Laura Smith via NANOG <nanog@nanog.org> wrote:
It's 2022. Do we really still need a consultation on why mandatory 2FA is a good thing? Even more so for something like ARIN?
While it's probably obvious to most of us that mandatory 2fa is a good thing, I think it should be likewise clear that community consultation is also a very good thing as a general practice for changes such as this. A good example is that several folks in the context of this discussion on the ARIN-CONSULT list have voiced concerns related to SMS as the secondary method, and others of us have discussed options which may be superior for a variety of reasons.

- mdh

Matt Harris | VP of Infrastructure
FIDO2.

On Tue, May 24, 2022 at 1:32 PM Matt Harris <matt@netfire.net> wrote:
While it's probably obvious to most of us that mandatory 2fa is a good thing, I think it should be likewise clear that community consultation is also a very good thing as a general practice for changes such as this. A good example is that several folks in the context of this discussion on the ARIN-CONSULT list have voiced concerns related to SMS as the secondary method, and others of us have discussed options which may be superior for a variety of reasons.
- mdh
On Wed, 25 May 2022, Crist Clark wrote:
FIDO2
I'm in full support of ARIN implementing FIDO2 IN ADDITION TO TOTP 2FA.

For the uninitiated -- FIDO2 requires you to have one of the following in order for you to log into your ARIN account:
- A security key (like Yubikey): USB, NFC, Bluetooth
- A mobile device capable of biometric confirmation (FaceID, TouchID, etc)

FIDO2 does NOT support older browsers, text-based browsers, and generally non-mainstream modern devices.

Not to be confused with FIDO U2F, which is basically what TOTP 2FA is, just implemented differently.

Beckman

---------------------------------------------------------------------------
Peter Beckman                                                  Internet Guy
beckman@angryox.com                                 https://www.angryox.com/
---------------------------------------------------------------------------
On Fri, May 27, 2022, 9:55 PM Peter Beckman <beckman@angryox.com> wrote:
Not to be confused with FIDO U2F, which is basically what TOTP 2FA is, just implemented differently.
FIDO U2F is materially different from TOTP 2FA.

With TOTP, there is no cryptographic validation of the requester / server. A user can be fooled into providing a TOTP code to the wrong site, or via phishing, or by an attacker simply making repeated authentication requests in the middle of the night until the user gets exasperated and provides the code.

By contrast, even the original FIDO U2F spec authenticates the 'origin' - the server being authenticated *to*. I'm glossing over the details, but in essence, the browser compares the cryptographic signature, and if it doesn't match the expected origin, it won't complete the authentication.

It is this property that virtually eliminated an entire class of phishing at Google: https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employe...

TOTP does not have equivalent phishing resistance.

-- 
Royce
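To make the origin-binding point in the post above concrete, here is an added example that is not part of the thread and not any vendor's code. It implements RFC 6238 TOTP exactly (HMAC-SHA1, 30-second step) and then a deliberately simplified FIDO-style assertion in which the browser, not the page, records the origin inside the signed client data. The authenticator's ECDSA signature is replaced by an HMAC over the same fields so the block runs on the standard library alone; the credential secret, relying-party name, origins and challenge are all constructed placeholders. The contrast the code shows is on the verifier side: the TOTP check has no field that says which site the code was typed into, while the assertion check rejects anything whose recorded origin is not the one expected.

```python
"""Added example (not from the thread): a TOTP code is not bound to the site it
is typed into; a FIDO-style assertion carries the origin inside signed data.
The HMAC "signature" is a stand-in for the authenticator's ECDSA signature."""
import hashlib
import hmac
import json
import struct
import time


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (what authenticator apps compute)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_verify(secret: bytes, code: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side TOTP check. Note what is absent: nothing here identifies the
    page the user believed they were typing the code into."""
    for k in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(secret, unix_time + 30 * k), code):
            return True
    return False


def browser_make_assertion(cred_key: bytes, rp_id: str, page_origin: str, challenge: str) -> dict:
    """Simplified WebAuthn-style 'get' assertion. The browser fills in `origin`
    from the URL bar, so a look-alike page cannot claim to be the genuine one."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    signed = hashlib.sha256(rp_id.encode()).digest() + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).hexdigest()   # ECDSA stand-in
    return {"client_data": client_data, "rp_id": rp_id, "sig": sig}


def rp_verify_assertion(cred_key: bytes, expected_rp_id: str, expected_origin: str,
                        challenge: str, assertion: dict) -> bool:
    """Relying-party check: type, fresh challenge, origin, rpId, then signature."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:       # the phishing-resistance check
        return False
    if assertion["rp_id"] != expected_rp_id:
        return False
    signed = (hashlib.sha256(expected_rp_id.encode()).digest()
              + hashlib.sha256(assertion["client_data"]).digest())
    expected_sig = hmac.new(cred_key, signed, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["sig"])


def compare_factors(now: int) -> dict:
    """Run both checks in the 'code/assertion produced on a look-alike page' case."""
    secret = b"12345678901234567890"              # constructed TOTP seed
    code_typed_on_lookalike = totp(secret, now)   # the same digits wherever typed
    totp_relayed_ok = totp_verify(secret, code_typed_on_lookalike, now)

    cred_key = b"constructed-credential-secret"
    rp_id = "registry.example"                    # constructed relying party
    genuine = "https://registry.example"
    lookalike = "https://registry-login.example"
    challenge = "constructed-challenge-value"
    a_genuine = browser_make_assertion(cred_key, rp_id, genuine, challenge)
    a_lookalike = browser_make_assertion(cred_key, rp_id, lookalike, challenge)
    return {
        "totp_relayed_accepted": totp_relayed_ok,
        "fido_genuine_accepted": rp_verify_assertion(cred_key, rp_id, genuine, challenge, a_genuine),
        "fido_relayed_accepted": rp_verify_assertion(cred_key, rp_id, genuine, challenge, a_lookalike),
    }


if __name__ == "__main__":
    print(compare_factors(int(time.time())))
```

The TOTP half is checkable against the RFC 6238 test vectors (seed `12345678901234567890`, T=59 gives `94287082` at eight digits). Real WebAuthn adds more than is modelled here, in particular the browser refuses to use a credential whose rpId is not a registrable suffix of the page origin, so a look-alike domain never gets as far as producing the assertion; the origin comparison above is the relying party's own backstop for the same property.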
As a reminder - There could easily be some operational concerns resulting from making 2FA authentication mandatory of which we on the ARIN staff are not aware, so we conduct a consultation. Your voice can be part of that consultation, but again it’s taking place on arin-consult mailing list (open to all) – not here.

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers
* nanog@nanog.org (Laura Smith via NANOG) [Tue 24 May 2022, 22:22 CEST]:
It's 2022. Do we really still need a consultation on why mandatory 2FA is a good thing? Even more so for something like ARIN?

To many of us in 2022 it's clear that SMS 2FA isn't necessarily a good way to protect critical infrastructure, but apparently ARIN does need a consultation for that

-- Niels.
On 24 May 2022, at 4:39 PM, niels=nanog@bakker.net wrote:
* nanog@nanog.org (Laura Smith via NANOG) [Tue 24 May 2022, 22:22 CEST]:
It's 2022. Do we really still need a consultation on why mandatory 2FA is a good thing? Even more so for something like ARIN?
To many of us in 2022 it's clear that SMS 2FA isn't necessarily a good way to protect critical infrastructure, but apparently ARIN does need a consultation for that
Niels -

I can think of several reasons why "SMS 2FA isn't necessarily a good way to protect critical infrastructure”…

Of course, there’s also the point that requiring 2FA for everyone – even if just SMS – would still be a superior state of affairs than the present condition (wherein 97% of ARIN Online users rely on just a password, and this despite 2FA via TOTP being available for ARIN Online accounts for years…)

There could easily be some operational concerns resulting from making 2FA authentication mandatory of which we on the ARIN staff are not aware, so we conduct a consultation. Your voice can be part of that consultation, but again it’s taking place on arin-consult mailing list (open to all) – not here.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers
On 2022-05-24 16:22, John Curran wrote:
On 24 May 2022, at 4:39 PM, niels=nanog@bakker.net wrote:
* nanog@nanog.org (Laura Smith via NANOG) [Tue 24 May 2022, 22:22 CEST]:
It's 2022. Do we really still need a consultation on why mandatory 2FA is a good thing? Even more so for something like ARIN?

To many of us in 2022 it's clear that SMS 2FA isn't necessarily a good way to protect critical infrastructure, but apparently ARIN does need a consultation for that

Niels -
I can think of several reasons why "SMS 2FA isn't necessarily a good way to protect critical infrastructure”…
Of course, there’s also the point that requiring 2FA for everyone – even if just SMS – would still be a superior state of affairs than the present condition (wherein 97% of ARIN Online users rely on just a password, and this despite 2FA via TOTP being available for ARIN Online accounts for years…)

What about an optional additional second factor of sending out an email with digits to enter, or a link to confirm a login or some other critical operation?

There could easily be some operational concerns resulting from making 2FA authentication mandatory of which we on the ARIN staff are not aware, so we conduct a consultation. Your voice can be part of that consultation, but again it’s taking place on arin-consult mailing list (open to all) – not here.
Most services that implement 2FA using SMS and/or Email have been compromised multiple times. Services that implement 2FA using TOTP or even App-based Push Notifications have not.

If someone has your ARIN login, and you use the same passwords on ARIN as you do with your email provider, then they have access to your email account. And they can impersonate you to ARIN using the emailed code.

Beckman

On Tue, 24 May 2022, Raymond Burkholder wrote:

What about an optional additional second factor of sending out an email with digits to enter, or a link to confirm a login or some other critical operation?
--------------------------------------------------------------------------- Peter Beckman Internet Guy beckman@angryox.com https://www.angryox.com/ ---------------------------------------------------------------------------
Hello,

I am not in the ARIN region but I have attended a few ARIN meetings. As a comment, I live in a country where mobile roaming does not exist; therefore, when 2FA only works with SMS I cannot use the service. Having said that, please consider at least one more way to perform 2FA, maybe sending a code to the email address or something else.

My two cents,

Alejandro,

PS If you have already thought about this, sorry for the noise.

On Tue, May 24, 2022, 2:29 PM John Curran <jcurran@arin.net> wrote:
NANOGers -
A consultation opened today on potentially requiring use of 2-factor authentication to login into ARIN Online – this would take place once SMS 2FA is deployed. If you think that this is: a) a great idea, b) a bad idea, c) anything else, then feel free to subscribe to the arin-consult mailing list (open to all at http://lists.arin.net/mailman/listinfo/arin-consult) and provide your feedback.
Best wishes, /John
John Curran President and CEO American Registry for Internet Numbers
I am not in the ARIN region but I have attended a few ARIN meetings. As a comment, I live in a country where mobile roaming does not exist; therefore, when 2FA only works with SMS I cannot use the service. Having said that, please consider at least one more way to perform 2FA, maybe sending a code to the email address or something else.

i use google authenticator with arin.net

randy
On Sat, 2022-05-28 at 11:36 -0700, Randy Bush wrote:
i use google authenticator with arin.net
There's also the RedHat supported app FreeOTP. -Jim P.
On Sat, 28 May 2022, Jim Popovitch via NANOG wrote:
On Sat, 2022-05-28 at 11:36 -0700, Randy Bush wrote:
i use google authenticator with arin.net

There's also the RedHat supported app FreeOTP.
There are lots of inexpensive hardware TOTP tokens as well. Personally when I have to 2fa where sms is not possible, I use a token2 molto-1. -Dan
I use google auth for several forced 2FA sites and a few sites where what I am protecting is worth the hassle. One difficulty that quickly emerges is managing and finding the correct TOTP in the long unsorted list. It’s no big deal when you have 6 or even 10, but as it approaches 100 different TOTP strings, it does become a hassle.

2FA is great where it makes sense, but contrary to the rhetoric here, it is not without trade-offs.

Owen
On May 28, 2022, at 16:24, goemon--- via NANOG <nanog@nanog.org> wrote:
There are lots of inexpensive hardware TOTP tokens as well.
Personally when I have to 2fa where sms is not possible, I use a token2 molto-1.
-Dan
On Sunday, 29 May, 2022 06:04, "Owen DeLong via NANOG" <nanog@nanog.org> said:
I use google auth for several forced 2FA sites and a few sites where what I am protecting is worth the hassle. One difficulty that quickly emerges is managing and finding the correct Totp in the long unsorted list.
In case it's of help, Authy seems a much-improved UI over Google Auth, including searching, and sync between devices, so e.g. your tablet can be your back-up key if your phone dies, is replaced, etc. No connection other than as a happy user.

Cheers,
Tim.
On 2022-05-30 11:45, tim@pelican.org wrote:
On Sunday, 29 May, 2022 06:04, "Owen DeLong via NANOG" <nanog@nanog.org> said:
I use google auth for several forced 2FA sites and a few sites where what I am protecting is worth the hassle. One difficulty that quickly emerges is managing and finding the correct Totp in the long unsorted list.
In case it's of help, Authy seems a much-improved UI over Google Auth, including searching, and sync between devices, so e.g. your tablet can be your back-up key if your phone dies, is replaced, etc.
For a while google authenticator did not let you "export" (copy to another device) for "security reasons". Nowadays it does, not sure since exactly when. It also lets you search, so in these regards they are probably on par now.

Robert
For a while google authenticator did not let you "export" (copy to another device) for "security reasons". Nowadays it does
i think this is probably good for some folk. though personally i am not sure i want to consider two devices as endangered. but as the list gets longer and longer, export as a backup mechanism is tempting. though an encrypted blob a la hsm backup would be a much smaller increase in attack surface than cloning.

as i get more and more entries in the list, i would love it being alpha sorted. search requires that i adopt the fantasy that the iphone has a keyboard.

randy
participants (16): Alejandro Acosta, Crist Clark, goemon@sasami.anime.net, Jim Popovitch, John Curran, John Curran, Laura Smith, Matt Harris, niels=nanog@bakker.net, Owen DeLong, Peter Beckman, Randy Bush, Raymond Burkholder, Robert Kisteleki, Royce Williams, tim@pelican.org