two-factor authentication mandatory

Hello,

I agree completely with the use of 2FA and do agree with the spirit of this being mandatory. However, the current state of RIPE NCC MFA is not suitable to be made mandatory. Namely, the TOTP requires a phone (SMS) or TOTP app. I would like to see support for FIDO2 keys; if this is not possible, OTP via email would be a compromise.

My rationale for this is that some organisations do not allow phones within the office, nor have any apps available to install on their systems. Perhaps a more generic scenario is if a phone is out of battery. I'm sure you can appreciate that, while I am in favour of MFA, I think this must be in a different format.

I'm aware this is a feature many have been keen on for a while. I see two ways forward:
1) RIPE supports another method of MFA (FIDO keys or emailed OTP).
2) RIPE makes mandatory MFA the choice of the LIR admin.

I would like to hear other views on this request to the RIPE NCC. I am not looking for suggestions for workarounds such as online TOTP or writing my own code for this.

Regards,
Michael

On Thu, 2024-01-11 at 14:35 +0100, Mike B wrote:
My rationale for this is that some organisations do not allow phones within the office, nor have any apps available to install on their systems. Perhaps a more generic scenario is if a phone is out of battery. I'm sure you can appreciate that, while I am in favour of MFA, I think this must be in a different format.

TOTP can be done without phones or phone apps... it just needs the shared secret and an HMAC function; this can be done via various password managers, simple Python scripts, your TI-81 calculator or any number of other methods.

I would advise against any form of e-mail 2FA, as this really reduces it to a single factor (with password resets via email).

-- 
Mark Janssen -- Sig-I/O Automatisering
mark@sig-io.nl http://sig-io.nl Phone: +31-6-5886.7992
Linux, Unix, Networking, Hosting, Virtual Private Servers and more


Hello Michael,

Maybe a solution to the problem you mentioned would be to use a personal password manager with strong encryption that also supports TOTP. At least this is what I have been using for a long time without any problem.

My suggestion:
https://keepassxc.org/
https://keepassxc.org/docs/
https://www.linux.org/threads/in-depth-tutorial-how-to-set-up-2fa-totp-with-...

Best Regards,
Georgios Kleisiaris
Board Member & Administrator
Sarantaporo.gr Non Profit Organization
28 Karaiskaki Str., 10554, Athens, Greece
Email: gklis@sarantaporo.gr, Web: www.sarantaporo.gr

I agree that FIDO support would be extremely appreciated. Lots of orgs already have such keys issued to employees, and they are easier to handle in many respects.

I would also like to point out to everybody (from personal experience in this subject matter) that the organisational complexity around implementing two-factor is not about the technical capabilities to do 2FA/MFA; it is more the complexity around how you handle things like resetting accounts after MFA tokens have been lost (and how you do this with an acceptable level of security).

I applaud RIPE for taking this decision to enforce 2FA authentication. I'm glad that the industry is looking at the previous incident and deciding to make immediate corrections rather than waiting for it to happen over and over again, like sometimes happens in other industries/sectors.

Good afternoon all,

I agree with Ben here. The complexity around implementing two-factor can be a challenge. One thing I would like to see is maybe for RIPE to look at the rollout of SAML authentication (i.e. allow people to log in with services such as O365). From what I have seen this is not possible at this time. I feel this might help with the issue Ben spoke about regarding more internal IT issues when accessing RIPE resources, and it also allows for easier administration in general (i.e. when people leave an org, RIPE access is blocked when the email account is disabled, etc.).

I also applaud RIPE for taking this decision to enforce 2FA authentication. It's a shame it's taking this long to have the discussion, but we all learn from issues.

Kind Regards
Callum

Callum Green
Head of Technical Operations
Kloud9
0333 996 1000
www.kloud9.co.uk
callum.green@kloud9.co.uk

Hi, On Thu, Jan 11, 2024 at 02:06:50PM +0000, Callum Green wrote:
The complexity around implementing two Factor can be a challenge, one thing I would like to see is maybe for RIPE to look at the rollout SAML authentication (i.e allow people to log-in with services such as O365).
I'd argue against this. RIPE NCC should not be dependent on some random cloud service which might or might not be reachable when you urgently need to access your LIR portal, for example to update a ROA *now*. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

+1 for Gert

Alex

On 22 Jan 2024, at 09:31, Gert Doering <gert@space.net> wrote:
Hi,
On Thu, Jan 11, 2024 at 02:06:50PM +0000, Callum Green wrote: The complexity around implementing two Factor can be a challenge, one thing I would like to see is maybe for RIPE to look at the rollout SAML authentication (i.e allow people to log-in with services such as O365).
I'd argue against this. RIPE NCC should not be dependent on some random cloud service which might or might not be reachable when you urgently need to access your LIR portal, for example to update a ROA *now*.
I do not think Callum was suggesting that everyone had to switch to exclusively using an external identity provider. There is nothing in providing support for federated identity (which IMO/IME is seen as industry best practice) that precludes individual LIRs choosing not to use the federated identity option at all, or preventing those LIRs that *do* use it from having one or more (depending on their needs) “break-glass”, ripe-local-auth account(s) as a backup in case of emergency, as I am sure you will be familiar with if you use RADIUS or TACACS in your network devices.

I have a relatively tiny org staff-wise compared to many, and frankly it is already the case that managing individual accounts at every system that doesn’t support federated identity and access based on group membership in the external directory is a PITA, and that friction will inevitably lead to poor practices such as account sharing, a lack of 2FA, accounts hanging around after people have left, etc. It would be good to take RIPE off my list of “identity headaches”.

Regards,
Phillip Baker
Technical Director
Netcalibre Ltd

Sent from my mobile device, please excuse any abbreviations, typos, lack of pleasantries etc. E&OE

can we please just require totp now and create complexity later? randy

On 11.01.24 14:35, Mike B wrote:
I would like to hear other views on this request to the RIPE NCC.

First and foremost, my views depend *a lot* on whether we're talking about *additional* methods, or a set(?) of methods things may be cut back to in the long run.

However the current state of RIPE NCC MFA is not suitable to be made mandatory. Namely the TOTP requires a phone (sms) or TOTP App. I would like to see support for FIDO2 keys, if this is not possible OTP via email would be a compromise.

A FIDO key is a bit of hard- or software, just like TOTP tokens or apps are, and a MUA is as well; it's pretty much implied by all of those filling the slot of "something you have" in the 2FA concept. E-mail has the advantage of it being very, *very* unlikely that someone trying to log into the RIPE SSO does not have it available already, but on the flip side, both e-mail- and SMS-based 2FA have proven to be rather circumventable lately. (FWIW, according to what I've read, FIDO seems to be the most resilient one in that regard.)

On 11.01.24 14:48, Mark Janssen via members-discuss wrote:
TOTP can be done without phones or phone apps... it just needs the shared secret and a HMAC function

(... and a sufficiently well-synchronized clock for an input.)

On 11.01.24 14:53, Ben Cartwright-Cox via members-discuss wrote:
I agree that FIDO support would be extremely appreciated, Lots of orgs already have such keys issued to employees

We distributed TOTP tokens¹ to most of our staff a little while ago - which we can now scrap because everyone wants us to do TOTP the "authenticator" way² these days. If you want to try and convince our management of setting up another 2FA hardware budget, be my guest. :-/

¹ Single secret burnt into token by manufacturer, to be uploaded to service and associated with account by sysadmin
² Individual secrets created on demand by server, to be downloaded into "token" (under a new "account"/"config"/... to be created along with it)

On 11.01.24 14:55, Oleksij Samorukov via members-discuss wrote:
But +1 for FIDO2 implementation, is a very popular standard with many implementations on the market. And it should be easy to implement on the backend/frontend side, implementation is very straightforward with many examples all-around.

... *hope* you're right there. Last time I tried (with a USB-based OnlyKey token and my Linux work machine), things looked rather similar to this:
https://learn.microsoft.com/en-us/entra/identity/authentication/fido2-compat...

Kind regards,
-- 
Jochen Bern
Systemingenieur
T +49 6151 9067-231 E jochen.bern@binect.de
Binect GmbH Brunnenweg 17 64331 Weiterstadt www.binect.de
Follow us: https://www.linkedin.com/company/18314056/admin/ https://www.xing.com/pages/binectgmbh https://www.facebook.com/binect/ https://www.youtube.com/channel/UC-vhGKk6YU1qPbeh0Nx768g
Management: Dr. Frank Wermeyer, Michael Imiolczyk Registered office: Weiterstadt Register: Amtsgericht Darmstadt, HRB 94685 VAT ID: DE 221 302 264
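
Mark's point that TOTP needs only a shared secret and an HMAC, and Jochen's addendum that the clock is the third input, fit in a short program. The following is an added example written for this page, not code from any participant in the thread or from the RIPE NCC: it implements RFC 6238 TOTP over RFC 4226 HOTP with the Python standard library alone, using the RFCs' published test-vector secret as input, and adds the server-side check a verifier needs when client and server clocks drift (a bounded acceptance window, plus a record of the last accepted time step so the same code is not accepted twice). The `TotpVerifier` class and its `drift_steps` parameter are names chosen here, not taken from any standard.

```python
"""RFC 6238 TOTP from nothing but a shared secret, HMAC and a clock.

Added example for this thread, not code from any participant or from the
RIPE NCC.  The secret is the RFC 4226 / RFC 6238 appendix test-vector key
(ASCII "12345678901234567890"), not a real credential.  Class and
parameter names (TotpVerifier, drift_steps) are chosen here.
"""
import base64
import hashlib
import hmac
import struct
import time

RFC_TEST_SEED = b"12345678901234567890"
STEP_SECONDS = 30          # RFC 6238 default time step
DIGITS = 6                 # what most authenticator apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def time_step(unix_time: float, step: int = STEP_SECONDS) -> int:
    """T = floor(unix_time / step): the counter TOTP feeds into HOTP."""
    return int(unix_time) // step


def totp(secret: bytes, unix_time=None, step: int = STEP_SECONDS,
         digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.
    This is all a password manager, a script or a calculator has to do."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, time_step(unix_time, step), digits, algo)


def decode_base32_secret(b32: str) -> bytes:
    """Secrets are usually handed out as unpadded, case-insensitive
    base32 (as in otpauth:// QR codes); re-pad before decoding."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


class TotpVerifier:
    """Server side of the check.

    - Tolerates +/- `drift_steps` time steps of clock skew between client
      and server (Jochen's point: the clock is an input too).
    - Remembers the last accepted step and refuses anything at or before
      it, so a code observed once cannot be presented a second time
      within the acceptance window.
    - Compares in constant time.
    """

    def __init__(self, secret: bytes, drift_steps: int = 1,
                 step: int = STEP_SECONDS, digits: int = DIGITS):
        self.secret = secret
        self.drift_steps = drift_steps
        self.step = step
        self.digits = digits
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time=None) -> bool:
        if unix_time is None:
            unix_time = time.time()
        # Reject malformed input before any comparison (non-ASCII input
        # would also make compare_digest raise).
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return False
        now = time_step(unix_time, self.step)
        for candidate in range(now - self.drift_steps, now + self.drift_steps + 1):
            if candidate <= self.last_accepted_step:
                continue  # already used (or older): replay protection
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B lists 8-digit SHA-1 codes; T=59 gives 94287082.
    print(totp(RFC_TEST_SEED, 59, digits=8))
    v = TotpVerifier(RFC_TEST_SEED)
    code = totp(RFC_TEST_SEED, 59)
    print(v.verify(code, 59), v.verify(code, 59))  # accepted once, then replay refused
```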

It's worth pointing out that 2FA methods are not a "winner takes all". Some people have FIDO keys deployed in production and are happy with it, others use TOTP with or without mobile phone apps, and there is even room for email TOTP.

All of these methods improve the status quo dramatically and will help LIRs not repeat the same incident that happened to Orange Spain.

Let's not have perfect be in the way of good.

I really like the idea of having good support for "Two Factor" Auth! That said, with this setup it depends a lot on personal preference. I am also really against "forcing" change; encouraging is the much better way. We should allow "choice" in the type of mechanism, and only offer options that can be supported in the long term. Preferably most options should be "vendor neutral".

So even though it's slightly less secure at times (like email 2FA), I'd like to suggest the following:

- RIPE NCC Access Account Creation: Change the dialogue to have 2FA available in a way where users have to "opt-out" of it instead of "opt-in". (We could potentially make email 2FA the default option, from which users can either "opt-out" completely or upgrade to a more secure type of 2FA.)
- LIR/Member: When a LIR/Member is created we could look into including one hardware token in the welcome package. This could be part of the one-time cost of becoming a LIR. (The use of the token should be suggested, but not mandatory.)

regards

I agree completely with the use of 2FA and do agree with the spirit of this being mandatory. However the current state of RIPE NCC MFA is not suitable to be made mandatory. Namely the TOTP requires a phone (sms) or TOTP App. I would like to see support for FIDO2 keys, if this is not possible OTP via email would be a compromise.
right now, totp works. make it mandatory and we have raised the bar seriously. i agree that webauth with fido2 would be nice. it will take too long, and could be costly in this time of tightening budgets. so i will be patient. email or sms are really bad ideas for widely known security reasons. randy

One option we propose is to limit access by IP. We limit access to the IPs of our VPN so that it makes no difference whether we are in our office or on the road or from which computer we are connecting.

-- 
José Manuel Giner
https://ginernet.com