On 04/01/24 11:04, Benedikt Neuffer wrote:
A while ago, I raised a concern with RIPE NCC about the inability to check if 2FA is activated for an account linked to a LIR. It’s also not possible to enforce 2FA for accounts associated with a maintainer object in RIPE DB. Unfortunately, there has been no progress or action taken on this matter yet.
After some thought, I've come to the conclusion that RIPE NCC's services are so essential to the internet that enforcing 2FA for RIPE NCC Access accounts globally should be considered.
So, I propose a discussion urging RIPE NCC to either enforce 2FA on RIPE NCC access accounts globally, allow a LIR to enforce 2FA for linked RIPE NCC Access accounts, or at the very least, provide visibility in the LIR portal to identify which linked accounts have not activated 2FA.
I agree 100% with this. An LIR administrator should be able to set an enforcing policy that all RIPE NCC Access accounts associated with the LIR account must have 2FA enabled. I also found out today that it is not possible to delete RIPE NCC Access accounts, at least there is no obvious way to do so yourself. (You can de-associate them from LIR accounts, so the security impact is limited, but it seems odd to me that old and unused accounts cannot easily be purged from the system entirely.) Tore