
Dear colleagues,

We would like to share some updates regarding security measures available to RIPE NCC members.

We have now introduced a feature that shows LIR administrators whether or not two-factor authentication (2FA) has been enabled by users on their LIR account. This feature allows LIR administrators greater insight into the security measures being implemented within their teams. Please note that only admins have access to this feature.

We have also strengthened password requirements and added a reminder to enable 2FA when users log in to their RIPE NCC Access accounts. This is an interim measure until mandatory 2FA is rolled out.

Our roadmaps have been updated to expedite the rollout of mandatory two-factor authentication:
https://www.ripe.net/support/documentation/quarterly-planning/business-appli...

The rollout is currently planned to take place towards the end of Q1 2024.

Additionally, we have increased our efforts to actively identify leaked credentials available online and to reset those passwords. The password reset process for any credentials identified as leaked through our monitoring system has been automated.

We urge all members to be mindful of their password security and to enable two-factor authentication. Please follow our security recommendations:

- Review your LIR account(s), restrict access to necessary personnel only and remove former employee accounts.
- Make use of our new feature and ensure that all users on your account enable two-factor authentication.
- If you use a password management tool, we recommend that you enable data breach monitoring for your own credentials.

Kind regards,

Eleonora Petridou
Chief Information Security Officer
RIPE NCC

Hi colleagues,

On 3/19/24 9:59 AM, Eleonora Petridou wrote:
> We have also strengthened password requirements and added a reminder to enable 2FA when users log in to their RIPE NCC Access accounts. This is an interim measure until mandatory 2FA is rolled out. Our roadmaps have been updated to expedite the rollout of mandatory two-factor authentication:

The current policy does not allow for having the same OTP code on two different mobile phones at the same time, so the only way to migrate to a new phone is to turn off 2FA completely and then turn it back on again to get a QR code for the new phone.

When 2FA becomes mandatory, it cannot be turned off, am I right?

What is the plan to enable the moving to a new phone or other authenticator device?

Best Regards,

--
Aleksi Suhonen / Axu TM Oy
Internetworking Consulting

This is a very good point, and I can see where the issue would occur when the OTP application used doesn't support migration to a new device (which some don't in my experience).

Another thing I (among other network operators) would like to see is the implementation of support for WebAuthn and multiple hardware keys. It's not solely sufficient in my opinion to have only a single method of 2FA possible, so the support of different types of 2FA would be great to have implemented prior to 2FA becoming mandatory.

Kind regards,
Peter Potvin

On Wed, Mar 20, 2024 at 1:09 PM Aleksi Suhonen <ripe-ml-2024@ssd.axu.tm> wrote:
> Hi colleagues,
>
> On 3/19/24 9:59 AM, Eleonora Petridou wrote:
>> We have also strengthened password requirements and added a reminder to enable 2FA when users log in to their RIPE NCC Access accounts. This is an interim measure until mandatory 2FA is rolled out. Our roadmaps have been updated to expedite the rollout of mandatory two-factor authentication:
>
> The current policy does not allow for having the same OTP code on two different mobile phones at the same time, so the only way to migrate to a new phone is to turn off 2FA completely and then turn it back on again to get a QR code for the new phone.
>
> When 2FA becomes mandatory, it cannot be turned off, am I right?
>
> What is the plan to enable the moving to a new phone or other authenticator device?
>
> Best Regards,
>
> --
> Aleksi Suhonen / Axu TM Oy
> Internetworking Consulting