[members-discuss] two-factor authentication mandatory

Good Afternoon all, 

I agree with Ben here.

The complexity around implementing two Factor can be a challenge, one thing I would like to see is maybe for RIPE to look at the rollout SAML authentication (i.e allow people to log-in with services such as O365). From what I have seen this is not possible at this time, I feel this might help with the issue Ben spoke about regarding more internal IT issues when accessing RIPE resource, it also allows for more easier administration in general (ie. When people leave a org RIPE access is blocked when the email account is disabled etc..).

I also applaud RIPE for taking this decision to enforce 2FA authentication, It's a shame it's taking this long to have the discussion, but we all learn from issues.

Kind Regards 
Callum

Callum Green 
Head of Technical Operations
Kloud9 

0333 996 1000 
www.kloud9.co.uk 
callum.green at kloud9.co.uk 

IMPORTANT: This email and any accompanying documents are confidential and may be privileged. If you are not the intended recipient, please notify us immediately by emailing us at info at kloud9.co.uk and delete the email. You must not copy, disclose or otherwise use this message. Unauthorised use is strictly prohibited and may be unlawful. Whilst AJ Technology Ltd T/A Kloud 9 makes every effort to ensure attachments are virus checked before transmission AJ Technology Ltd T/A Kloud 9 does not accept any liability in respect of any undetected virus. AJ Technology Ltd T/A Kloud 9 is a company registered in England & Wales, Registered Company No. 06027746.

-----Original Message-----
From: members-discuss <members-discuss-bounces at ripe.net> On Behalf Of Ben Cartwright-Cox via members-discuss
Sent: Thursday, January 11, 2024 1:53 PM
To: Mike B <michael at booth.technology>
Cc: members-discuss at ripe.net
Subject: Re: [members-discuss] two-factor authentication mandatory

CAUTION - EXTERNAL EMAIL - This email originated from outside of the organisation. Do not click links or open attachments unless you recognise the sender, expect the message and know that the content is safe.


I agree that FIDO support would be extremely appreciated, Lots of orgs already have such keys issued to employees and are easier to handle in many respects.

I would also like to point out to everybody ( from personal experience in this subject matter )  that the organisational complexity around implementing two Factor is not about the technical capabilities to do 2FA/MFA, it is more the complexity around how do you handle things like resetting accounts after MFA tokens have been lost (  and how do you do this with an acceptable level of security )

I applaud RIPE for taking this decision to enforce 2FA authentication, I'm glad that the industry is looking at the previous incident and deciding to make immediate corrections rather than waiting for it to happen over and over again like sometimes happens in other Industries/sectors

On Thu, Jan 11, 2024 at 1:36 PM Mike B <michael at booth.technology> wrote:
>
>
> Hello,
>
> I agree completely with the use of 2FA and do agree with the spirit of this being mandatory. However the current state of RIPE NCC MFA is not suitable to be made mandatory. Namely the TOTP requires a phone (sms) or TOTP App. I would like to see support for FIDO2 keys, if this is not possible OTP via email would be a compromise.
>
>
>
> My rational for this is that some organisations do not allow phones within the office, nor have any Apps available to install on their systems. Perhaps a more generic scenario is if a phone is out of battery. I'm sure you can appreciate while I am in favour of MFA I think this must be in a different format.
>
>
>  I'm aware this is a feature many have been keen for for a while. I see two ways forward:
>
> 1) RIPE supports another method of MFA (FIDO KEYS or emailed OTP).
> 2) RIPE makes Mandatory MFA the choice of the LIR admin.
>
> I would like to hear other views on this request to the RIPE NCC.  I am not looking for suggestions for workarounds such as online TOTP or writing my own code for this.
>
>
> Regards,
>
> Michael
>
> _______________________________________________
> members-discuss mailing list
> members-discuss at ripe.net
> https://mailman.ripe.net/
> Unsubscribe: 
> https://lists.ripe.net/mailman/options/members-discuss/ripencc%40benjo
> jo.co.uk

_______________________________________________
members-discuss mailing list
members-discuss at ripe.net
https://mailman.ripe.net/
Unsubscribe: https://lists.ripe.net/mailman/options/members-discuss/callum.green%40kloud9.co.uk