This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/members-discuss@ripe.net/
[members-discuss] two-factor authentication mandatory
Jochen Bern
ripe at binect.de
Thu Jan 11 16:28:29 CET 2024
On 11.01.24 14:35, Mike B wrote:
> I would like to hear other views on this request to the RIPE NCC.

First and foremost, my views depend *a lot* on whether we're talking about *additional* methods, or a set(?) of methods things may be cut back to in the long run.

> However the current state of RIPE NCC MFA is not suitable to be made
> mandatory. Namely the TOTP requires a phone (sms) or TOTP App. I would
> like to see support for FIDO2 keys, if this is not possible OTP via
> email would be a compromise.

A FIDO key is a bit of hard- or software, just like TOTP tokens or apps are, and a MUA is as well; it's pretty much implied by all of those filling the slot of "something you have" in the 2FA concept. E-mail has the advantage of it being very, *very* unlikely that someone trying to log into the RIPE SSO does not have it available already, but on the flip side, both e-mail- and SMS-based 2FA have proven to be rather circumventable lately. (FWIW, according to what I've read, FIDO seems to be the most resilient one in that regard.)

On 11.01.24 14:48, Mark Janssen via members-discuss wrote:
> TOTP can be done without phones or phone apps... it just needs the
> shared secret and a HMAC function

(... and a sufficiently well-synchronized clock for an input.)

On 11.01.24 14:53, Ben Cartwright-Cox via members-discuss wrote:
> I agree that FIDO support would be extremely appreciated, Lots of orgs
> already have such keys issued to employees

We distributed TOTP tokens¹ to most of our staff a little while ago - which we can now scrap because everyone wants us to do TOTP the "authenticator" way² these days. If you want to try and convince our management of setting up another 2FA hardware budget, be my guest. :-/

¹ Single secret burnt into token by manufacturer, to be uploaded to service and associated with account by sysadmin
² Individual secrets created on demand by server, to be downloaded into "token" (under a new "account"/"config"/... to be created along with it)

On 11.01.24 14:55, Oleksij Samorukov via members-discuss wrote:
> But +1 for FIDO2 implementation, is a very popular standard with
> many implementations on the market. And it should be easy to
> implement on the backend/frontend side, implementation is very
> straightforward with many examples all-around.

... *hope* you're right there. Last time I tried (with a USB-based OnlyKey token and my Linux work machine), things looked rather similar to this:
https://learn.microsoft.com/en-us/entra/identity/authentication/fido2-compatibility#linux

Kind regards,
--
Jochen Bern
Systems Engineer

Binect GmbH

--
Jochen Bern
Systems Engineer

T +49 6151 9067-231
E jochen.bern at binect.de

Binect GmbH
Brunnenweg 17
64331 Weiterstadt
www.binect.de

Follow us:
https://www.linkedin.com/company/18314056/admin/
https://www.xing.com/pages/binectgmbh
https://www.facebook.com/binect/
https://www.youtube.com/channel/UC-vhGKk6YU1qPbeh0Nx768g

Management: Dr. Frank Wermeyer, Michael Imiolczyk
Registered office: Weiterstadt
Register: Amtsgericht Darmstadt, HRB 94685
VAT ID: DE 221 302 264