[members-discuss] two-factor authentication mandatory

> On 22 Jan 2024, at 09:31, Gert Doering <gert at space.net> wrote:
> 
> Hi,
> 
>> On Thu, Jan 11, 2024 at 02:06:50PM +0000, Callum Green wrote:
>> The complexity around implementing two Factor can be a challenge, one thing I would like to see is maybe for RIPE to look at the rollout SAML authentication
>> (i.e allow people to log-in with services such as O365).
> 
> I'd argue against this.  RIPE NCC should not be dependent on some random
> cloud service which might or might not be reachable when you urgently need
> to access your LIR portal, for example to update a ROA *now*.

I do not think Callum was suggesting that everyone had to switch to exclusively using an external identity provider.

There is nothing in providing support for federated identity (which IMO/IME is seen as industry best practice) that precludes individual LIRs choosing not to use the federated identity option at all, or preventing those LIRs that *do* use it from having one or more (depending on their needs) “break-glass”, ripe-local-auth account(s) as a backup in case of emergency, as I am sure you will be familiar with if you use RADIUS or TACACS in your network devices.

I have a relatively tiny org staff wise compared to many and frankly it is already the case that managing individual accounts at every system that doesn’t support federated identity and access based on group membership in the external directory is a PITA, and that friction will inevitably lead to poor practices such as account sharing, a lack of 2fa, accounts hanging around after people have left etc.

It would be good to take RIPE off my list of “identity headaches”.

Regards,
Phillip Baker
Technical Director
Netcalibre Ltd

Sent from my mobile device, please excuse any abbreviations, typos, lack of pleasantries etc. E&OE