This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/members-discuss@ripe.net/
[members-discuss] two-factor authentication mandatory
Phillip Baker
phil at netcalibre.uk
Mon Jan 22 11:31:51 CET 2024
> On 22 Jan 2024, at 09:31, Gert Doering <gert at space.net> wrote:
>
> Hi,
>
>> On Thu, Jan 11, 2024 at 02:06:50PM +0000, Callum Green wrote:
>> The complexity around implementing two Factor can be a challenge, one thing I would like to see is maybe for RIPE to look at the rollout SAML authentication
>> (i.e allow people to log-in with services such as O365).
>
> I'd argue against this. RIPE NCC should not be dependent on some random
> cloud service which might or might not be reachable when you urgently need
> to access your LIR portal, for example to update a ROA *now*.

I do not think Callum was suggesting that everyone had to switch to exclusively using an external identity provider.

There is nothing in providing support for federated identity (which IMO/IME is seen as industry best practice) that precludes individual LIRs choosing not to use the federated identity option at all, or preventing those LIRs that *do* use it from having one or more (depending on their needs) “break-glass”, ripe-local-auth account(s) as a backup in case of emergency, as I am sure you will be familiar with if you use RADIUS or TACACS in your network devices.

I have a relatively tiny org staff wise compared to many and frankly it is already the case that managing individual accounts at every system that doesn’t support federated identity and access based on group membership in the external directory is a PITA, and that friction will inevitably lead to poor practices such as account sharing, a lack of 2fa, accounts hanging around after people have left etc.

It would be good to take RIPE off my list of “identity headaches”.

Regards,

Phillip Baker
Technical Director
Netcalibre Ltd

Sent from my mobile device, please excuse any abbreviations, typos, lack of pleasantries etc. E&OE