This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[ncc-services-wg] Enforce 2FA for RIPE NCC Access account

Previous message (by thread): [ncc-services-wg] Enforce 2FA for RIPE NCC Access account
Next message (by thread): [ncc-services-wg] Enforce 2FA for RIPE NCC Access account

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Benedikt Neuffer benedikt.neuffer at kit.edu
Thu Jan 4 12:21:26 CET 2024

Hi Daniel,

I agree that in the long term, support for FIDO2/WebAuthn would be 
beneficial. However, as long as a LIR is unable to mandate 2FA or audit 
whether all accounts have enabled 2FA, methods other than TOTP do not 
help preventing accounts from disabling 2FA again.

RIPE NCC should begin by addressing the basic requirements, and then 
gradually introduce additional functionalities.

Regards,
Benedikt


On 04.01.24 12:10, Daniel Suchy via ncc-services-wg wrote:
> Hello,
> I agree with MFA requirement in general, but but also RIPE should 
> implement more methods here and don't rely only on TOTP. It's necessary 
> to admit that the development hasn't progressed here too much...
> 
> There're modern MFA methods like FIDO2/WebAuthn already, unfortunately 
> RIPE access doesn't implement them. There also should opportunity to 
> have multiple methods actived concurrently (to have choice between 
> multiple tokens, for example) - similary to implementations on 
> Google/GitHube etc.
> 
> - Daniel
> 
> 
> On 1/4/24 11:04, Benedikt Neuffer wrote:
>> Happy New Year, everyone!
>>
>> However, the year begins with some concerning news: RIPE NCC has 
>> announced a Security Breach Investigation[0]. It likely relates to the 
>> incident where Orange Spain lost credentials[1][2]. This topic has 
>> been discussed in the unofficial RIPE Telegram chat[3] and the German 
>> network community on Telegram[4], on the discussion mailing list[5][6] 
>> and a lot of more places.
>>
>> The primary issue in this case was the lack of 2FA usage. We must not 
>> allow ourselves to be distracted by the debate over weak passwords. 
>> Even strong passwords can be compromised.
>>
>> A while ago, I raised a concern with RIPE NCC about the inability to 
>> check if 2FA is activated for an account linked to a LIR. It’s also 
>> not possible to enforce 2FA for accounts associated with a maintainer 
>> object in RIPE DB. Unfortunately, there has been no progress or action 
>> taken on this matter yet.
>>
>> After some thought, I've come to the conclusion that RIPE NCC's 
>> services are so essential to the internet that enforcing 2FA for RIPE 
>> NCC Access accounts globally should be considered.
>>
>> So, I propose a discussion urging RIPE NCC to either enforce 2FA on 
>> RIPE NCC access accounts globally, allow a LIR to enforce 2FA for 
>> linked RIPE NCC Access accounts, or at the very least, provide 
>> visibility in the LIR portal to identify which linked accounts have 
>> not activated 2FA.
>>
>> To be honest, I don't get the impression that RIPE NCC takes the 
>> security of RIPE NCC Access accounts very seriously. How can we, as a 
>> community, influence RIPE NCC in this regard? Would it be possible, 
>> for example, to develop a policy in the RIPE NCC Services WG that 
>> enforces 2FA for RIPE NCC Access accounts?
>>
>> Kind Regards,
>> Benedikt
>>
>> [0] 
>> https://www.ripe.net/publications/news/ripe-ncc-access-security-breach-investigation
>> [1] https://twitter.com/Ms_Snow_OwO/status/1742357282917109928
>> [2] 
>> https://twitter.com/vxunderground/status/1742704099035160612?t=GkJ0_jiIGI3NEDGcV7021g
>> [3] https://t.me/ripe_chat
>> [4] https://t.me/bgpde
>> [5] 
>> https://www.ripe.net/ripe/mail/archives/ripe-list-unmoderated/2024-January/005920.html
>> [6] 
>> https://www.ripe.net/ripe/mail/archives/ripe-list-unmoderated/2024-January/005923.html
>>
>>
>>
> 

-- 
Karlsruher Institut für Technologie (KIT)
Scientific Computing Center (SCC)

Benedikt Neuffer
Netze und Telekommunikation (NET)

Büro CN:
Hermann-von-Helmholtz-Platz 1
Gebäude 442
Raum 122
76344 Eggenstein-Leopoldshafen

Büro CS:
Zirkel 2
Gebäude 20.21
Raum 001.1
76131 Karlsruhe

Telefon CN: +49 721 608-24502
Telefon CS: +49 721 608-46342
Fax:        +49 721 608-47763
E-Mail: benedikt.neuffer at kit.edu
Web: https://www.scc.kit.edu



Sitz der Körperschaft:
Kaiserstraße 12, 76131 Karlsruhe



KIT – Die Forschungsuniversität in der Helmholtz-Gemeinschaft



Signaturversion: 23.1.0 beta

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5841 bytes
Desc: S/MIME Cryptographic Signature
URL: </ripe/mail/archives/ncc-services-wg/attachments/20240104/8e0ae806/attachment.p7s>

Previous message (by thread): [ncc-services-wg] Enforce 2FA for RIPE NCC Access account
Next message (by thread): [ncc-services-wg] Enforce 2FA for RIPE NCC Access account

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ ncc-services-wg Archives ]