This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/ncc-services-wg@ripe.net/
[ncc-services-wg] Enforce 2FA for RIPE NCC Access account
- Previous message (by thread): [ncc-services-wg] Enforce 2FA for RIPE NCC Access account
- Next message (by thread): [ncc-services-wg] Enforce 2FA for RIPE NCC Access account
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hank Nussbacher
hank at interall.co.il
Thu Jan 4 16:54:08 CET 2024
On 04/01/2024 12:04, Benedikt Neuffer wrote: I believe I have found a bug in RIPE Portal 2FA access. To whom should I report it? Thanks, Hank > Happy New Year, everyone! > > However, the year begins with some concerning news: RIPE NCC has > announced a Security Breach Investigation[0]. It likely relates to the > incident where Orange Spain lost credentials[1][2]. This topic has been > discussed in the unofficial RIPE Telegram chat[3] and the German network > community on Telegram[4], on the discussion mailing list[5][6] and a lot > of more places. > > The primary issue in this case was the lack of 2FA usage. We must not > allow ourselves to be distracted by the debate over weak passwords. Even > strong passwords can be compromised. > > A while ago, I raised a concern with RIPE NCC about the inability to > check if 2FA is activated for an account linked to a LIR. It’s also not > possible to enforce 2FA for accounts associated with a maintainer object > in RIPE DB. Unfortunately, there has been no progress or action taken on > this matter yet. > > After some thought, I've come to the conclusion that RIPE NCC's services > are so essential to the internet that enforcing 2FA for RIPE NCC Access > accounts globally should be considered. > > So, I propose a discussion urging RIPE NCC to either enforce 2FA on RIPE > NCC access accounts globally, allow a LIR to enforce 2FA for linked RIPE > NCC Access accounts, or at the very least, provide visibility in the LIR > portal to identify which linked accounts have not activated 2FA. > > To be honest, I don't get the impression that RIPE NCC takes the > security of RIPE NCC Access accounts very seriously. How can we, as a > community, influence RIPE NCC in this regard? Would it be possible, for > example, to develop a policy in the RIPE NCC Services WG that enforces > 2FA for RIPE NCC Access accounts? > > Kind Regards, > Benedikt > > [0] > https://www.ripe.net/publications/news/ripe-ncc-access-security-breach-investigation > [1] https://twitter.com/Ms_Snow_OwO/status/1742357282917109928 > [2] > https://twitter.com/vxunderground/status/1742704099035160612?t=GkJ0_jiIGI3NEDGcV7021g > [3] https://t.me/ripe_chat > [4] https://t.me/bgpde > [5] > https://www.ripe.net/ripe/mail/archives/ripe-list-unmoderated/2024-January/005920.html > [6] > https://www.ripe.net/ripe/mail/archives/ripe-list-unmoderated/2024-January/005923.html > > >
- Previous message (by thread): [ncc-services-wg] Enforce 2FA for RIPE NCC Access account
- Next message (by thread): [ncc-services-wg] Enforce 2FA for RIPE NCC Access account
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]