[members-discuss] two-factor authentication mandatory
Jochen Bern
ripe at binect.de
Thu Jan 11 16:28:29 CET 2024
On 11.01.24 14:35, Mike B wrote:
> I would like to hear other views on this request to the RIPE NCC.
First and foremost, my views depend *a lot* on whether we're talking
about *additional* methods, or a set(?) of methods things may be cut
back to in the long run.
> However the current state of RIPE NCC MFA is not suitable to be made
> mandatory. Namely the TOTP requires a phone (sms) or TOTP App. I would
> like to see support for FIDO2 keys, if this is not possible OTP via
> email would be a compromise.
A FIDO key is a bit of hard- or software, just like TOTP tokens or apps
are, and a MUA is as well; it's pretty much implied by all of those
filling the slot of "something you have" in the 2FA concept.
E-mail has the advantage of it being very, *very* unlikely that someone
trying to log into the RIPE SSO does not have it available already, but
on the flip side, both e-mail- and SMS-based 2FA have proven to be
rather circumventable lately. (FWIW, according to what I've read, FIDO
seems to be the most resilient one in that regard.)
On 11.01.24 14:48, Mark Janssen via members-discuss wrote:
> TOTP can be done without phones or phone apps... it just needs the
> shared secret and a HMAC function
(... and a sufficiently well-synchronized clock for an input.)
On 11.01.24 14:53, Ben Cartwright-Cox via members-discuss wrote:
> I agree that FIDO support would be extremely appreciated. Lots of orgs
> already have such keys issued to employees
We distributed TOTP tokens¹ to most of our staff a little while ago -
which we can now scrap because everyone wants us to do TOTP the
"authenticator" way² these days. If you want to try and convince our
management of setting up another 2FA hardware budget, be my guest. :-/
¹ Single secret burnt into token by manufacturer, to be uploaded to
service and associated with account by sysadmin
² Individual secrets created on demand by server, to be downloaded
into "token" (under a new "account"/"config"/... to be created
along with it)
On 11.01.24 14:55, Oleksij Samorukov via members-discuss wrote:
> But +1 for FIDO2 implementation, it is a very popular standard with
> many implementations on the market. And it should be easy to
> implement on the backend/frontend side, implementation is very
> straightforward with many examples all-around.
... *hope* you're right there. Last time I tried (with a USB-based
OnlyKey token and my Linux work machine), things looked rather similar
to this:
https://learn.microsoft.com/en-us/entra/identity/authentication/fido2-compatibility#linux
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
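The "shared secret + HMAC + synchronized clock" recipe discussed in the thread, worked through as an added example (not code from the list or from the RIPE NCC): RFC 4226 HOTP, RFC 6238 TOTP on top of it, and a server-side verifier with a small clock-drift window and replay rejection. The secret is the ASCII test vector from the RFCs; the `skew` and `last_counter` parameters are this example's own names.

```python
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 / RFC 6238 test secret, embedded so the block runs offline.
# A real service generates a random secret per account and hands it to the
# token exactly once (the "authenticator" enrolment the thread describes).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation to a 31-bit integer, reduced mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter taken from the clock.
    This is why both sides need a reasonably synchronized clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, skew: int = 1) -> Optional[int]:
    """Server-side check: accept the current time step and up to `skew` steps
    either side (tolerates small clock drift), refuse any counter already
    consumed (replay), and compare in constant time. Returns the matched
    counter so the caller can persist it as the new last_counter, else None."""
    now = unix_time // step
    for counter in range(now - skew, now + skew + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None
```

A token whose clock is off by more than `skew` steps produces codes the verifier rejects, which is the synchronization caveat raised above.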