[ncc-services-wg] Enforce 2FA for RIPE NCC Access account
Hank Nussbacher
hank at interall.co.il
Thu Jan 4 16:54:08 CET 2024
On 04/01/2024 12:04, Benedikt Neuffer wrote:

I believe I have found a bug in RIPE Portal 2FA access. To whom should I report it?

Thanks,
Hank

> Happy New Year, everyone!
>
> However, the year begins with some concerning news: RIPE NCC has
> announced a Security Breach Investigation[0]. It likely relates to the
> incident where Orange Spain lost credentials[1][2]. This topic has been
> discussed in the unofficial RIPE Telegram chat[3] and the German network
> community on Telegram[4], on the discussion mailing list[5][6] and a lot
> more places.
>
> The primary issue in this case was the lack of 2FA usage. We must not
> allow ourselves to be distracted by the debate over weak passwords. Even
> strong passwords can be compromised.
>
> A while ago, I raised a concern with RIPE NCC about the inability to
> check if 2FA is activated for an account linked to a LIR. It’s also not
> possible to enforce 2FA for accounts associated with a maintainer object
> in RIPE DB. Unfortunately, there has been no progress or action taken on
> this matter yet.
>
> After some thought, I've come to the conclusion that RIPE NCC's services
> are so essential to the internet that enforcing 2FA for RIPE NCC Access
> accounts globally should be considered.
>
> So, I propose a discussion urging RIPE NCC to either enforce 2FA on RIPE
> NCC access accounts globally, allow a LIR to enforce 2FA for linked RIPE
> NCC Access accounts, or at the very least, provide visibility in the LIR
> portal to identify which linked accounts have not activated 2FA.
>
> To be honest, I don't get the impression that RIPE NCC takes the
> security of RIPE NCC Access accounts very seriously. How can we, as a
> community, influence RIPE NCC in this regard? Would it be possible, for
> example, to develop a policy in the RIPE NCC Services WG that enforces
> 2FA for RIPE NCC Access accounts?
>
> Kind Regards,
> Benedikt
>
> [0] https://www.ripe.net/publications/news/ripe-ncc-access-security-breach-investigation
> [1] https://twitter.com/Ms_Snow_OwO/status/1742357282917109928
> [2] https://twitter.com/vxunderground/status/1742704099035160612?t=GkJ0_jiIGI3NEDGcV7021g
> [3] https://t.me/ripe_chat
> [4] https://t.me/bgpde
> [5] https://www.ripe.net/ripe/mail/archives/ripe-list-unmoderated/2024-January/005920.html
> [6] https://www.ripe.net/ripe/mail/archives/ripe-list-unmoderated/2024-January/005923.html