nanog mailing list archives
Re: FYI - 2FA to be come mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts
From: Royce Williams <royce () techsolvency com>
Date: Fri, 27 May 2022 22:41:03 -0600
On Fri, May 27, 2022, 9:55 PM Peter Beckman <beckman () angryox com> wrote:
> Not to be confused with FIDO U2F, which is basically what TOTP 2FA is, just implemented differently.

FIDO U2F is materially different from TOTP 2FA.

With TOTP, there is no cryptographic validation of the requester / server. A user can be fooled into providing a TOTP code to the wrong site, or via phishing, or by an attacker simply making repeated authentication requests in the middle of the night until the user gets exasperated and provides the code.

By contrast, even the original FIDO U2F spec authenticates the 'origin' - the server being authenticated *to*. I'm glossing over the details, but in essence, the browser compares the cryptographic signature, and if it doesn't match the expected origin, it won't complete the authentication.

It is this property that virtually eliminated an entire class of phishing at Google:

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

TOTP does not have equivalent phishing resistance.

--
Royce
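
The origin binding described in the message above, as an added example that is not part of the original post or of any FIDO implementation: a relying party accepts a TOTP code regardless of which page the user typed it into, but rejects a U2F-style assertion that the browser produced for a different origin. Assumptions: the origins, keys and challenge are constructed, HMAC-SHA256 stands in for the ECDSA P-256 signature a real token makes, and the signed message is simplified (no user-presence byte or counter).

```python
import hashlib, hmac, json, struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Inputs: shared secret and clock; no site identity."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def token_sign(key: bytes, app_param: bytes, client_data: bytes) -> bytes:
    """Toy token: HMAC stands in for the ECDSA signature of a real U2F key.
    The signed bytes cover the application parameter and the client-data hash."""
    return hmac.new(key, app_param + _sha256(client_data), hashlib.sha256).digest()

def browser_get_assertion(key: bytes, page_origin: str, challenge: str):
    """The browser, not the user, records the origin of the page that asked."""
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}).encode()
    return client_data, token_sign(key, _sha256(page_origin.encode()), client_data)

def rp_verify(key: bytes, my_origin: str, challenge: str,
              client_data: bytes, sig: bytes) -> bool:
    """Relying party: the signature must cover its own origin and its own challenge."""
    expected = token_sign(key, _sha256(my_origin.encode()), client_data)
    seen = json.loads(client_data)
    return (hmac.compare_digest(sig, expected)
            and seen["origin"] == my_origin and seen["challenge"] == challenge)

def compare_wrong_site_logins() -> dict:
    # All values below are constructed for this example.
    real, lookalike = "https://login.example.com", "https://login.example-sso.test"
    secret, key, now, chal = b"12345678901234567890", b"constructed-device-key", 59, "c-1234"
    typed_code = totp(secret, now)  # same digits whichever page the user is on
    on_real = browser_get_assertion(key, real, chal)
    on_lookalike = browser_get_assertion(key, lookalike, chal)
    return {
        "totp_from_wrong_site_accepted": hmac.compare_digest(typed_code, totp(secret, now)),
        "u2f_from_real_site_accepted": rp_verify(key, real, chal, *on_real),
        "u2f_from_wrong_site_accepted": rp_verify(key, real, chal, *on_lookalike),
    }

if __name__ == "__main__":
    print(compare_wrong_site_logins())
```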