FYI - 2FA to become mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts)

Royce Williams royce at techsolvency.com
Sat May 28 04:41:03 UTC 2022


On Fri, May 27, 2022, 9:55 PM Peter Beckman <beckman at angryox.com> wrote:

>   Not to be confused with FIDO U2F, which is basically what TOTP 2FA is,
>   just implemented differently.
>

FIDO U2F is materially different from TOTP 2FA.

With TOTP, there is no cryptographic validation of the requester / server.
A user can be fooled into providing a TOTP code to the wrong site, or via
phishing, or by an attacker simply making repeated authentication requests
in the middle of the night until the user gets exasperated and provides the
code.

By contrast, even the original FIDO U2F spec authenticates the 'origin' -
the server being authenticated *to*. I'm glossing over the details, but in
essence, the browser compares the cryptographic signature, and if it
doesn't match the expected origin, it won't complete the authentication.

It is this property that virtually eliminated an entire class of phishing
at Google:

https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

TOTP does not have equivalent phishing resistance.

-- 
Royce
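
An added illustration of the distinction drawn above (example code written for this archive page, not from the original post, ARIN, or any FIDO implementation): a TOTP verifier has no way to learn which site the user typed the code into, whereas a U2F-style verifier rejects an assertion whose signed client data names a different origin. Assumptions: the two origins are constructed placeholders, and an HMAC under a per-credential key stands in for the authenticator's ECDSA signature so the block runs with the standard library only.

```python
import hashlib
import hmac
import json
import struct

# --- TOTP (RFC 6238 / RFC 4226): the code is a function of the shared secret and the
# time step only. Nothing about *who asked for it* goes into the computation.
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp_verify(secret: bytes, code: str, t: int, requesting_origin: str) -> bool:
    # requesting_origin is deliberately unused: the verifier cannot tell that the code
    # was typed into a look-alike site and relayed, because origin is not part of the code.
    return hmac.compare_digest(totp(secret, t), code)

# --- U2F-style assertion. The browser (not the user) writes the origin it is actually
# talking to into the client data, and that data is covered by the signature.
# Simplification (assumption): HMAC under a per-credential key stands in for the
# authenticator's ECDSA signature; only the origin-binding logic is demonstrated.
def u2f_sign(cred_key: bytes, browser_origin: str, challenge: bytes) -> dict:
    client_data = json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge.hex(),
         "origin": browser_origin}, sort_keys=True).encode()
    return {"client_data": client_data,
            "sig": hmac.new(cred_key, client_data, hashlib.sha256).digest()}

def u2f_verify(cred_key: bytes, expected_origin: str, challenge: bytes, assertion: dict) -> bool:
    data = json.loads(assertion["client_data"])
    if data.get("origin") != expected_origin:
        return False  # signed data names another origin: a relayed assertion is refused
    if data.get("challenge") != challenge.hex():
        return False  # assertion belongs to a different login attempt
    expected_sig = hmac.new(cred_key, assertion["client_data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["sig"])

def demo() -> dict:
    # Constructed values: fixed secrets plus two placeholder origins, the real site and a look-alike.
    legit, phish = "https://login.example", "https://login-example.invalid"
    secret, cred_key, challenge, now = b"12345678901234567890", b"k" * 32, b"c" * 32, 1653712800
    code = totp(secret, now)  # what the user reads off the authenticator app
    return {
        "totp_legit": totp_verify(secret, code, now, legit),
        "totp_phished": totp_verify(secret, code, now, phish),  # still accepted
        "u2f_legit": u2f_verify(cred_key, legit, challenge, u2f_sign(cred_key, legit, challenge)),
        "u2f_phished": u2f_verify(cred_key, legit, challenge, u2f_sign(cred_key, phish, challenge)),
    }
```

`totp()` reproduces the RFC 4226/6238 test vector (secret `12345678901234567890`, time 59, six digits gives `287082`), so the TOTP half is the real algorithm; only the signature primitive in the U2F half is a stand-in.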
