Improving the authentication user experience is on the Services Roadmap for MyAPNIC, comprising both a change from username to email address as login ID, and an overhaul of the two-factor authentication mechanism.
Since 2008, MyAPNIC has authenticated users through a username and password, and optionally provided higher security through an X.509 identity certificate. Using certificates provides strong cryptographic authentication, but tools to manage and use certificates are not always easy to use.
To address this, MyAPNIC will offer an alternative second factor for authentication using time-based one-time passwords, known as TOTP and defined as an open standard in RFC 6238. This method is already familiar to many Internet users, since a large number of services use it, including Amazon Web Services, Google Mail, Kickstarter, Microsoft Account, Facebook, GitHub, and Dropbox.
After a few setup steps, authentication will involve entering your user ID, password, and a six-digit code generated by a device you control, typically a smartphone. The device replaces the X.509 certificate as “something you possess”, while your password remains “something you know”, providing the two different methods of authentication required for two-factor authentication to deliver its security benefits.
Before we go further, though, the Secretariat would like to receive feedback. Is this something you’d like to see happen? Are you comfortable with time-based one time passwords? Would you like to see X.509 support maintained, or phased out through a transition period? Please leave a comment below, or contact us directly.