Closed andrewbwm closed 2 years ago
The reworking of Credentials in #58 resulted in introducing a new association between Credentials called ConditionalAuthentication. While more broad in scope, its primary use is likely to be multi-factor authentication. The relationship prevents a Credentials asset from being used if the requiredFactors associated with it have not been compromised.
Additionally, credentials guessing was introduced and it is inversely proportional to the securityAwareness defence of the User to which they belong (via Identity assets).
Three new defences were also introduced.
notGuessable is directly tied to the credentials guessing mentioned above and simply states that those credentials cannot be guessed by the attacker due to some of their innate properties.
notPhishable means that they cannot be stolen via social engineering due to some intrinsic traits.
unique represents that the attacker cannot use these credentials as part of a credentials reuse attack (either as a source or as a victim).
This seems to work by nesting Credentials via the Data asset.
If we are content with this implementation perhaps we want to remove the "TwoFactorAuthentication" defence on the Identity asset. We just need to make sure the behaviour is the desired one.
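To check that the behaviour is the desired one, the semantics described above can be reduced to a small boolean model. This is an added example, not code from the project or from #58: the Python names, the `owner` field (a stand-in for the User reached via Identity) and the sample assets are assumptions, and the securityAwareness probability is left out.

```python
from dataclasses import dataclass, field


@dataclass
class Credentials:
    name: str
    owner: str                   # assumed stand-in for the User reached via Identity
    not_guessable: bool = False  # defence: guessing never succeeds
    not_phishable: bool = False  # defence: social engineering never succeeds
    unique: bool = False         # defence: neither source nor victim of reuse
    required_factors: list = field(default_factory=list)  # ConditionalAuthentication


def compromised(creds, guessed=(), phished=()):
    """Names of credentials whose secret the attacker ends up holding."""
    got = set()
    for c in creds:
        if c.name in guessed and not c.not_guessable:
            got.add(c.name)
        if c.name in phished and not c.not_phishable:
            got.add(c.name)
    # Reuse: a compromised non-unique credential exposes the same owner's
    # other non-unique credentials; unique ones take no part in either role.
    leaking = {c.owner for c in creds if c.name in got and not c.unique}
    for c in creds:
        if c.owner in leaking and not c.unique:
            got.add(c.name)
    return got


def usable(creds, guessed=(), phished=()):
    """Compromised credentials whose requiredFactors are all compromised too."""
    got = compromised(creds, guessed, phished)
    return {c.name for c in creds
            if c.name in got and all(f in got for f in c.required_factors)}


def sample_model(totp_hardened=True):
    """Constructed model: a VPN password that requires a TOTP factor."""
    return [
        Credentials("forum_pw", "alice"),
        Credentials("vpn_pw", "alice", required_factors=["vpn_totp"]),
        Credentials("vpn_totp", "alice", not_guessable=True,
                    not_phishable=totp_hardened, unique=True),
    ]
```

In the hardened model a guessed `forum_pw` still exposes `vpn_pw` through reuse, but `vpn_pw` stays unusable until `vpn_totp` is compromised as well.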