Bruce Schneier thinks this idea from Ittay Eyal is brilliant and broadly applicable. Since I like pretty much everything Bruce says (that I can understand) I tried to get my head around this and the discussion it spawned in Post Status Slack with Rowley and JJJ.
Bruce’s summary:
The paper is about cryptocurrency wallet design, but the ideas are more general. Ittay points out that a key—or an account, or anything similar—can be in one of four states:
safe Only the user has access,
loss No one has access,
leak Both the user and the adversary have access, or
theft Only the adversary has access.Once you know these states, you can assign probabilities of transitioning from one state to another (someone hacks your account and locks you out, you forgot your own password, etc.) and then build optimal security and reliability to deal with it. It’s a truly elegant way of conceptualizing the problem.
I think of it more like this, since it’s how most people actually operate:
- Secure: Only I have access (as far as I know)
- Strong Secure: Proper strong, unique passwords, 2FA
- Weak Secure: Weak, reused passwords, no 2FA (OK for trivial sites that require a login, bad for your bank account.)
- Loss:/Lockout No one has access
- Shared: I and designated others have access, which could easily become:
- Leak: Undesignated, unknown others have access, which could easily become:
- Theft/Breach: An adversary has access
- Theft and Lockout: An adversary has access and may have broadly leaked or shared access with others, but I am locked out.
- Theft and No Lockout: My account has been hacked but I can still get in.
- Theft/Breach: An adversary has access
- Leak: Undesignated, unknown others have access, which could easily become:
Avoid Sharing/Leaking with strong secure accounts, and the probability of theft/breach is much, much lower.
