Least credentials and Age verification


Commenting on yet another breach of sensitive data (passports), Bruce Schneier makes a good point: requiring such a powerful credential as proof for an unimportant purpose is the design flaw behind this operational snafu. It is the equivalent of the superintendent of a large apartment building giving the master key to someone who only needs access to a storage closet for a day.

Much of the uproar about proposed age verification requirements concerns this very issue. This principle expresses what creates the honeypot effect (all those high-value credentials), ruins anonymous use (strong identity disclosure), normalizes spam requesting the same, expands the attack surface, and enables scope creep.

The principle of Least Privilege is well known: it warns against granting more privileges, such as access rights, than is strictly necessary. I’ve added Least Information as another Exposure Minimization pattern. Now we add Least Credential to the list, differentiating the scope of the authenticating token (and its utility in getting authorization) from the over-provisioning of privileges.
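
One way to express Least Credential for an age check, as an added example that is not from the original post: the site accepts only a signed single-predicate token and refuses anything carrying more. The `AgeToken` type, its field names, the issuer role and `shop.example` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// AgeToken is a hypothetical least credential: one predicate, bound to one
// verifier and one session, short-lived. No name, birth date or document number.
type AgeToken struct {
	Over18   bool   `json:"over_18"`
	Audience string `json:"aud"`
	Nonce    string `json:"nonce"`
	Expires  int64  `json:"exp"` // Unix seconds
}

// Issue is run by the party that saw the strong credential (assumed issuer).
func Issue(priv ed25519.PrivateKey, t AgeToken) (payload, sig []byte) {
	payload, _ = json.Marshal(t) // marshalling this fixed struct cannot fail
	return payload, ed25519.Sign(priv, payload)
}

// Verify is run by the site. It rejects any payload carrying extra fields, so
// an over-scoped credential is refused rather than silently accepted and stored.
func Verify(pub ed25519.PublicKey, payload, sig []byte, aud, nonce string, now int64) error {
	if !ed25519.Verify(pub, payload, sig) {
		return errors.New("bad signature")
	}
	dec := json.NewDecoder(bytes.NewReader(payload))
	dec.DisallowUnknownFields()
	var t AgeToken
	if err := dec.Decode(&t); err != nil {
		return errors.New("over-scoped or malformed token")
	}
	if !t.Over18 || t.Audience != aud || t.Nonce != nonce || now >= t.Expires {
		return errors.New("predicate, audience, nonce or expiry check failed")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key
	p, s := Issue(priv, AgeToken{true, "shop.example", "n-1", 1700000300})
	fmt.Println(Verify(pub, p, s, "shop.example", "n-1", 1700000000))
}
```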