# Lab 1: Security Requirements ## Metaverse User Stories `Metaverse Users` are referred to as users here. User | Task | Goal | Context | Action | Outcomes -- | -- | -- | -- | -- | -- User | perform authorized payment transactions | only I can make transactions in my name | An adversary knows my payment information | he tries to pay with my info | the payment is declined if not authorized by me Developer | access user configurations (avatars, config) | personalize the user experience of my applications Teacher | make physical course material available in the metaverse | students can see them in virtual reality User | have a unique identification key in bound to my avatar | everyone can recognize my avatar | my avatar is public | my avatar is used by another user | the user cannot impersonate my identity because he doesn't know the key User | virtual home to be self or zero knowledge hosted | my privacy can not be intruded Corrections: - User stories are more non-functional and should not contain less security aspects, rather the use-case functionality User | Task | Goal -- | -- | -- User | Perform a payment | Acquire a virtual/physical asset User | Add and remove friends | Keep track of what my friends are up to User | Set home privacy | Prevent strangers from entering my home User | Use voice chat | Communicate with other users User | Fast travel | Quickly get to another location in the virtual space User | Give another user an item | Sell/Gift assets ## Assets - User identity - User belongings - Friends lists - Public image of system - Voice data ### Harm analysis Action | Asset | Harm -- | -- | -- Steal user credentials | User identity | User information compromised, belongings stolen Accept unwanted friend request | Friends lists | User information partially compromised, trust acquired Unmute user microphone without consent | Voice data | User privacy compromised ### *'Achieve'* goals - Always use multi-factor authentication for users -