VC-S-2 — Attacker spoofs facetec-api to inject biometric approval

Component: vc Platform.

Mitigations: facetec-api → apigw uses mTLS + bearer token; both required.

Action: None required.

| Property | Value |
|---|---|
| Section | Spoofing |
| Owner | platform |

Mapped Controls

| Control | Title |
|---|---|
| SID-TRANS-01 | TLS 1.2+ Minimum with Configurable Version |
| SID-AUTH-01 | FIDO2/WebAuthn Passwordless Authentication |

Source: STRIDE analysis (April 2026), architecture/stride-threat-model.md