
The Bluetooth dependency looks painful. But I'm also highly skeptical of the behavioural analysis. I feel like a piece of malware could replay recorded behaviour and attack at 2:30am when the user is probably close enough to trigger an automatic authentication.

Since agents need to be authenticated once with users, the replay vulnerability should not be a concern. But malware that sits on a client and can potentially access agent keys can definitely be used to authenticate when the phone is in proximity of the infected machine. But that level of vulnerability on clients is pretty serious.

Well, if it's your home computer and you know a target uses this method, then you know they've authenticated their agent. Maybe someone cleverer than I can come up with an attack vector starting with an unauthenticated agent, but I'll ignore that for now.

And I'm not talking about root access here. Just userspace to record mouse and keystrokes and then replay that. Then, just a couple of clicks and letters changed to some service that uses this authentication. If the replay is done right, those couple of clicks might lower the confidence of the behaviour analysis but not enough to lock it up (that sort of sensitivity would just make it infeasible). Now that it is authenticated, it can stop pretending and quickly move the mouse around and type to do whatever it wants. Maybe it downloads your emails and uploads them somewhere.

The point is, your method requires no interaction for the majority of authentications and is potentially always online.
