Hacker News new | past | comments | ask | show | jobs | submit login

Since agents need to be authenticated once with users, the replay vulnerability should not be a concern. But a malware that sits on a client and potentially can access to agent keys can definitely be used to authenticate when phone is in proximity of infected machine. But that level of vulnerability on clients is pretty serious.

Well, if its your home computer and you know a target uses this method, then you know they've authenticated their agent. Maybe someone cleverer than I can come up with an attack vector starting with an unauthenticated agent, but I'll ignore that for now.

And I'm not talking about root access here. Just userspace to record mouse and keystrokes and then replay that. Then, just a couple of clicks and letters changed to some service that uses this authentication. If the replay is done right, those couple of clicks might lower the confidence of the behaviour analysis but not enough to lock it up (that sort of sensitivity would just make it infeasible). Now that it is authenticated, it can stop pretending and quickly move the mouse around and type to do whatever it wants. maybe it downloads your emails and uploads them somewhere.

The point is, your method requires no interaction for the majority of authentications and is potentially always online.

Applications are open for YC Winter 2023

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact