Frequently Asked Question

Can a determined attacker capture and replay user activity to defeat Plurilock authentication?

Practically speaking, no. While in theory the capture and replay of user activity is possible, as a real-world task such an attack would be prohibitively complex to achieve, for multiple compounding reasons.

First, Plurilock user profiles evolve over time as users’ movement patterns evolve, meaning that captured data is only temporarily valid. Next, any capture attempt must detect low-level press, release, timing, and acceleration data, not merely the content of keystrokes or the positions of clicks, and the ability to capture this data implies an already severely compromised system.

Finally, even if somehow successfully captured and prepared for reuse in time, replay requires the replication of timing and movement patterns at a low enough level to fool the Plurilock agent(s), which likely involves a dedicated hardware attack solution—for example, simulated USB HID device(s) able to reproduce these timing and movement patterns seamlessly and faithfully.

Though in theory these things might be possible with sufficient time, skill, and resources, a successful Plurilock attack is significantly more difficult to achieve than—for example—an attack involving the theft of OTP codes delivered via SMS, which is trivial by comparison.
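The first two points above (profiles that evolve, and timing data rather than keystroke content) can be illustrated with a generic keystroke-dynamics sketch. This is an added example, not Plurilock's code or algorithm; the function names, the moving-average profile update, and all timing values are constructed assumptions.

```python
"""Generic keystroke-dynamics sketch (added example; not Plurilock's algorithm)."""
from statistics import mean

def make_events(text, dwells, flights):
    """Build constructed (key, press_ms, release_ms) events for a typed string."""
    t, events = 0, []
    for i, ch in enumerate(text):
        events.append((ch, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

def content(events):
    """What a content-only keylogger records: the characters, nothing else."""
    return "".join(k for k, _, _ in events)

def features(events):
    """Timing vector: dwell (press to release) then flight (release to next press)."""
    dwell = [r - p for _, p, r in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def distance(profile, sample):
    """Mean absolute difference in ms between two timing vectors."""
    return mean(abs(a - b) for a, b in zip(profile, sample))

def update(profile, sample, alpha=0.3):
    """Exponential moving average, so the profile follows recent behaviour."""
    return [(1 - alpha) * p + alpha * s for p, s in zip(profile, sample)]

def stale_capture_scores(sessions=10, drift_ms=2):
    """Distance of a session-0 capture from the profile after each later session."""
    base_d, base_f = [90, 85, 100, 95], [40, 55, 35]   # constructed timings
    captured = features(make_events("pass", base_d, base_f))
    profile, scores = list(captured), []
    for k in range(1, sessions + 1):
        d = [x + drift_ms * k for x in base_d]
        f = [x + drift_ms * k for x in base_f]
        profile = update(profile, features(make_events("pass", d, f)))
        scores.append(distance(profile, captured))
    return scores

if __name__ == "__main__":
    user = make_events("pass", [90, 85, 100, 95], [40, 55, 35])
    other = make_events("pass", [120, 60, 140, 70], [80, 20, 90])
    print(content(user) == content(other), distance(features(user), features(other)))
    print([round(s, 2) for s in stale_capture_scores()])
```

Two sessions with identical typed content produce clearly different timing vectors, and a capture taken at session 0 drifts steadily further from the profile as the profile follows the user's later sessions.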

PLURILOCK IS THE LEADER IN ADVANCED AUTHENTICATION

Plurilock is the leader in advanced, risk-based authentication. We provide invisible, device-free MFA for corporate endpoints, Citrix sessions, cloud applications, and their users in finance, healthcare, education, and SaaS.
