Manav Manav.id

Ghost-worker swaps fail because the signature can't be forged.

Previously framed as a detection problem ("who took over the keyboard?"), this is actually a step-up authentication problem. Every meaningful risk threshold demands a fresh, payload-bound ceremony. An attacker who has the laptop still cannot satisfy Face ID. The swap is useless.

Privacy posture for this scene
We don't detect the swap. We make the swap pointless.
  • Zero continuous monitoring of the user. No telemetry SDK on the worker's machine.
  • The legitimate worker is challenged only at moments of consequence (wires, deploys, contracts).
  • An attacker without the user's biometric cannot satisfy the ceremony, regardless of session theft.

The bad framing, surveillance

"We detect when someone else takes over the keyboard mid-session by analyzing keystroke biometrics, mouse cadence, and webcam-based liveness." Requires continuous monitoring. Generates false positives. Violates GDPR Article 22 in regulated geographies. Workers and unions push back.

The privacy-preserving framing, policy

Every meaningful risk threshold (wire approval, contract sign, prod deploy, admin promotion) demands a fresh WebAuthn assertion bound to the specific action. The assertion is satisfied by the original user's Secure Enclave plus Face ID / Touch ID, which Apple/Google handle on-device; Manav never sees the biometric.

Try it

Asha steps away. A new person sits down. They try to approve a $12,000 vendor wire. The session token is still valid. The action fails: they cannot satisfy the device biometric.

Wire, $12,000 to Acme Logistics

wire_7733
Session: [email protected] (active)
Manav policy: step-up required at $1k+

⛔ Ceremony failed

The new person's face doesn't match the Face ID enrolled on Asha's device. The OS rejects the WebAuthn ceremony. No signature is produced. The wire stays pending. No surveillance was performed; the system simply demanded proof the legitimate user could provide.

✓ Wire released

Asha returned and satisfied her own Face ID; the signature was produced and the wire moved. No keystrokes were tracked. No webcam was on. The system did not "know" Asha had stepped away; it simply required fresh consent at the moment of risk.
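What a server-side check of such an action-bound assertion can look like, as an added example (not Manav's SDK and not code from this page). The challenge construction, function names, origin and rpId are assumptions, and the authenticator is a constructed software stand-in for the device's hardware key.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Challenge = base64url(SHA-256(canonical action || server nonce)), so a signature covers one action only.
function actionChallenge(action, nonce) {
  const canonical = JSON.stringify([action.id, action.amountCents, action.payee]);
  return sha256(Buffer.concat([Buffer.from(canonical), nonce])).toString('base64url');
}

// Server-side check of a WebAuthn assertion against the pending action.
function verifyStepUp(ctx, assertion) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong-type';
  if (client.origin !== ctx.origin) return 'wrong-origin';
  if (client.challenge !== actionChallenge(ctx.action, ctx.nonce)) return 'not-bound-to-action';
  const auth = assertion.authenticatorData;
  if (auth.length < 37 || !auth.subarray(0, 32).equals(sha256(ctx.rpId))) return 'wrong-rp';
  if ((auth[32] & 0x04) === 0) return 'user-not-verified'; // UV flag: biometric or PIN was checked
  const signed = Buffer.concat([auth, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, ctx.publicKey, assertion.signature) ? 'ok' : 'bad-signature';
}

// Constructed stand-in for a platform authenticator; real ones sign in hardware after Face ID / Touch ID.
function simulateAuthenticator(privateKey, { challenge, origin, rpId, userVerified }) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  const flags = 0x01 | (userVerified ? 0x04 : 0); // UP always, UV only after verification
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([flags, 0, 0, 0, 1])]);
  const toSign = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', toSign, privateKey) };
}

// Constructed scenario using the wire from the demo; origin and rpId are placeholders.
function demo() {
  const enrolled = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const other = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const ctx = {
    action: { id: 'wire_7733', amountCents: 1200000, payee: 'Acme Logistics' },
    nonce: crypto.randomBytes(16), origin: 'https://app.example', rpId: 'app.example', publicKey: enrolled.publicKey,
  };
  const request = { challenge: actionChallenge(ctx.action, ctx.nonce), origin: ctx.origin, rpId: ctx.rpId };
  const good = simulateAuthenticator(enrolled.privateKey, { ...request, userVerified: true });
  const altered = { ...ctx, action: { ...ctx.action, amountCents: 9900000 } };
  return {
    legitimate: verifyStepUp(ctx, good),
    differentKey: verifyStepUp(ctx, simulateAuthenticator(other.privateKey, { ...request, userVerified: true })),
    noUserVerification: verifyStepUp(ctx, simulateAuthenticator(enrolled.privateKey, { ...request, userVerified: false })),
    reusedForOtherAmount: verifyStepUp(altered, good),
  };
}
```

A valid session token plays no part in any of these checks: only an assertion from the enrolled key, with user verification set, over this exact wire passes.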

Want to ship this in your own app?

Three lines of JavaScript. Demo key mnav_test_demo works on localhost.
