The following attacks are structurally eliminated, not mitigated.
Why it works elsewhere: Attackers steal credentials and replay them.
Why it fails in PTERI:
There are no reusable secrets
Signatures are bound to challenges
Challenges are single-use and time-bound
A phished signature cannot be reused.
Why it works elsewhere: Identity is bound to phone numbers.
No SMS-based identity
No telecom dependency
No recovery via phone number
Why it works elsewhere: Databases store credentials or hashes.
No passwords stored
No credential databases
No secrets at rest on servers
A breached database yields nothing usable.
Why it works elsewhere: Static keys grant ambient authority.
API keys only access verification APIs
Authority always requires a signature
Keys cannot approve actions
Leaked API keys cannot move funds or authenticate users.
Why it works elsewhere: Tokens or sessions can be reused.
Challenges are nonce-based
Challenges expire
Signatures are bound to a specific intent
Replays are rejected deterministically.
Last updated 4 months ago
Was this helpful?
