Research & Proof of Concept

SteroidID

Phone stays in your pocket. Auth happens on your terms.

FIDO2 passkeys meet Estonia's Smart-ID — phishing-resistant, zero phone touch.

01
The Problem

Your phone is the weakest link

🎣

Phishing & AiTM

Users can't spot Ihv.ee vs lhv.ee. Attackers proxy auth in real-time.

💣

Push Bombing

Spam notifications cause fatigue. One tired tap = full account compromise.

📱

QRLJacking

QR codes relayed to victims. They scan "their" code — you get their session.

And every single time, the user has to pick up their phone and manually enter a PIN.

02
The Vision

Flip the trust model

Today
📱 Phone buzzes — "Approve?"
👤 User squints at phone
🔢 Enter PIN manually
❓ Hope it's legitimate

SteroidID
💻 Laptop: "I intend to auth with Bank XYZ"
🖐️ User taps fingerprint
🤖 Daemon auto-executes all phone taps
✅ Verified. Phone stays in pocket.

The phone becomes a signing oracle, not a user interface.

03
How It Works

One pipeline. Zero phone touches.

🧩
Browser Extension
Passkey auth in sidebar
🔐
FIDO2 Server
Verifies biometric proof
🧠
Orchestrator
Directs all phone actions
📡
a11y Bridge
Reads & taps phone UI
📱
Smart-ID App
Signs. No user needed.

Everything runs locally. No cloud. No third party. No credentials leave your machine.

04
The Secret Sauce

100× faster than the old way

Read UI tree (old way): 3–5 seconds
A11y Bridge: ~50ms
APK footprint: 16KB
Speedup: 100×

Android Accessibility Service → HTTP API on localhost:7333 — no screencaps, no adb dumps.

05
Security Model

Defense in depth

1

Passkey Gate

WebAuthn biometric assertion required before any tap command is issued. No passkey = no taps.

2

PIN Isolation

PIN values encrypted on laptop. Decrypted only in RAM during auth. Daemon receives tap coordinates, never secrets.

3

Local-Only

All communication is loopback HTTP. Nothing traverses the network. No cloud dependency.

4

Zero Credentials on Daemon

Compromise the daemon? You get tap coordinates to an unknown screen. No PINs, no keys, no tokens.
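As an added illustration (not code from the SteroidID project) of the passkey gate, PIN isolation and local-only rules above: an orchestrator-side check, in Python, that releases tap coordinates to the bridge only after a passkey assertion for the intended relying party has been verified, and only to a loopback endpoint. The `rp_id` binding, the 30-second validity window and the field names are assumptions; the WebAuthn verification itself happens in the FIDO2 server and is outside this snippet.

```python
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# a11y bridge endpoint as described on the page: HTTP on loopback, port 7333
BRIDGE_URL = "http://localhost:7333/tap"
ASSERTION_TTL_S = 30.0  # assumption: how long one verified assertion authorises taps


@dataclass
class VerifiedAssertion:
    rp_id: str          # relying party the user declared they intend to auth with
    verified_at: float  # time the FIDO2 server verified the WebAuthn assertion


@dataclass
class TapCommand:
    x: int
    y: int
    rp_id: str


def is_loopback(url: str) -> bool:
    """Local-only rule: refuse any bridge endpoint that is not on loopback."""
    host = urlparse(url).hostname or ""
    return host in ("localhost", "127.0.0.1", "::1")


class PasskeyGate:
    """No passkey = no taps: tap coordinates leave the gate only behind a fresh assertion."""

    def __init__(self, bridge_url: str = BRIDGE_URL, ttl_s: float = ASSERTION_TTL_S):
        self.bridge_url = bridge_url
        self.ttl_s = ttl_s
        self._assertion: Optional[VerifiedAssertion] = None

    def record_assertion(self, rp_id: str, now: Optional[float] = None) -> None:
        # Called by the FIDO2 server once the biometric assertion has verified.
        self._assertion = VerifiedAssertion(rp_id, time.time() if now is None else now)

    def authorize(self, cmd: TapCommand, now: Optional[float] = None) -> tuple[bool, str]:
        """Return (allowed, reason) for a single tap command."""
        now = time.time() if now is None else now
        if not is_loopback(self.bridge_url):
            return False, "bridge endpoint is not loopback"
        a = self._assertion
        if a is None:
            return False, "no passkey assertion: no taps"
        if a.rp_id != cmd.rp_id:
            return False, "assertion was for a different relying party"
        if now - a.verified_at > self.ttl_s:
            return False, "passkey assertion expired"
        return True, "ok"

    def payload(self, cmd: TapCommand) -> dict:
        """What the daemon actually receives: coordinates only, never a PIN or key."""
        return {"x": int(cmd.x), "y": int(cmd.y)}
```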

06
Happy Path

Auth in under 8 seconds

1
Click "Smart-ID login" — phone buzzes in your pocket. Ignore it.
2
Tap your fingerprint on the laptop. WebAuthn verifies you initiated this.
3
Daemon takes over — taps Confirm, selects the correct code, enters PIN1.
4
Type PIN2 on your laptop. Keystrokes mapped to phone coordinates. Daemon taps.
Authenticated. Phone never left your pocket. Under 8 seconds.

07
By the Numbers

Performance that matters

100× faster than uiautomator
0 phone interactions
<8s end-to-end auth
16KB APK on device

From 60+ seconds of screencap-tap-guess-repeat → one biometric touch and done.

08
Why Now

The timing is right

🇪🇺

eIDAS 2.0

EU mandate for phishing-resistant digital identity. Smart-ID needs FIDO2 alignment.

🔑

Passkey Adoption

Google, Apple, Microsoft shipping passkeys. 1B+ devices support WebAuthn today.

⚠️

Phishing Epidemic

90% of breaches start with phishing. AiTM toolkits make it trivial. Passwords are dead.

Estonia's 1.3M Smart-ID users deserve authentication that can't be phished.

09

Stronger auth.
Less friction.

Open source. FIDO2-native. eIDAS-aligned.

SteroidID proves that security and usability aren't opposites — they're the same thing, done right.

10
See It In Action

Zero phone touches.
100% passkey-gated.