diff --git a/ThreatModel.md b/ThreatModel.md index c6420d9..61abd57 100644 --- a/ThreatModel.md +++ b/ThreatModel.md @@ -1,7 +1,6 @@ # GoSmartKeyboard Threat Model -GoSmartKeyboard assumes that it is running behind a reverse proxy that provides TLS termination. This is a common setup for web applications, and is the default configuration for the [Caddy](https://caddyserver.com/) web server. +GoSmartKeyboard assumes that it is running behind a reverse proxy that provides TLS termination. This is a common setup for web applications, and is the default configuration for the [Caddy](https://caddyserver.com/) web server. Alternatively you could use SSH port forwarding to tunnel the traffic to the server. -The daemon is intended to be used by a single user, with the client used by the same person. -It is not recommended to use this over the internet, as it is intended for the user to be able to physically see the screen. \ No newline at end of file +The server daemon is intended to be used on a single-user system. The goal is to prevent against well funded attackers without physical access to the machine from authenticating to the service. To prevent this, a 256 bit random token is generated and stored in a file. The token is then displayed to the user, and they are expected to copy it to store it safely. The token cannot be recovered because only a sha256 hash of the token is stored on disk. \ No newline at end of file
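Review bot: The added threat-model paragraph contradicts itself on token storage: it first says the 256 bit random token "is generated and stored in a file", then says "only a sha256 hash of the token is stored on disk". Suggest stating once that the token is generated and displayed to the user, and that only its SHA-256 hash is written to the file. The change also removes the line advising against use over the internet without saying whether internet exposure is now in scope; since the new goal names attackers without physical access, the document should say so explicitly, and should say whether the client is still expected to be operated by the same person. Minor: "prevent against" should read "protect against", and the file still ends without a trailing newline.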