That's the assumption that file authentication would remove. Well, assuming that the server isn't also sending a backdoored client..