Password & SMS-OTP login is routinely compromised by phishing, credential stuffing and SIM-swap fraud.
Face authentication is vulnerable to presentation attacks — printed photos, video replays, silicone masks, AR filters, deepfake injection.
Every new application re-implements auth; KVKK & GDPR compliance is patched on as an afterthought.
Mainstream IAM suites (Okta, Auth0, Entra) treat biometrics as a device-local feature and rarely unify digital access, document verification and proctoring under one tenant boundary.
Per-frame liveness fails for proctoring — an attacker holds a spoof for 30 s, flashes a real face for one frame, resumes the spoof, and the average passes.
2. What FIVUCSAS Is
FIVUCSAS — Face & Identity Verification using Cloud-based SaaS Models —
is a production-deployed, multi-tenant biometric identity SaaS exposed through one hosted
OAuth 2.0 + OIDC + PKCE (RFC 7636) redirect. What we built:
Face recognition core — DeepFace 0.0.98 detection → MediaPipe FaceLandmarker 468-point → Facenet-512 embedding (Fernet AES-128 encrypted) → cosine match on pgvector (HNSW m=16/ef=64).
The Biometric Puzzle — randomised challenge–response: 7 face actions + 9 hand-gesture actions, EAR / MAR / yaw thresholds, server-nonced UUID, 5-minute TTL.
Multi-tenant SaaS — Postgres Row-Level Security on 9 tables (V25), audit-log partitioning (V40 + pg_partman V57); Marmara Üniversitesi live tenant at demo.fivucsas.com.
Main Goal
Deliver a production-grade, KVKK / GDPR-compliant biometric authentication SaaS
that any client application can adopt with one OAuth 2.0 / OIDC redirect —
replacing fragmented, spoofable, per-app authentication with a single
tenant-configurable identity layer that runs on commodity CPU.
Objectives
Objective 01
Face Recognition Core
Sub-second 1:1 / 1:N matching on commodity CPU, no GPU.
e-Devlet & reCAPTCHA mental model · side-by-side · 3 use-cases
We position the product through two familiar mental models. "Sign in with e-Devlet" is Türkiye's
public-sector SSO gateway; FIVUCSAS offers the same drop-in experience for the private sector.
reCAPTCHA adds bot protection to any site with a single HTML snippet; FIVUCSAS adds ten-factor
biometric identity verification with a single <FIVUCSAS/> button. For end users:
no separate registration on every app. For developers: no login / register pages to
write — an OIDC discovery URL and one button.
Three buttons, one mental model
e-Devlet ile Giriş Yap ("Sign in with e-Devlet") · turkiye.gov.tr · public sector SSO
I'm not a robot — reCAPTCHA · google.com · bot protection drop-in
Sign in with FIVUCSAS · verify.fivucsas.com · biometric SaaS drop-in
<a class="fivucsas-btn"
href="https://verify.fivucsas.com/oauth2/authorize
?client_id=YOUR_CLIENT_ID
&response_type=code
&scope=openid+profile+email
&redirect_uri=https://yourapp.com/cb
&code_challenge=...
&code_challenge_method=S256">
<FIVUCSAS/> ile Giriş Yap
</a>
Side-by-side comparison
| Aspect | e-Devlet | reCAPTCHA | FIVUCSAS |
| --- | --- | --- | --- |
| Primary purpose | SSO | Bot defence | Identity verification |
| Scope | Public-sector | Any web | Any web / mobile / desktop |
| Auth model | Government SSO | Token-only | OAuth2 + OIDC + PKCE |
| Biometric | — | — | Active Puzzle + Passive PAD + Facenet-512 |
| NFC document | — | — | T.C. + ICAO 9303 (mobile) + Web NFC (simple cards) |
| MFA factors | 2 | 0 | 10 composable |
| Proctoring | — | — | WebSocket · session-level verdict |
| Multi-tenant | — | per-key | Postgres RLS · 9 tables (V25) |
| Integration | Gov approval | Public site-key | Public OIDC + drop-in button |
| Self-host | — | — | Docker Compose · GPU-less |
| Open source | — | — | MIT (spoof-detector) · OSS roadmap |
| Legal | KVKK | Google ToS | KVKK + GDPR + ISO 30107-3 L1 |
Bank-grade KYC
Fintech mobile onboarding: face + NFC document + liveness → one session, sub-second verification.
Online exam proctoring
Marmara BYS live at demo.fivucsas.com: continuous identity tracking, 15-axis liveness, incident detection.
Detection → Quality → Landmark → Align → Embed → Encrypt → Index → Match
Server-authoritative pipeline in biometric-processor/ (FastAPI, Python 3.12).
Every stage is replaceable — backbone, detector and similarity all swap via DI in
app/infrastructure/ml/factories/. Verification (1:1) compares against the enrolled
vector with cosine distance; identification (1:N) returns pgvector ANN top-k. Aged embeddings
(> 2 years) use a more permissive threshold.
Default θ = 0.45. Aged-embedding (> 2 yr) θ_aged = 0.38 (more permissive). 1:N top-k pgvector ANN.
θ = 0.45 · θ_aged = 0.38
app/core/config.py:156, 171-180
Honest gap. No in-house EER / FAR / FRR has been measured in the project test fixtures — published rates apply to the underlying Facenet-512 model only. Load-test targets (Login p95 < 300 ms, Verification p95 < 500 ms — load-tests/README.md:137-180) are targets, not measurements. Future work: in-house Marmara cohort EER curve.
05
NFC Document Subsystem — Two Rails
Native mobile (ICAO 9303) · Web NFC (simple cards) · cross-check to live selfie
One logical contract, two physical rails. Rail A — Native mobile NFC: Turkish T.C. ID, Turkish passports and every ICAO 9303
document sharing the same BAC chip are read over Android IsoDep + Bouncy Castle (iOS CoreNFC on roadmap).
Rail B — Web NFC: ISO/IEC 14443 Type-A & Type-B simple cards (loyalty cards, membership cards, transit cards,
MIFARE Classic / Ultralight, NTAG2xx tags) are read directly from Chrome on Android via the Web NFC API
— no native NFC layer required. Both rails speak to the same server-side verifier.
T.C. Yeni Kimlik Kartı
The contactless ISO/IEC 14443 chip lives on the back of the T.C. ID card; on passports it is in the cover. Common ICAO AID A0 00 00 02 47 10 01. The same BAC key derivation (SHA-1 from MRZ) is reused for TD3 passports and every other ICAO 9303 document carrying the same chip.
Submodule · MIT · paper draft · iBeta L1 submission · amispoof.fivucsas.com
Live demo · browser bundle · GPU-less (WASM + optional WebGPU)
https://amispoof.fivucsas.com/
GPU-less, two ways. spoof-detector runs without a GPU on both sides: server-side (Python reference, Hetzner CX43 CPU, 63 ms / frame, 15.9 fps) and client-side (browser WASM bundle, optional WebGPU, 25–30 fps on desktop). This architectural choice frees both the FIVUCSAS SaaS deployment and any self-hosted environment from any GPU dependency.
spoof-detector is a separate submodule (git@github.com:Rollingcat-Software/spoof-detector.git, MIT,
published as @rollingcat/spoof-detector v0.2.1). It contains the
19-analyzer hybrid PAD, a 15-axis LivenessProver (185-pt ceiling, natural decay),
a session-level peak-sensitive verdict aggregator, and a TypeScript browser port deployed
at amispoof.fivucsas.com. The architectural contribution — proven
formally in §4 of the paper — is that session verdicts resist spoof-burst dilution:
54 spoof frames at p = 0.20 + 6 real frames at p = 0.95 → verdict SPOOF; an otherwise live
session with a single dip frame → verdict LIVE.
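The two sessions described above, plus a constructed spoof burst inside an otherwise live session, run through a peak-sensitive aggregator. This is an added example, not the spoof-detector's code: α = 0.5 and "mean + worst-decile" are quoted elsewhere on this page, while the exact blend formula, the 0.6 threshold and all function names are assumptions.

```python
import math
from statistics import fmean

ALPHA = 0.5           # blend weight quoted on the page
LIVE_THRESHOLD = 0.6  # assumed decision threshold, not from the page


def worst_decile_mean(p_real):
    """Mean of the lowest-scoring 10 % of frames (at least one frame)."""
    k = max(1, math.ceil(len(p_real) / 10))
    return fmean(sorted(p_real)[:k])


def session_score(p_real, alpha=ALPHA):
    """Assumed form: alpha * mean + (1 - alpha) * worst-decile mean."""
    if not p_real:
        raise ValueError("session has no frames")
    return alpha * fmean(p_real) + (1 - alpha) * worst_decile_mean(p_real)


def verdict(score, threshold=LIVE_THRESHOLD):
    return "LIVE" if score >= threshold else "SPOOF"


def compare(p_real):
    """Return (mean-only verdict, peak-sensitive verdict) for one session."""
    return verdict(fmean(p_real)), verdict(session_score(p_real))


# Constructed sessions of 60 per-frame P(REAL) values in [0, 1].
PAGE_SPOOF = [0.20] * 54 + [0.95] * 6                 # the page's first case
PAGE_SINGLE_DIP = [0.95] * 59 + [0.20]                # live session, one dip frame
SPOOF_BURST = [0.95] * 27 + [0.20] * 6 + [0.95] * 27  # 6-frame burst mid-session

if __name__ == "__main__":
    sessions = {
        "page: 54 spoof + 6 real": PAGE_SPOOF,
        "page: single dip frame": PAGE_SINGLE_DIP,
        "constructed: spoof burst": SPOOF_BURST,
    }
    for name, frames in sessions.items():
        mean_only, peak_sensitive = compare(frames)
        print(f"{name:28s} mean-only={mean_only:5s} "
              f"peak-sensitive={peak_sensitive:5s} "
              f"score={session_score(frames):.4f}")
```

Under these assumptions the burst session averages 0.875 and passes a mean-only check, while the worst-decile term pulls the blended score to 0.5375 and the verdict to SPOOF.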
A. Architecture
Backbone — MiniFASNet ONNX (UniFace v2, frozen, 1.7 MB), 80×80 input, P(REAL) ∈ [0, 100]. Discrimination gap on in-house set +94.7 (μ_real 99.9, μ_spoof 5.1). paper/ARCHITECTURE.md:75-76 · 05_calibration.md:25
Calibration — 13 linear coefficients in MultiClassFuser, calibrated against 43 KVKK-consented Marmara captures (27 bona-fide + 16 attacks). No model training. 05_calibration.md:66
Anti-correlation finding (§5 contribution) — Laplacian-texture & Gabor-moire are anti-correlated on high-PPI AMOLED replays. Re-weighting 1.0 → 0.1 recovers 0.017 of 0.019 AUC gap.
Measured results (paper, bootstrap 95 % CI on 100 stratified resamples)
| Dataset / regime | Pipeline | Value | 95 % CI | Source |
| --- | --- | --- | --- | --- |
| CASIA-FASD AUC (zero-shot, N = 2 408) | minifasnet_only | 0.9452 | [0.9366, 0.9560] | 07_results.md:15 |
| CASIA-FASD ACER | minifasnet_only | 12.67 % | [11.07, 13.92] | :15 |
| CelebA-Spoof AUC (zero-shot, N = 2 611) | minifasnet_only | 0.7818 | [0.7663, 0.7993] | :36 |
| CelebA-Spoof ACER | minifasnet_only | 28.67 % | [27.36, 30.23] | :36 |
| In-house replay AUC (N = 100) | image_only | 0.9264 | [0.8685, 0.9744] | :68 |
| Cross-dataset CI separation | minifasnet_only | 0.14 AUC pts | > 4 × CI width | :42-43 |
| Per-frame latency (Hetzner CX43 CPU) | hybrid | 63.0 ms | p99 = 117.8 ms | :110 |
| Sustained FPS (Python reference) | hybrid | 15.9 fps | — | :110-112 |
| Browser (desktop Chrome, WebGPU) | browser bundle | 25 – 30 fps | — | BROWSER_READINESS.md:4 |
| Browser (Pixel-class Android, Brave) | browser bundle | 6.7 – 9.5 fps | with Worker frame-skip | ROADMAP.md:139-141 |
| ISO/IEC 30107-3 (in-house scripted) | session | Grade C | BPCER 0 % · APCER 30 % · ACER 15 % | README.md:74-84 |
Honest competitive positioning. The paper does not claim to beat commercial PAD competitors (FaceTec ZoOm, iProov GPA, Onfido Atlas, Jumio, AWS Rekognition Liveness, Microsoft Face API) head-to-head. Modern intra-dataset SOTA (CDCN, FAS-SGTD) reaches AUC > 0.99 with full retraining; FIVUCSAS's 0.9452 is zero-shot — competitive with mid-tier published methods on the strictest robustness regime. Where FIVUCSAS does hold genuine ground: session-level verdicts (proctoring-native), client-side browser deployment (no GPU server, no frame upload), the anti-correlated signal discovery, reproducible no-training calibration (13 floats), MIT open-source. Where it does not yet: model maturity (frozen 3rd-party backbone), dataset scale (43-sample in-house calibration).
The active liveness layer is a collection of 23 canonical micro-challenges the user performs with face
or hand biometrics (web-app/src/features/biometric-puzzles/BiometricPuzzleId.ts).
Per attempt the server selects a random sequence of 2–7 challenges, signs it with a UUID v4 nonce (Redis),
assigns a difficulty tier and sends it to the client. The client streams only landmark and metric vectors —
the server classifies each step against EAR / MAR / yaw thresholds and signs the verdict. Pre-recorded video,
AR filters, deepfake injection and screen-replay all fail because the requested sequence is unpredictable
and unmodifiable client-side.
14 Face Micro-Challenges
| Challenge | Signal / threshold |
| --- | --- |
| FACE_BLINK | EAR 0.21 / 0.23 |
| CLOSE_LEFT | L-EAR drop |
| CLOSE_RIGHT | R-EAR drop |
| SMILE | corner-raise 0.05 |
| OPEN_MOUTH | MAR · 0.6 |
| TURN_LEFT | yaw −20° |
| TURN_RIGHT | yaw +20° |
| LOOK_UP | pitch +12° |
| LOOK_DOWN | pitch −12° |
| RAISE_BOTH_BROWS | eye-brow Δ 0.08 |
| RAISE_LEFT_BROW | L-brow Δ |
| RAISE_RIGHT_BROW | R-brow Δ |
| NOD | pitch oscillation |
| SHAKE_HEAD | yaw oscillation |
9 Hand-Gesture Micro-Challenges (landmark-only — no image upload)
| Challenge | Signal / threshold |
| --- | --- |
| FINGER_COUNT | TIP/PIP ratio |
| WAVE | wrist-x zero-cross |
| FLIP | palm-normal sign |
| FINGER_TAP | idx ↔ mid proximity |
| PINCH | thumb ↔ idx distance |
| PEEK_A_BOO | monotonic cover |
| MATH (n=k) | random open-fingers |
| SHAPE_TRACE | DTW vs template |
| TRACE_TEMPLATE | DTW catalog |
A. Sequence & timing
Difficulty: easy (2–3 actions, 7 s each) · standard (3–4 / 5 s) · hard (4–5 / 4 s). app/domain/entities/puzzle.py:14-19
Step count: randomised 2–7 · per-step timeout 2–30 s · max 3 retry · session timeout 120 s.
Total TTL: 5 minutes · puzzle UUID stored in Redis.
Entropy: 23 P k permutations for length-k sequences. For a single 4-step puzzle ≈ 212 520 ordered sequences.
B. Anti-replay & hybrid fusion
Sequence is generated server-side; client cannot mutate it.
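A sketch of the server-side issue-and-redeem cycle described in this section: a CSPRNG-drawn sequence bound to a UUID v4, a 5-minute TTL, and single-use redemption. This is an added example, not the project's code: `PuzzleStore`, `issue` and `redeem` are hypothetical names, a dict stands in for Redis, and `performed` is assumed to be the list of actions the server itself classified from the landmark stream.

```python
import math
import secrets
import time
import uuid

# The 23 challenge names listed on the page (MATH stands for "MATH (n=k)").
CHALLENGES = (
    "FACE_BLINK", "CLOSE_LEFT", "CLOSE_RIGHT", "SMILE", "OPEN_MOUTH",
    "TURN_LEFT", "TURN_RIGHT", "LOOK_UP", "LOOK_DOWN", "RAISE_BOTH_BROWS",
    "RAISE_LEFT_BROW", "RAISE_RIGHT_BROW", "NOD", "SHAKE_HEAD",
    "FINGER_COUNT", "WAVE", "FLIP", "FINGER_TAP", "PINCH", "PEEK_A_BOO",
    "MATH", "SHAPE_TRACE", "TRACE_TEMPLATE",
)
TTL_SECONDS = 300                 # 5-minute total TTL from the page
_rng = secrets.SystemRandom()     # OS CSPRNG, so the sequence is not guessable


class PuzzleStore:
    """In-memory stand-in for the Redis puzzle store (assumption)."""

    def __init__(self, clock=time.time):
        self._items = {}
        self._clock = clock

    def issue(self, min_steps=2, max_steps=7):
        """Draw an ordered sequence without repeats and bind it to a fresh UUID."""
        k = _rng.randint(min_steps, max_steps)
        steps = tuple(_rng.sample(CHALLENGES, k))
        puzzle_id = str(uuid.uuid4())
        self._items[puzzle_id] = (steps, self._clock() + TTL_SECONDS)
        return puzzle_id, steps

    def redeem(self, puzzle_id, performed):
        """Check server-classified actions against the stored sequence, once."""
        # Pop before any check: a second submission of the same id always fails.
        entry = self._items.pop(puzzle_id, None)
        if entry is None:
            return "unknown-or-replayed"
        steps, expires_at = entry
        if self._clock() > expires_at:
            return "expired"
        if tuple(performed) != steps:
            return "sequence-mismatch"
        return "ok"


def ordered_sequences(k, n=len(CHALLENGES)):
    """Number of ordered k-step sequences without repeats (n P k)."""
    return math.perm(n, k)


if __name__ == "__main__":
    store = PuzzleStore()
    pid, steps = store.issue()
    print(steps, store.redeem(pid, steps), store.redeem(pid, steps))
    print(ordered_sequences(4))
```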
NIST 800-63B · Know / Have / Are / Show · tenant JSON, not Java
∑ 10
Per-tenant MFA composition · no backend code required
| Category | Factor | Detail | Source |
| --- | --- | --- | --- |
| Know | Password | BCrypt-12 | PasswordAuthHandler.java |
| Have | Email OTP | 6-digit · 5 min | OtpService.java:16 |
| Have | SMS OTP | Twilio · 6-digit | SmsOtpAuthHandler.java |
| Have | TOTP | RFC 6238 · 30 s | TotpService.java:32 |
| Have | QR Code | cross-device | QrCodeAuthHandler.java |
| Are | Face | Facenet-512 + Puzzle | FaceAuthHandler.java |
| Are | Voice | Resemblyzer · 256-D | V33 voice_enrollments |
| Are | Fingerprint | WebAuthn platform | FingerprintAuthHandler.java |
| Have | Hardware Key | FIDO2 · WebAuthn | HardwareKeyAuthHandler.java |
| Show | NFC Document | ICAO 9303 · BAC | NfcDocumentAuthHandler.java |
8.5
Self-Host or SaaS · GPU-less by Design
Open source · install in your own infra · no GPU dependency anywhere
A. Two delivery models — your choice
SaaS (managed) — like Marmara University: hosted login on verify.fivucsas.com, zero operational burden, shared Hetzner CX43. For teams who would rather we operate it.
Self-host (on-prem / private cloud) — open source, single-machine Docker Compose install. Same operating model as PostgreSQL, OpenWebUI, Keycloak, Authentik, Supabase. For banks, public sector and KVKK / GDPR-local deployments.
Hybrid — control plane (Identity Core) on the tenant side, ML services (Biometric Processor + spoof-detector) in the FIVUCSAS cloud. Network egress is limited to Fernet-encrypted embeddings.
License — spoof-detector is MIT-public; the main monorepo opens on the Spring 2026 roadmap, alongside paper publication.
B. GPU-less — by design, not by accident
Hetzner CX43 is a single rented physical machine — 8 vCPU / 16 GB / 150 GB / no GPU. On that one box,
7 production containers + Postgres + Redis + Prometheus + Grafana + Loki + the 19-analyzer hybrid PAD +
MediaPipe FaceLandmarker + DeepFace + Facenet-512 + the MiniFASNet ONNX backbone all run CPU-only.
Self-hosters inherit the same property — modest commodity hardware is enough.
Boot sentinel: ALLOW_HEAVY_ML=false by default refuses to boot with retinaface, yolov8 – 12, ArcFace, VGG-Face or GhostFaceNet.
The spoof-detector browser port uses WebGPU when available but falls back to WASM for 100 % CPU-only operation; native Chrome runs 25–30 fps with WebGPU, 8–12 fps via the WASM Worker with frame-skip.
Architectural achievement: a GPU-free environment hosts the 23-puzzle active liveness, the 19-analyzer passive PAD, Facenet-512, ICAO 9303 NFC, ten composable auth factors and a multi-tenant SaaS — all on one box.
C. Paper scope — whole-project or spoof-detector-only?
The current paper draft ("Beyond Single Frames: Session-Based Hybrid Image-and-Video Face Anti-Spoofing with Calibrated Multi-Class Fusion")
is spoof-detector–focused and targets BIOSIG 2026 / IJCB 2026 / IEEE FG 2027. Alternative scope:
"FIVUCSAS — A GPU-less, Multi-Tenant Biometric Identity SaaS with Hybrid Active + Passive Liveness, 23 Active Micro-Challenges,
ICAO 9303 NFC Two-Rail Architecture, and a Drop-in OIDC Button" — a whole-system / system-design paper for ICSE, ICST, ASE
or an industry-track venue. The decision will be made once the current draft is finalised.
09
Differentiators & Engineering Effort
What we delivered · what was actually hard
A. What we delivered
Production multi-tenant SaaS — Marmara Üniversitesi live (demo.fivucsas.com) · 7 prod containers on Hetzner CX43.
Hexagonal / DDD — ports/adapters in both Java (identity-core) and Python (biometric-processor).
Shared UI component library (DRY) — app.fivucsas.com and verify.fivucsas.com share one design system: colours, buttons, form inputs, modals and the biometric-enrolment flow are written once and ship to both products. UI updates propagate from a single source.
~691 k lines · ~2 768 tests · ~1 847 commits (last 6 months, all repos).
B. What was actually hard (honest engineering log)
Cross-modal timing — Puzzle ↔ PAD fusion; fail-open cosine bug in FaceVerifyMfaStepHandler closed in PR #83.
MediaPipe Tasks-API port — migrated from legacy face_mesh (active branch fix/2026-05-12-mediapipe-tasks-api-port).
pgvector index tuning — IVFFlat (lists = 100) vs HNSW (m = 16 / ef = 64). Recall-vs-latency calibration ongoing.
Postgres RLS + audit-log partitioning — V57 silently no-op'd until V59 / V60 backfill of 140 NULL tenant_ids.
BAC crypto correctness — SHA-1 key derivation from MRZ; PACE / AA / CA still out-of-scope.
FK-cascade incident — DELETE FROM users wiped a real user's TOTP / WebAuthn / NFC; patched to soft-delete-aware findByEmail.
Anti-correlated signal discovery — texture / moire higher on real in modern hi-PPI capture (paper §5).
Public service-health page (UptimeRobot) — API + biometric + verify widget.
amispoof.fivucsas.com
Spoof-detector demo
19-analyzer PAD running entirely in the browser: WebGPU + WASM, no frame uploads. 217 vitest green.
Grafana [internal-only]
Observability container
Prometheus + Loki dashboards. Docker container fivucsas-grafana runs; Traefik public router is commented out (infra/traefik/config/dynamic.yml:103) and no public DNS — accessible only from within the host.
One QR · all links. A single QR code on this poster points to a link navigator page we own:
links.fivucsas.com. We do not depend on a third-party shortener — our own static
subdomain hosts every project subdomain, the team (GitHub, LinkedIn, portfolio, email), poster artefacts
(HTML, PDF, PNG, text brief) and shortcuts to live surfaces. Hostinger static (no Docker), the same pattern
as bys-demo / amispoof / landing.
Scan to open the FIVUCSAS hub
A single QR for landing + hosted-login + admin + docs + demo + spoof-detector + status — every surface under one short link. Scan from any phone and jump to the surface you need.
https://fivucsas.com/links
11
By the Numbers
Measured 2026-05-19 · all values from repo, no estimates
It removes the requirement to register and log in to every web/mobile app. With one FIVUCSAS button, users sign in anywhere FIVUCSAS is supported using any of ten methods. App owners ship hosted-login via OIDC + PKCE without writing register/login pages.
How is it different from e-Devlet?
e-Devlet is Türkiye's public-sector SSO; FIVUCSAS offers the same drop-in button to the private sector. Open OIDC discovery, ICAO 9303 NFC, active Puzzle + passive PAD, multi-tenant RLS, KVKK + GDPR + ISO 30107-3 L1 submission package.
Why ten composable authentication factors?
Following NIST 800-63B's Know / Have / Are / Show axes, each tenant composes its own MFA flow from the supported set — no backend code required, configuration is JSON. A bank and a small SaaS reuse the same code path with different combinations.
How does the Biometric Puzzle catch spoofs?
The server emits a UUID-nonced sequence of 3–5 random actions per attempt (5-min TTL). Pre-recorded video, deepfake injection and screen-replay all fail because the requested action set is unpredictable, timestamped, server-generated and immutable client-side.
How is KVKK / GDPR compliance achieved?
Embeddings are sealed at rest with Fernet AES-128 + HMAC-SHA256. Soft-delete via deleted_at + Hibernate @SQLRestriction. Postgres RLS on 9 tables (V25). Audit logs partitioned by tenant_id (V40 + pg_partman V57). EU/TR-accessible Hetzner hosting.
What does it add to proctoring?
A session-level peak-sensitive verdict (α = 0.5, mean + worst-decile) with a formal proof of resistance to spoof-burst dilution. A 15-axis LivenessProver runs continuously; 63 ms / frame Python reference, 25–30 fps in-browser (WebGPU). Background-grid analyzer is proctoring-specific.
Is NFC mandatory?
No — it is an optional factor. For bank-grade KYC it adds physical-document verification via DG2 face JPEG2000 ↔ live selfie cosine match. Supports Turkish T.C. ID + ICAO 9303 passports (BAC); simple ISO 14443 cards over Web NFC require no native layer.
Active Puzzle vs passive PAD — what is the difference?
Passive (UniFace MiniFASNet + 18 auxiliary analyzers): silent, no user cooperation. Active (Puzzle): the user performs server-requested actions — replay-proof. Hybrid fusion rule: accept iff min(P_active, P_passive) ≥ θ.
Where is the spoof-detector research published?
MIT submodule at github.com/Rollingcat-Software/spoof-detector; manuscript skeleton in paper/sections/*.md targeting BIOSIG 2026 / IJCB 2026 / IEEE FG 2027. Live browser demo at amispoof.fivucsas.com. iBeta PAD-L1 submission package on commit cc73cf08.
Do you have in-house EER / FAR / FRR numbers?
For the face pipeline, no in-house measurement yet — we say this honestly. Published Facenet-512 rates apply. For the spoof-detector, CASIA-FASD AUC 0.9452 (zero-shot, 95 % CI [0.94, 0.96]) and ACER 12.67 % were measured.
Does the system need a GPU?
No. A single Hetzner CX43 (8 vCPU / 16 GB / no GPU) runs all 7 services + 23-puzzle active liveness + 19-analyzer passive PAD + Facenet-512 + NFC pipeline. The boot sentinel ALLOW_HEAVY_ML=false refuses any GPU-only model. Self-hosters inherit the same property.
Can I self-host on my own infrastructure?
Yes — a single Docker Compose command. Same operational model as PostgreSQL, OpenWebUI, Keycloak, Authentik or Supabase. spoof-detector is already MIT-public; the main monorepo opens in Q4 2026 alongside paper publication. SaaS at verify.fivucsas.com for those who prefer hosted.