Marmara University
<FIVUCSAS/>

Face & Identity Verification using Cloud-based SaaS Models

Register once. Verify everywhere. One hosted OIDC redirect, ten biometric and credential factors.
Faculty of Engineering
Team · Authors
Ahmet Abdullah Gültekin
ahmetabdullahgultekin@gmail.com
github.com/ahmetabdullahgultekin
Ayşe Gülsüm Eren
aysegulsumeren@gmail.com
github.com/aysegulsum
Ayşenur Arıcı
aysenurarici@hotmail.com
github.com/Aysenur15
Supervisor: Assoc. Prof. Dr. Mustafa Ağaoğlu
01 · Introduction

The Problem

  • Passwords and SMS-OTP fail to phishing, credential stuffing and SIM-swap.
  • Face login is spoofable by printed photos, screen replay, masks and deepfakes.
  • Every app rebuilds auth from scratch, and KVKK / GDPR compliance gets tacked on afterwards.
  • Mainstream IAM (Okta, Auth0, Azure AD) treats biometrics as a device-local feature, not as a server-verified identity proof.
Main Goal
The project aims to develop a multi-platform, multi-tenant, and cloud-native SaaS platform for secure and flexible multi-biometric identity authentication, with KVKK / GDPR compliance built in.

What FIVUCSAS Is

A multi-tenant biometric identity SaaS that is already running in production. Every login is confirmed with your own biometric data, behind a single “Sign in with FIVUCSAS” button. It plugs into any app the way e-Devlet or “Sign in with Google” do, only here the identity proof is biometric, and you can host the whole thing yourself.

  • Face recognition: Facenet-512 embeddings, pgvector IVFFlat, 1:1 and 1:N.
  • Hybrid liveness: the active Biometric Puzzle plus passive MiniFASNet.
  • Ten factors: password, email OTP, SMS OTP, TOTP, QR code, face, voice, fingerprint (WebAuthn), hardware key (FIDO2 / WebAuthn), NFC document.
  • Multi-platform: Android (KMP) and a React 18 admin.
Objectives
  • Face Recognition: sub-second 1:1 / 1:N on commodity CPU.
  • Biometric Puzzle: randomised active liveness against photo, replay and deepfake.
  • Multi-Tenant SaaS: ten factors; per-tenant MFA flows defined in JSON, not Java.
  • Hybrid Anti-Spoofing: active puzzle plus passive PAD; ISO/IEC 30107-3 aligned.
02 · Methodology and Technical Approach

Container Diagram

Multi-tenant biometric authentication platform. Clients reach a single Traefik edge; only the Identity Core API is exposed through it; the Biometric Processor is internal-only (Docker network + X-API-Key header, reachable from the Spring API alone), and the two external comms providers (Twilio SMS, Hostinger SMTP) are called solely by the Spring API.

FIVUCSAS · C4 Container Diagram (real deployment)

Clients
  • End User (person): uses the web dashboard, the mobile app and the hosted login.
  • Tenant Developer (person, integrator): integrates through the OIDC SDK.
  • Web Dashboard: React 18 · TypeScript · Vite · app.fivucsas.com · admin & self-service · Hostinger static hosting.
  • Hosted Login + Widget: React build + nginx · verify.fivucsas.com · OIDC universal login + step-up MFA.
  • Mobile App: Kotlin Multiplatform · Compose · Android / iOS / Desktop · AppAuth OIDC.
  • Third-Party App (external relying party): tenant app, redirect-based OIDC via the FivucsasAuth SDK.

Backend · Docker on Hetzner CX43
  • Traefik v3.6 reverse proxy: TLS (Let's Encrypt) · routing · rate-limit · admin-IP allowlist; routes HTTPS (REST / OAuth2 / OIDC) to :8080.
  • Identity Core API: Spring Boot 3.4.7 · Java 21 · :8080 · auth · OAuth2 / OIDC · MFA · RBAC · multi-tenancy via Hibernate @Filter · 30 controllers · hexagonal.
  • Biometric Processor: FastAPI · Python 3.12 · :8001 · ⚠ INTERNAL ONLY, called by the Identity Core API over REST with an X-API-Key · face/voice embeddings · liveness · anti-spoof · NFC eMRTD passive authentication · CPU-only (ALLOW_HEAVY_ML=false).

External services (called only by the Spring API)
  • Twilio: SMS OTP + Verify.
  • Hostinger SMTP (smtp.hostinger.com:587): email OTP · guest invites.

Data stores · Docker volumes
  • PostgreSQL + pgvector (pgvector/pgvector:pg17; JDBC from Spring, asyncpg from the Biometric Processor): identity · tenant · audit + IVFFlat vector store.
  • Redis 7.4 (redis:7.4-alpine; Lettuce from Spring): OTP · MFA · rate-limit · TOTP replay · ShedLock.
  • Local File Storage: biometric_uploads volume behind the LocalFileStorage adapter (uploads).
Tenant-Configurable Verification
One platform, infinite flows
Each tenant builds its own flow: which steps run, in what order, and with which thresholds. Everything is assembled at runtime, with no code changes.
Example flows:
  • Bank KYC: NFC → Face → OTP
  • Education: Liveness → Face
  • Access: Face → Hardware Key
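The runtime-assembled flows above, as an added Python illustration (not the FIVUCSAS engine, whose real flow schema is not shown on this page): tenant flows are plain JSON, validated before use so an unknown step name is rejected rather than silently skipped, then interpreted in declared order with each step's own threshold, failing closed on the first miss. The step names, the JSON shape and the evidence values are assumptions of this example; the face threshold 0.45 and the liveness floor 65.0 are the numbers quoted elsewhere on the page.

```python
import json
from dataclasses import dataclass, field

# Step types this interpreter knows. Anything else is rejected when the tenant
# config is loaded, so a typo can never silently become a skipped step.
KNOWN_STEPS = {"nfc", "liveness", "face", "otp", "hardware_key"}

# Constructed tenant flows in the JSON shape this example interprets (the real
# schema is not on the page). Thresholds: face = 1:1 distance ceiling 0.45 as
# quoted for FAR 0.27 %; liveness = fused score floor 65.0.
TENANT_FLOWS_JSON = json.dumps({
    "bank-kyc":  [{"step": "nfc"}, {"step": "face", "threshold": 0.45}, {"step": "otp"}],
    "education": [{"step": "liveness", "threshold": 65.0}, {"step": "face", "threshold": 0.45}],
    "access":    [{"step": "face", "threshold": 0.45}, {"step": "hardware_key"}],
})


@dataclass
class FlowResult:
    passed: bool
    audit: list = field(default_factory=list)  # (step, outcome) in evaluation order


def load_flows(raw: str) -> dict:
    """Parse all tenant flows and refuse any that name an unknown step or omit a
    threshold on a scored step, before any login can run them."""
    flows = json.loads(raw)
    for tenant, steps in flows.items():
        if not steps:
            raise ValueError(f"{tenant}: empty flow")
        for s in steps:
            name = s.get("step")
            if name not in KNOWN_STEPS:
                raise ValueError(f"{tenant}: unknown step {name!r}")
            if name in ("face", "liveness") and "threshold" not in s:
                raise ValueError(f"{tenant}: {name} needs a threshold")
    return flows


def config_is_valid(raw: str) -> bool:
    """Convenience wrapper: True if load_flows accepts the config."""
    try:
        load_flows(raw)
        return True
    except ValueError:
        return False


def run_flow(steps: list, evidence: dict) -> FlowResult:
    """Evaluate the steps in declared order and fail closed on the first miss.

    evidence maps step -> measured value: True for credential steps, a cosine
    distance for face (lower is better), a 0-100 liveness score (higher is better).
    """
    audit = []
    for s in steps:
        name, thr = s["step"], s.get("threshold")
        value = evidence.get(name)
        if value is None:                      # step never reported: not a pass
            audit.append((name, "missing"))
            return FlowResult(False, audit)
        if name == "face":
            ok = value <= thr
        elif name == "liveness":
            ok = value >= thr
        else:
            ok = value is True                 # credential steps must be literally True
        audit.append((name, "pass" if ok else "fail"))
        if not ok:
            return FlowResult(False, audit)
    return FlowResult(True, audit)
```

The audit trail records the steps in the order they were actually evaluated and stops at the first failure, which is what an incident responder wants to see: a "bank-kyc" login that failed on face shows nfc passed and never reached otp.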
GPU-Free Face Pipeline
Production biometrics, zero GPU
The full face pipeline runs CPU-only on one commodity server (Hetzner CX43). Self-host with a single docker compose up.
Detect → Align (468 landmarks) → Embed (512-D) → Verify 1:1 → Search 1:N

5-Stage Hybrid Liveness Detection

Mitigates presentation attacks within FIVUCSAS · pre-process → 2 concurrent channels → anti-spoof → fusion → challenge.
Stage 1 · Pre-processing: facial regions extracted from the raw frame.
Stage 2 · Two concurrent channels
  2A Passive (w = 0.40): composite score from four weighted signals (texture · colour · frequency · Moiré). Threshold: score ≥ 60.0.
  2B Active (w = 0.60): liveness from eye + mouth landmark ratios. Threshold: ≥ 70.0 (eyes +40 · smile +30 · range +30).
Stage 3 · Screen-replay anti-spoof: penalised weighted mean of five anti-spoof signals; hard veto on extreme lows.
  Fusion: 0.65·Σ(wᵢ·sᵢ) + 0.35·min(sᵢ) · Veto: score ≤ 22 ∧ FFT < 24 ∧ Gabor < 35
Stage 4 · Fusion decision: Combined = 0.40 × Passive + 0.60 × Active; PASS if ≥ 65.0.
Stage 5 · Challenge-response: five-challenge active protocol with per-frame micro-tremor + brightness monitoring; 5 random challenges × 20 % = 100 %.
All stages passed → LIVE ✓ · any stage rejected → SPOOF ✗
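The five-stage decision above, written out as an added Python example (not the FIVUCSAS Biometric Processor). The weights 0.40/0.60, the 60/70/65 thresholds, the +40/+30/+30 active points, the 0.65/0.35 anti-spoof fusion and the ≤ 22 / FFT < 24 / Gabor < 35 veto are the page's own numbers; the names of the other three anti-spoof signals, equal per-signal weights, equal weighting of the four passive signals and a 0–100 scale for every raw signal are assumptions made here.

```python
# Stage weights and thresholds quoted on the page.
PASSIVE_W, ACTIVE_W = 0.40, 0.60
PASSIVE_MIN, ACTIVE_MIN, FUSED_MIN = 60.0, 70.0, 65.0
ACTIVE_POINTS = {"eyes": 40, "smile": 30, "range": 30}
# Five anti-spoof signals with equal weights (assumed); only FFT and Gabor are named on the page.
ANTISPOOF_W = {"texture": 0.2, "fft": 0.2, "gabor": 0.2, "specular": 0.2, "moire": 0.2}
VETO_SCORE, VETO_FFT, VETO_GABOR = 22.0, 24.0, 35.0
N_CHALLENGES = 5


def passive_score(texture, colour, frequency, moire):
    """Stage 2A: composite of the four passive signals (equal weights assumed), 0-100."""
    return (texture + colour + frequency + moire) / 4.0


def active_score(eyes_ok, smile_ok, range_ok):
    """Stage 2B: eyes +40, smile +30, range +30 for each satisfied landmark check."""
    return (ACTIVE_POINTS["eyes"] * bool(eyes_ok)
            + ACTIVE_POINTS["smile"] * bool(smile_ok)
            + ACTIVE_POINTS["range"] * bool(range_ok))


def antispoof(signals):
    """Stage 3: 0.65 * sum(w_i * s_i) + 0.35 * min(s_i). The 0.35 * min term is the
    penalty: one collapsed signal drags the mean down. The hard veto fires only when
    the fused score and both named signals are all extreme lows at once."""
    weighted = sum(ANTISPOOF_W[k] * signals[k] for k in ANTISPOOF_W)
    lowest = min(signals[k] for k in ANTISPOOF_W)
    score = 0.65 * weighted + 0.35 * lowest
    vetoed = (score <= VETO_SCORE
              and signals["fft"] < VETO_FFT
              and signals["gabor"] < VETO_GABOR)
    return score, vetoed


def fused(passive, active):
    """Stage 4: Combined = 0.40 * Passive + 0.60 * Active."""
    return PASSIVE_W * passive + ACTIVE_W * active


def decide(passive, active, spoof_signals, challenges_passed):
    """Run the stages in order and stop at the first rejection (fail closed)."""
    if passive < PASSIVE_MIN:
        return "SPOOF", f"passive {passive:.1f} below {PASSIVE_MIN}"
    if active < ACTIVE_MIN:
        return "SPOOF", f"active {active:.1f} below {ACTIVE_MIN}"
    score, vetoed = antispoof(spoof_signals)
    if vetoed:
        return "SPOOF", f"anti-spoof veto (score {score:.1f})"
    combined = fused(passive, active)
    if combined < FUSED_MIN:
        return "SPOOF", f"fusion {combined:.1f} below {FUSED_MIN}"
    if challenges_passed < N_CHALLENGES:
        return "SPOOF", f"challenge {100 // N_CHALLENGES * challenges_passed}% of 100%"
    return "LIVE", f"fusion {combined:.1f}, all {N_CHALLENGES} challenges"
```

One consequence of the page's own numbers is worth checking before tuning: once both channel minima hold, the fused score is at least 0.40 × 60 + 0.60 × 70 = 66, which already clears the 65.0 floor, so stage 4 can only reject if the per-channel thresholds in stage 2 are relaxed. The veto in stage 3 and the ordered challenges in stage 5 are therefore the stages that actually remove a replay that scores moderately on both channels.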
03 · Benchmarking

Feature             | FIVUCSAS      | Auth0 / Okta | AWS Rekog. | Azure Face | Apple Face ID | FaceTec
Active Liveness     | ✓             |              |            |            |               |
Passive Liveness    | ✓             |              |            |            |               |
On-Device Liveness  | active        |              | cloud      | cloud      | full          | hybrid
OAuth 2.0 / OIDC    | ✓             |              |            |            |               |
NFC Document        | ✓             |              |            |            |               |
Composable MFA      | ✓ 10 factors  | 6 factors    |            |            |               |
Voice Biometrics    | ✓             |              |            |            |               |
Self-Hosted         | ✓             |              |            |            | device only   | ✓ (SDK)
Multi-Tenant SaaS   | ✓             |              |            |            |               |
No GPU Required     | ✓             | n/a          | cloud GPU  | cloud GPU  | neural engine | CPU/GPU
(Only textual cells and the FIVUCSAS column survived extraction; the vendor ✓/✗ marks are not recoverable from the page. One vendor's Passive Liveness cell read "optional".)
04 · Key Innovations

The Biometric Puzzle
Active liveness · MediaPipe · CNN-free
At each verification the server draws 3–5 random actions from a 23-action library; the client performs them while landmarks are scored frame-by-frame under a strict temporal contract. Pre-recorded video, deepfake injection and replay all fail, because the action set is unpredictable and timestamped per attempt.
Pipeline:
  1. Random sequence: 3–5 actions from 23, bound to a per-attempt nonce.
  2. Face Landmarker: 468 landmarks · EAR/MAR · brow Δ.
  3. Hand tracking: 21 landmarks · gesture engine.
  4. Encrypt: Fernet · OTT (one-time token).
Hand gesture engine · MediaPipe Hands: 21 landmarks · 9 actions · ≥ 30 FPS on CPU
  Per-finger ratio: rᵢ = (‖W−Tipᵢ‖ − ‖W−PIPᵢ‖) ⁄ ‖W−MidMCP‖
Face engine · MediaPipe Face Landmarker: 468 landmarks · 14 face actions · 5 s per challenge
  Head-turn deviation: deviation = nose.x − ½(earL.x + earR.x), turn registered when |dev| > 0.15
The 23-Action Library
14 face actions (MediaPipe Face Landmarker, 468 landmarks) and 9 hand actions (MediaPipe Hands, 21 landmarks): what the server can ask of you, drawn per attempt under a nonce, giving thousands of ordered sequences.
Eyes (3) · EAR < τ_blink
  • Blink
  • Close left eye
  • Close right eye
Mouth (2) · MAR > 0.60
  • Smile
  • Open mouth
Brows (3) · Δ(brow, eye) ⁄ IPD ↑
  • Raise both brows
  • Raise left brow
  • Raise right brow
Head pose (4) · yaw · pitch (Euler)
  • Turn left
  • Turn right
  • Look up
  • Look down
Head motion (2) · pitch · yaw · roll Euler Δt
  • Nod
  • Shake
Hand gestures & tasks (9) · 21 × 3D landmark vector-distance
  • Finger count
  • Wave
  • Flip palm
  • Finger tap
  • Pinch
  • Peek-a-boo
  • Shape trace
  • Trace template
  • Finger math
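The challenge-response contract behind the Biometric Puzzle, as an added Python example that is not the project's MediaPipe-based code. It draws an ordered, nonce-bound action set from the 23-action library, scores frames with the landmark ratios the page names (EAR for blinks after Soukupová and Čech, MAR > 0.60 for an open mouth, the nose-to-ear deviation with |dev| > 0.15 for a turn) and enforces the temporal contract: each action must appear in the issued order within its own 5 s window, and a frame matching a later action is ignored, so a spliced or out-of-order recording fails. The frame layout, the EAR blink threshold of 0.20, the sign convention for left/right and the sample landmarks are assumptions constructed for this example; actions the toy scorer does not implement never pass.

```python
import math
import random
import secrets

# The 23-action library named on the page (14 face + 9 hand).
ACTIONS = [
    "blink", "close_left_eye", "close_right_eye", "smile", "open_mouth",
    "raise_both_brows", "raise_left_brow", "raise_right_brow",
    "turn_left", "turn_right", "look_up", "look_down", "nod", "shake",
    "finger_count", "wave", "flip_palm", "finger_tap", "pinch",
    "peek_a_boo", "shape_trace", "trace_template", "finger_math",
]
EAR_BLINK = 0.20          # assumed tau_blink (the EAR paper uses about 0.2)
MAR_OPEN = 0.60           # from the page
DEV_TURN = 0.15           # from the page
CHALLENGE_SECONDS = 5.0   # per challenge, from the page

# Constructed sample landmarks (normalised image coordinates), not real captures.
SAMPLE_EYE_OPEN = [(0.0, 0.0), (0.3, 0.15), (0.7, 0.15), (1.0, 0.0), (0.7, -0.15), (0.3, -0.15)]
SAMPLE_EYE_SHUT = [(0.0, 0.0), (0.3, 0.03), (0.7, 0.03), (1.0, 0.0), (0.7, -0.03), (0.3, -0.03)]
SAMPLE_MOUTH_CLOSED = ((0.5, 0.1), (0.5, -0.1), (0.0, 0.0), (1.0, 0.0))
SAMPLE_MOUTH_OPEN = ((0.5, 0.4), (0.5, -0.4), (0.0, 0.0), (1.0, 0.0))


def sample_frame(eye_l=SAMPLE_EYE_OPEN, eye_r=SAMPLE_EYE_OPEN,
                 mouth=SAMPLE_MOUTH_CLOSED, nose=(0.5, 0.5)):
    """Build one landmark frame in the (assumed) layout frame_satisfies reads."""
    return {"eye_l": eye_l, "eye_r": eye_r, "mouth": mouth,
            "nose": nose, "ear_l": (0.0, 0.5), "ear_r": (1.0, 0.5)}


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def ear(p):
    """Eye aspect ratio over six eye landmarks p1..p6 (Soukupova & Cech ordering):
    (|p2-p6| + |p3-p5|) / (2 |p1-p4|); it collapses towards 0 when the eye closes."""
    return (dist(p[1], p[5]) + dist(p[2], p[4])) / (2.0 * dist(p[0], p[3]))


def mar(top, bottom, left, right):
    """Mouth aspect ratio: vertical opening over mouth width."""
    return dist(top, bottom) / dist(left, right)


def head_deviation(nose, ear_l, ear_r):
    """deviation = nose.x - 1/2 (earL.x + earR.x), as on the page."""
    return nose[0] - 0.5 * (ear_l[0] + ear_r[0])


def issue_challenge(rng=None, n=None):
    """Server side: 3-5 distinct actions in random order, bound to a fresh nonce so a
    recording made for one attempt cannot answer another."""
    rng = rng or random.SystemRandom()
    n = n or rng.randint(3, 5)
    return {"nonce": secrets.token_hex(16), "actions": rng.sample(ACTIONS, n)}


def frame_satisfies(action, f):
    """Score one frame against one action; unimplemented actions fail closed."""
    if action == "blink":
        return ear(f["eye_l"]) < EAR_BLINK and ear(f["eye_r"]) < EAR_BLINK
    if action == "close_left_eye":
        return ear(f["eye_l"]) < EAR_BLINK and ear(f["eye_r"]) >= EAR_BLINK
    if action == "close_right_eye":
        return ear(f["eye_r"]) < EAR_BLINK and ear(f["eye_l"]) >= EAR_BLINK
    if action == "open_mouth":
        return mar(*f["mouth"]) > MAR_OPEN
    if action == "turn_left":       # sign convention assumed for this example
        return head_deviation(f["nose"], f["ear_l"], f["ear_r"]) < -DEV_TURN
    if action == "turn_right":
        return head_deviation(f["nose"], f["ear_l"], f["ear_r"]) > DEV_TURN
    return False


def verify(challenge, frames, t0):
    """Temporal contract: actions in issued order, each within CHALLENGE_SECONDS of
    the previous one (the first within t0 + 5 s). frames is a time-ordered list of
    (timestamp, landmarks). A frame matching a later action never counts."""
    actions = challenge["actions"]
    idx, passed, deadline = 0, 0, t0 + CHALLENGE_SECONDS
    for t, f in frames:
        if idx == len(actions) or t > deadline:   # done, or current action timed out
            break
        if frame_satisfies(actions[idx], f):
            passed += 1
            idx += 1
            deadline = t + CHALLENGE_SECONDS
    share = 100.0 * passed / len(actions)          # with 5 challenges, 20 % each
    return {"nonce": challenge["nonce"], "live": idx == len(actions), "score": share}
```

The server should key the stored challenge by its nonce and delete it on the first verify call, whatever the outcome; a partial score is useful for telemetry but only a 100 % ordered completion counts as live.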
Ten Composable Authentication Factors
  • Password: BCrypt, cost 12
  • Email OTP: 6-digit, 5 min validity
  • SMS OTP: single-use
  • TOTP: RFC 6238
  • QR Code: cross-device
  • Face: Facenet-512 + puzzle
  • Voice: Resemblyzer, 256-D
  • Fingerprint: WebAuthn
  • Hardware Key: FIDO2 / WebAuthn
  • NFC Document: ICAO 9303
Shipped templates: Fintech KYC · Healthcare Basic · Education Age · Telecom Onboarding · Simple Document. Roadmap: Banking KYC · Government e-KYC.
NFC

Reading the chip in your wallet

FIVUCSAS reads the contactless chip in Turkish national ID cards and biometric passports — documents following the ICAO 9303 standard, now used by 150+ issuing states. The chip carries a signed photo, MRZ and a tamper-evident hash of every data group.

  • Mobile, native NFC. Android client (Kotlin Multiplatform) runs a custom ICAO 9303 reader on BouncyCastle — performs BAC, reads DG1 / DG2 (MRZ + chip photo) and verifies the signed document hash (passive authentication).
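Two of the ICAO 9303 Part 11 steps behind that reader, as an added Python example (illustrative, not the project's Kotlin / BouncyCastle code): the MRZ check digits and the BAC key derivation that turns the MRZ information (document number, date of birth and expiry, each with its check digit) into Kseed and the DES parity-adjusted KENC / KMAC, followed by the passive-authentication hash check that compares each data group read from the chip against the hash list in the Document Security Object. The check-digit weights, the SHA-1 / counter derivation and the worked MRZ from the standard's Appendix D are from ICAO 9303; the SOD is modelled here as a plain dict of hashes because a real SOD is a CMS / ASN.1 structure, and verifying its signature against the issuing CSCA chain is left out. The sample data groups are constructed.

```python
import hashlib

MRZ_WEIGHTS = (7, 3, 1)   # ICAO 9303 check-digit weighting, repeated across the field


def mrz_char_value(c):
    """Filler '<' is 0, digits are themselves, letters are A=10 .. Z=35."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    return ord(c) - ord("A") + 10


def mrz_check_digit(field):
    return sum(mrz_char_value(c) * MRZ_WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def mrz_information(doc_no, dob, expiry):
    """The BAC input: each field followed by its check digit. A reader that trusts an
    OCR'd MRZ without recomputing these digits derives the wrong keys and fails BAC."""
    return (f"{doc_no}{mrz_check_digit(doc_no)}"
            f"{dob}{mrz_check_digit(dob)}"
            f"{expiry}{mrz_check_digit(expiry)}")


def adjust_des_parity(key):
    """Set the low bit of every byte so each byte has odd parity (DES key form)."""
    out = bytearray()
    for b in key:
        ones = bin(b >> 1).count("1")                 # the seven key bits
        out.append((b & 0xFE) | (0 if ones % 2 else 1))
    return bytes(out)


def bac_keys(mrz_info):
    """Kseed = SHA-1(MRZ_information)[:16]; KENC/KMAC = SHA-1(Kseed || counter)[:16]
    with counter 1 / 2, parity-adjusted. Worked example from ICAO 9303 Part 11
    Appendix D: MRZ_information "L898902C<369080619406236" gives
    Kseed 239AB9CB282DAF66231DC5A4DF6BFBAE."""
    kseed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    kenc = adjust_des_parity(hashlib.sha1(kseed + b"\x00\x00\x00\x01").digest()[:16])
    kmac = adjust_des_parity(hashlib.sha1(kseed + b"\x00\x00\x00\x02").digest()[:16])
    return kseed, kenc, kmac


def build_sod_hashes(dg_bytes_by_number, algo="sha256"):
    """Stand-in for the LDSSecurityObject hash list a real SOD carries (constructed)."""
    return {n: hashlib.new(algo, data).digest() for n, data in dg_bytes_by_number.items()}


def passive_auth_check(dg_bytes_by_number, sod_hashes, algo="sha256"):
    """Return the numbers of data groups whose hash does not match the SOD, including
    any DG the SOD does not list at all. Empty list = all read groups are intact."""
    return [n for n, data in dg_bytes_by_number.items()
            if hashlib.new(algo, data).digest() != sod_hashes.get(n)]


# Constructed sample data groups: DG1 holds the MRZ text, DG2 the encoded face image.
SAMPLE_DG1 = b"P<UTOERIKSSON<<ANNA<MARIA<<<<<<<<<<<<<<<<<<<L898902C<3UTO6908061F9406236<<<<<<<<<<<<<<04"
SAMPLE_DG2 = b"\xff\xd8\xff\xe0constructed-jpeg-bytes"
```

Passive authentication only proves the data groups are the ones the issuer signed; it says nothing about whether the chip is a clone. Pair it with the signature check on the SOD and, where the document supports it, Active or Chip Authentication.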
05 · Results

We ran a thorough, hands-on evaluation across recognition accuracy, cross-dataset robustness, real-time performance, liveness, and resistance to attacks. Tested on 1,342 enrolled face images across 100 identities and 12,062 verification pairs across three independent public benchmarks (LFW, AgeDB-30, CFP-FP).

Production-grade · CPU-only · multi-tenant: a full identity platform measured end-to-end
  • 99.43 % face AUC
  • < 0.5 s P95 latency
  • 0 GPU required
  • 10 / 10 MFA factors

Face Recognition · 0.9943 AUC (LFW · 5,600 pairs · FaceNet-512) · state of the art
  • EER 1.93 % equal-error rate
  • FAR 0.27 % @ threshold 0.45
  • TAR 95.6 % genuine accept rate
Cross-Dataset Robustness · 0.9845 AUC (CFP-FP · 1,378 pairs) · generalisable
  • Pose: frontal ↔ 90° profile
  • AgeDB-30 AUC 0.9475 (30-year gap)
  • Scale: 100 identities · 12 k+ pairs
OAuth & Identity API · ~66 ms OIDC Discovery (warm), production-measured · production-live
  • JWKS ~62 ms · 6 live URLs all up
  • Endpoints: 208 REST · 29 controllers
  • MFA: 10 / 10 factors implemented
Production Pipeline · ~410 ms P95 end-to-end verification latency · sub-second
  • P50 ~380 ms · P99 ~450 ms
  • Host: Hetzner CX43 · 8 vCPU · 16 GB · 0 GPU
  • Target < 1 500 ms ✓ PASS
Latency budget: end-to-end face verification on commodity CPU
  • Median (P50): ~380 ms
  • P95: ~410 ms ✓ PASS
  • P99: ~450 ms
  • Liveness PAD: ~114 ms
  • Vector search: ~345 ms
By the numbers: an entire identity platform on commodity CPU, GPU-less
  • 82 Flyway migrations · V0 → V75 · production-applied schema evolution
  • 208 REST endpoints · 29 controllers · Identity Core API
  • 41 database tables + 12 audit partitions · @Filter · pgvector IVFFlat
06 · Conclusion & Future Work

FIVUCSAS shows that production-grade, KVKK / GDPR-compliant biometric authentication can run on ordinary, CPU-only hardware, and ships both as self-hostable open-source and as a managed SaaS.

A. Harder problems solved

  • CPU-only ML at sub-second latency on one 8-vCPU host.
  • Frozen OIDC contract while ML iterates weekly.
  • Custom ICAO-9303 BAC reader on BouncyCastle.
  • Tenant MFA flows by JSON + Hibernate @Filter, no redeploy.
  • Spoof Detector: standalone session-based passive PAD (13 analyzers · ISO/IEC 30107-3 harness · paper + public demo).

B. Future work

  • Voice upgrade. Resemblyzer → ECAPA-TDNN with replay-detection.
  • Edge AI build. Raspberry Pi / Jetson endpoints on the same OIDC contract.
  • ISO/IEC 30107-3 conformance. Accredited PAD audit.
Register once. Verify everywhere. Every time.
The domain map: every link behind one QR (links.fivucsas.com)
  • fivucsas.com: landing · live demo
  • verify.fivucsas.com: OAuth2 / OIDC hosted login
  • app.fivucsas.com: admin dashboard · independent UI
  • api.fivucsas.com: REST · OpenAPI 3.1
  • demo.fivucsas.com: sample scenario · functional test
  • status.fivucsas.com: API & server uptime / health
  • links.fivucsas.com: QR aggregator (scan target)
  • github.com/Rollingcat-Software: MIT-licensed monorepo
07 · Technologies Used

Backend: Spring Boot · Java 21 · FastAPI · Python 3.12. Clients: Kotlin Multiplatform · Jetpack Compose · Android · ICAO 9303 · React 18. Data: PostgreSQL 17 · pgvector HNSW · Redis 7.4. ML: OpenCV · MediaPipe · TensorFlow · Facenet-512 · PyTorch · UniFace · MiniFASNet. Infrastructure: Traefik Gateway · Docker · Compose · Linux · Hetzner CX43. Protocols: JWT · RS256 · OAuth2 · OIDC · PKCE · OpenAPI 3.1. Tooling: Git · GitHub Actions · IntelliJ IDEA.
08 · References

  1. Verizon, 2024 Data Breach Investigations Report (DBIR). [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/. Accessed: Jan. 2026.
  2. F. Schroff, D. Kalenichenko, and J. Philbin, “FaceNet: A unified embedding for face recognition and clustering,” Proc. CVPR, 2015, pp. 815–823.
  3. J. Deng, J. Guo, N. Xue, and S. Zafeiriou, “ArcFace: Additive angular margin loss for deep face recognition,” Proc. CVPR, 2019, pp. 4690–4699.
  4. Y. Taigman, M. Yang, M. Ranzato, and L. Wolf, “DeepFace: Closing the gap to human-level performance in face verification,” Proc. CVPR, 2014, pp. 1701–1708.
  5. S. I. Serengil and A. Ozpinar, “HyperExtended LightFace: A facial attribute analysis framework,” Proc. ICEET, IEEE, 2021, doi: 10.1109/ICEET53442.2021.9659697.
  6. C. Lugaresi et al., “MediaPipe: A framework for building perception pipelines,” arXiv:1906.08172, 2019.
  7. T. Soukupová and J. Čech, “Real-time eye blink detection using facial landmarks,” Proc. CVWW, 2016.
  8. ISO/IEC 30107-3:2023, Information technology — Biometric presentation attack detection — Part 3: Testing and reporting, 2nd ed., Geneva: ISO, Jan. 2023.
  9. PostgreSQL Global Development Group, pgvector: Vector similarity search for Postgres. [Online]. Available: https://github.com/pgvector/pgvector. Accessed: Jan. 2026.
  10. Redis Ltd., Redis Documentation. [Online]. Available: https://redis.io/docs/. Accessed: Jan. 2026.
  11. Docker Inc., Docker Documentation. [Online]. Available: https://docs.docker.com/. Accessed: Jan. 2026.
  12. Python Software Foundation, Python Language Reference. [Online]. Available: https://docs.python.org/. Accessed: Jan. 2026.
  13. A. Cockburn, “Hexagonal Architecture (Ports and Adapters),” Alistair Cockburn. [Online]. Available: https://alistair.cockburn.us/hexagonal-architecture/. Accessed: Jan. 2026.
  14. C. Richardson, Microservices Patterns. Shelter Island, NY: Manning, 2018.
  15. ICAO Doc 9303, Machine Readable Travel Documents, Part 11: Security Mechanisms for MRTDs, 8th ed., Montréal: ICAO, 2021.
  16. D. Hardt, Ed., The OAuth 2.0 Authorization Framework, IETF RFC 6749, Oct. 2012.
  17. N. Sakimura et al., OpenID Connect Core 1.0, OpenID Foundation, 2014.
  18. D. M’Raïhi et al., TOTP: Time-Based One-Time Password Algorithm, IETF RFC 6238, May 2011.
FIVUCSAS links.fivucsas.com · github.com/Rollingcat-Software/FIVUCSAS · MIT