
No. 10 · Bharat-First · Identity

Stop asking who.
Start measuring how sure.

Passwords are the weakest link in 81% of breaches. A single biometric falls to a single spoof. BioVault fuses four signals (face, voice, keystroke, WebAuthn passkey) into one calibrated trust score. Raw biometric data never leaves the browser. The backend stores embeddings, not media, and forgets them after thirty minutes.


t ≥ 0.85 · Confident enough to let in · Allow
0.65 ≤ t < 0.85 · Step up with another factor · Step up
t < 0.65 · Refuse and audit · Deny

Decision policy · weights face 0.35 · passkey 0.30 · voice 0.20 · keystroke 0.15

81% · Breaches involve weak credentials
4 · Signals fused per decision
< 25 ms · Face verify p95
30 min · Template TTL · then erased
₹0 · Idle cost on Cloud Run

Act I · Every Single Factor Loses

Pick one and you lose.
The fix is not a new factor. It is a new sentence.

Passwords are guessed.

Eighty-one percent of confirmed breaches involve stolen, reused or guessed credentials. The user is not the problem. The model is.

OTPs are stolen.

SIM swap is industrial. SS7 interception is real. A code in a text message is no longer a second factor in any meaningful sense.

A single biometric is spoofed.

A photo defeats face. A recording defeats voice. A 3D-printed finger defeats most fingerprint readers in consumer phones.

The honest sentence is not “is this user authenticated.” It is “how sure am I, given everything I just observed.” A trust score fits that sentence. A pass-or-fail check does not.

Act II · The Fusion

Four signals.
One number. Zero raw media on the wire.

All four models run in the browser. The backend sees only one-way embeddings, a public key and a sign counter. There is nothing in storage that can be replayed against the user later.

Signal 01

Face

float[128] · cosine + euclidean

face-api.js produces a 128-dimension descriptor. A blink challenge defeats the trivial photo replay. The frame never leaves the device.

w = 0.35

Signal 02

Voice

float[18] · z-score cosine

Web Audio extracts an 18-dimension feature vector of aggregate spectral statistics. The audio buffer is discarded after the descriptor is computed.

w = 0.20

Signal 03

Keystroke

float[2N-1] · manhattan

Dwell and flight times across the user's typed phrase. Behavioural by nature, hard to forge, and silent to the user.

w = 0.15

Signal 04

Passkey

WebAuthn · public key + counter

Phishing-resistant by design. Origin-bound by the browser. The single hardest signal to spoof and the only one bound to a hardware authenticator.

w = 0.30

trust = (Σ w_i · score_i) / Σ w_i
  × 0.9 if only a single factor was presented
  capped at 0.5 if any factor hard-fails
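The decision policy above (allow, step up, deny bands) and this fusion formula, carried through as an added Python example that is not BioVault's own code: the weights, thresholds, single-factor penalty and hard-fail cap are taken from the page; the per-signal `hard_fail` flag and the handling of an empty factor set are assumptions made here.

```python
from dataclasses import dataclass

# Weights from the page's decision policy (they sum to 1.0).
WEIGHTS: dict[str, float] = {"face": 0.35, "passkey": 0.30, "voice": 0.20, "keystroke": 0.15}

ALLOW_THRESHOLD = 0.85       # t >= 0.85 -> allow
STEP_UP_THRESHOLD = 0.65     # 0.65 <= t < 0.85 -> step up; below -> deny
SINGLE_FACTOR_PENALTY = 0.9  # x0.9 when only one factor was presented
HARD_FAIL_CAP = 0.5          # trust never exceeds 0.5 if any factor hard-fails

@dataclass(frozen=True)
class SignalResult:
    score: float             # per-signal similarity, normalised to [0, 1]
    hard_fail: bool = False  # assumed flag: e.g. blink challenge or passkey assertion failed

def fuse(results: dict[str, SignalResult]) -> float:
    """Weighted mean over the factors actually presented, then the two adjustments."""
    if not results:
        return 0.0  # assumption: nothing observed means no trust (the page leaves this undefined)
    unknown = set(results) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    # Dividing by the presented weights means an absent factor does not drag the score down;
    # the single-factor penalty is what discounts a lone signal.
    trust = sum(WEIGHTS[n] * r.score for n, r in results.items()) / sum(WEIGHTS[n] for n in results)
    if len(results) == 1:
        trust *= SINGLE_FACTOR_PENALTY
    if any(r.hard_fail for r in results.values()):
        trust = min(trust, HARD_FAIL_CAP)
    return trust

def decide(trust: float) -> str:
    """Map a fused trust score onto the page's three decision bands."""
    if trust >= ALLOW_THRESHOLD:
        return "allow"
    if trust >= STEP_UP_THRESHOLD:
        return "step_up"
    return "deny"

def risk_score(results: dict[str, SignalResult]) -> tuple[float, str]:
    """The shape /api/risk/score would return: fused trust plus its band."""
    trust = fuse(results)
    return trust, decide(trust)

if __name__ == "__main__":
    # Constructed sample: strong face and passkey, weaker voice and keystroke.
    sample = {"face": SignalResult(0.92), "passkey": SignalResult(1.0),
              "voice": SignalResult(0.70), "keystroke": SignalResult(0.60)}
    trust, band = risk_score(sample)
    print(f"trust={trust:.3f} band={band}")  # trust=0.852 band=allow
```

Note that a perfect single-factor match still clears the allow band (1.0 × 0.9 = 0.9), whereas any hard-fail forces a deny regardless of how well the other factors scored.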

Act III · The Server Sees Almost Nothing

The browser does the maths.
The server holds the policy.

FastAPI on Cloud Run, asia-east1, min-instances=0. Stateless. In-memory. One container image at around 85 MiB. The endpoints are deliberately small.

Endpoint · Verifies · p95
/api/face/verify · 128-D descriptor against enrolled vector · < 25 ms
/api/voice/verify · 18-D z-score cosine · < 8 ms
/api/keystroke/verify · (2N-1)-D Manhattan distance · < 6 ms
/api/passkey/auth · WebAuthn assertion + sign counter · browser-bound
/api/risk/score · Weighted fusion + decision band · deterministic
/api/events · Audit ring buffer with correlation IDs · structured JSON

Act IV · The Stack

In-browser ML, stateless backend.
Privacy by architecture, not policy.

Templates evict after thirty minutes or whenever the Cloud Run instance scales to zero. There is no database to forget to wipe. DPDP Act 2023 and GDPR alignment are consequences of the design, not retrofits.

  • FastAPI · Python 3.11
  • Pydantic v2
  • NumPy
  • face-api.js · 128-D
  • Web Audio API
  • WebAuthn · passkey
  • Cloud Run · asia-east1
  • Container ~85 MiB
  • min-instances = 0
  • Cold start 250–350 ms
  • In-memory store · 30 min TTL
  • JSON audit · correlation IDs
  • DPDP Act 2023 aligned
  • GDPR aligned · India residency
  • OpenAPI / Swagger UI

Act V · Proof

Live. Documented. Cap-stoned.

Production demo

Enroll any subset of factors. Verify. Watch the trust meter compute the band live. No persistence, no replay attack surface.

https://biovault.dmj.one

Pitch deck and capstone report

A keyboard-driven twelve-slide deck and the full capstone report live on the same domain. OpenAPI lives at /api/docs.

/pitch · /report · /report.docx · /api/docs

Capstone author

Lakshika Tanwar, GF202220476, B.Tech CSE Cloud Computing, Shoolini University, Solan. Mentored as part of the dmj.one capstone programme.

One-shot deploy

PROJECT=dmjone REGION=asia-east1 bash scripts/deploy.sh. Cloud Run from zero to live in a single command. CI/CD pipeline shipped in .github/workflows/deploy.yml.

If a thirty-minute trust score is enough for the user, it is enough for you.

I architect identity and security MLPs that ship on free-tier serverless without a single raw biometric on the wire. Capstone-quality on the inside. Production-quality on the outside.