Capstone · B.Tech CSE Cloud Computing · 2022–2026

Who you are
beats what you know.

BioVault is a multi-modal biometric security application that fuses face, voice, keystroke rhythm, and a hardware-backed passkey into a single risk-adaptive trust score.

Lakshika Tanwar · GF202220476 · Shoolini University

The problem

Passwords are the weakest link.

81%

of breaches

involve weak or stolen passwords (Verizon DBIR).

23B+

credentials leaked

circulate on the dark web today.

$4.88M

average breach cost

per IBM Cost of a Data Breach 2024.

SMS OTP is phishable. TOTP is shareable. Even most "biometrics" are a single factor with no liveness check.

The insight

Identity isn't one signal — it's a chorus.

Faces can be spoofed, voices can be deepfaked, keystrokes can be observed, and even passkeys can be lost. But all four together, weighted and calibrated to context, make a much harder target.

BioVault treats each factor as evidence, fuses them into a continuous trust score, and adapts the action — allow, step-up, or deny — based on the situation.

The solution

Four factors. One trust score. Three actions.

Face + Liveness

128-D descriptor with blink challenge — runs in your browser. w=0.35

Voice biometrics

Spectral + mel features from a 3-sec passphrase. w=0.20

Keystroke rhythm

Dwell + flight times for a fixed phrase. w=0.15

Passkey (WebAuthn)

Phishing-resistant hardware factor. w=0.30

Trust ≥ 0.85 → ALLOW · 0.65–0.85 → STEP-UP · < 0.65 → DENY

Architecture

Stateless, scale-to-zero, local-first.

Browser: face-api.js · Web Audio · WebAuthn · keystroke timing

FastAPI on Cloud Run: asia-east1 · min=0 · in-memory store · structured logs

Stack

Boring tech, deployed well.

Frontend

Vanilla HTML/CSS/ESM JS · face-api.js · Web Audio API · WebAuthn · zero build step

Backend

Python 3.12 · FastAPI · Pydantic v2 · NumPy · py_webauthn · uvicorn

Infra

Cloud Run · asia-east1 · Cloud Build · Artifact Registry · GitHub Actions OIDC

User flow

Three taps. Sub-second decision.

Enroll

1. Pick a name → 2. Look at the camera, blink → 3. Speak the phrase → 4. Type the phrase → 5. Touch ID / Windows Hello.

Verify

Same factors, any subset. The aggregate trust score updates live, and the adaptive policy decides allow / step-up / deny.
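
An added example (not BioVault's own code) of the weighted fusion from "The solution" combined with the "any subset" verification above, using the slide's weights and thresholds. It assumes per-factor match scores in [0, 1] and that an absent factor contributes zero; the slides do not say how subsets are scored, so the renormalizing variant is shown only for contrast.

```python
# Added example: weights and thresholds are from the slides; scoring of
# missing factors is an assumption, not BioVault's documented behaviour.

# Integer percentages keep the 0.65 / 0.85 boundaries exact in float math.
WEIGHTS = {"face": 35, "voice": 20, "keystroke": 15, "passkey": 30}
ALLOW_AT, STEP_UP_AT = 85, 65


def fuse(scores, renormalize=False):
    """Return trust in percent (0..100) for the factors presented.

    scores: factor name -> match score in [0, 1] (assumed scale).
    renormalize=False: an absent factor contributes 0 (assumption).
    renormalize=True: divide by presented weights only (for contrast).
    """
    unknown = set(scores) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown factor(s): {sorted(unknown)}")
    for name, s in scores.items():
        if not 0.0 <= s <= 1.0:  # also rejects NaN
            raise ValueError(f"{name} score out of range: {s!r}")
    weighted = sum(WEIGHTS[n] * s for n, s in scores.items())
    if not renormalize:
        return weighted  # weights sum to 100, so this is already percent
    presented = sum(WEIGHTS[n] for n in scores)
    return 100 * weighted / presented if presented else 0.0


def decide(trust_pct):
    """Map a trust percentage to the slide's three actions."""
    t = round(trust_pct, 6)  # absorb float noise at the boundaries
    if t >= ALLOW_AT:
        return "ALLOW"
    if t >= STEP_UP_AT:
        return "STEP-UP"
    return "DENY"


if __name__ == "__main__":
    # Constructed inputs: perfect matches on different subsets.
    cases = [{"passkey": 1.0}, {"face": 1.0, "passkey": 1.0},
             {"face": 1.0, "voice": 1.0, "passkey": 1.0}]
    for c in cases:
        print(sorted(c), decide(fuse(c)), decide(fuse(c, renormalize=True)))
```

Without renormalization a lone passkey tops out at 0.30 and is denied; with it, any single perfect factor reaches ALLOW, so the subset rule matters as much as the weights.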

Onboarding under 30 seconds. Verification under 3 seconds. Works on a slow phone with a flaky 3G link.

Security & privacy

The data we don't store can't be stolen.

Performance

Numbers that matter.

~250ms

Cold start

Cloud Run min=0, 256 MiB.

<30ms

API p95

per modality verify.

2.8s

Voice capture

16 kHz, FFT in JS.

128-D

Face descriptor

L2-normalized.

Live demo

Open / in another tab.

Grant camera + microphone access. Create a user, enroll all four factors, then verify any subset — watch the trust meter and audit log update in real time.

Source · github.com/divyamohan1993/biovault

Report · /report · API docs · /api/docs

What's next

From MVP to product.

Persistence

Postgres with pgvector + envelope-encrypted templates.

Anti-spoofing

3D depth + texture analysis · deepfake detection on voice.

Continuous auth

Behavioral session signals: gait, scroll, mouse, app context.

SDK

Drop-in JS SDK for any web/mobile app to add BioVault auth.

Compliance

SOC 2, ISO 27001, DPDP DPO console.

Pricing

Free under 1k MAU · ₹2 per verification beyond.

Thank you

Questions?

Lakshika Tanwar · GF202220476 · Shoolini University