Security & Compliance
UFME is designed for deployments where both biometric accuracy and security assurance are non-negotiable. Security controls are built into the pipeline architecture as structural constraints rather than policy overlays.
Input security
Payload validation
All inbound HTTP payloads are validated by the receive stage before any image processing begins:
- Payload size limit: 50 MB maximum. Requests exceeding this are rejected with HTTP 413 before parsing.
- XXE protection: XML prolog parsing is capped at 64 KB. Billion-laughs amplification patterns are detected and rejected before entity expansion. The parser never evaluates external entity references.
- Image format: Only JPEG and PNG are accepted. Inputs are decoded to raw pixel arrays before passing to the detection stage — no format-specific parsers reach the pipeline interior.
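The checks in the list above, as an added example rather than UFME's own receive stage. The function names, the 400 and 415 status codes, and the assumption of a UTF-8 XML request body are illustrative; the page only specifies the 413 for oversize payloads.

```python
import re

MAX_PAYLOAD = 50 * 1024 * 1024   # 50 MB limit from the list above
MAX_PROLOG = 64 * 1024           # 64 KB XML prolog cap from the list above
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png"}
# One entity declaration: external (SYSTEM/PUBLIC) or a quoted literal value.
ENTITY = re.compile(rb"<!ENTITY\s+(?:%\s+)?\S+\s+(SYSTEM|PUBLIC|\"[^\"]*\"|'[^']*')")
# An entity reference inside a literal (character references such as &#38; excluded).
NESTED_REF = re.compile(rb"[&%][A-Za-z_:][\w.:-]*;")

class Rejected(Exception):
    def __init__(self, status, reason):
        super().__init__(reason)
        self.status, self.reason = status, reason

def check_size(declared_length):
    """Runs on the declared Content-Length, before any parsing."""
    if declared_length > MAX_PAYLOAD:
        raise Rejected(413, "payload larger than 50 MB")

def check_xml(body):
    """Byte-level scan of a UTF-8 XML body; nothing is expanded or fetched."""
    head, tail = body[:MAX_PROLOG], body[MAX_PROLOG - 8:]
    # DTD markers that cross or follow the cap mean the prolog is over 64 KB.
    if b"<!DOCTYPE" in tail or b"<!ENTITY" in tail:
        raise Rejected(400, "DTD extends past the 64 KB prolog cap")  # status assumed
    decls = list(ENTITY.finditer(head))
    if len(decls) != head.count(b"<!ENTITY"):
        raise Rejected(400, "unparseable entity declaration")  # fail closed
    for decl in decls:
        value = decl.group(1)
        if value in (b"SYSTEM", b"PUBLIC"):
            raise Rejected(400, "external entity declared")
        if NESTED_REF.search(value):
            raise Rejected(400, "nested entity expansion (billion laughs)")

def sniff_image(data):
    """Accept only JPEG or PNG, decided by magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    raise Rejected(415, "only JPEG and PNG are accepted")  # status assumed

# Constructed sample: an entity whose value references another entity.
SAMPLE_NESTED = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "aa">'
                 b'<!ENTITY b "&a;&a;&a;">]><r>&b;</r>')
```

A byte-level scan like this only holds for ASCII-compatible encodings, so a deployment would reject or transcode UTF-16 bodies before it runs.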
Biometric security
ISO 30107-3 — Presentation Attack Detection
Model: MiniFASNetV2.onnx (INT8, ~600 KB)
Every biometric request passes through PAD before an embedding is computed. The model runs on the aligned 112×112 crop and produces three output classes:
| Class | Description |
|---|---|
| Real | Genuine live face |
| 2D spoof | Print attack or screen replay |
| 3D spoof | 3D mask or sculpted replica |
A spoof_score > 0.85 (configurable) causes the request to be rejected with HTTP 451 Unavailable For Legal Reasons — the HTTP status code designated for requests blocked for policy/compliance reasons.
MiniFASNetV2 is ISO 30107-3 Level 1 compliant for print and replay attacks.
Known limitation: Sophisticated 3D silicone mask attacks are detected at lower accuracy. High-security deployments should consider upgrading to CDCN (Central Difference Convolution Network) via the model path configuration.
Morphing Attack Detection
Model: mad_selfmad_hrnet_w18.onnx (HRNet-W18 SelfMAD, ~85 MB)
Morphing attacks blend two face images to produce a document photo that matches two different individuals. UFME detects morphed document photos at enrolment using single-image, reference-free detection.
- Enrolment requests with morph_score > 0.75 (configurable) are rejected with HTTP 422.
- Detection runs on the aligned crop — no trusted reference image is required.
- D-EER < 5% on FRGC-Morph benchmark.
The MAD stage is positioned after PAD and before quality and extraction, ensuring morphed images never enter the gallery.
Deepfake detection [optional]
Model: deepfake_vit_q.onnx (ViT-base INT8, ~90 MB)
When the deepfake model file is present, a binary genuine/deepfake classifier is wired into the pipeline after MAD. The model is fine-tuned on a diverse dataset of real and AI-generated face images.
- Requests with fake_score > 0.50 (configurable) are rejected with HTTP 422.
- Useful for deployments where AI-generated synthetic faces are part of the threat model.
Quality gating
Model: ediffiqa_tiny.onnx (eDifFIQA Tiny, ~2 MB)
Face image quality is measured before embedding extraction. This serves both accuracy and security goals: low-quality images are more susceptible to spoofing and produce unreliable embeddings.
- Images with quality_score < 0.40 (configurable) are rejected with HTTP 422.
- ISO/IEC 29794-5 aligned quality measurement.
Head pose gate [optional]
When the head pose model is present, extreme-profile faces (default: |yaw| > 45°) are rejected before PAD and quality stages. Profile faces are both unprocessable by the biometric pipeline and commonly associated with partial-face spoofing attempts.
Data privacy
No raw imagery on disk
Raw image bytes are held in volatile memory only for the duration of pipeline processing. The align stage drops image_bytes from the pipeline context after producing the 112×112 aligned crop; the extract stage drops crop after producing the embedding. Neither the raw image nor the aligned crop is written to disk at any point.
This is enforced by structure — the pipeline context/payload split means downstream stages never receive keys that were dropped upstream. There is no configuration flag or policy to bypass this; the architecture makes persistence impossible.
Embedding storage only
The gallery stores 512-dim float32 L2-normalised embeddings (2 KB each). Embeddings cannot be reversed to reconstruct the original face image. Subject metadata (subject ID, partition, custom metadata fields) is stored separately from the embedding vector.
Epochal index model
FAISS indexes are immutable snapshots. Mutations (enrolment, deletion) are recorded as events via EventLogPort and applied during compaction to produce a new index version. There is no in-place mutation of a live index. Deletion events are honoured in the next compaction cycle; the event log is the authoritative record.
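The snapshot-and-compaction behaviour described above, as an added example that is not UFME code. A read-only dict stands in for the FAISS index, and `Snapshot`, `compact`, `best_match` and `pending_deletes` are hypothetical names; the last one is the check an operator would use to measure how long a logged deletion stays searchable.

```python
from dataclasses import dataclass
from types import MappingProxyType

@dataclass(frozen=True)
class Snapshot:
    """One immutable index version; a dict stands in for the FAISS index."""
    version: int
    vectors: MappingProxyType   # subject_id -> L2-normalised embedding

def compact(live, events):
    """Replay logged events in order over a copy and return the next version."""
    vectors = dict(live.vectors)
    for kind, subject_id, embedding in events:
        if kind == "enrol":
            vectors[subject_id] = embedding
        elif kind == "delete":
            vectors.pop(subject_id, None)
        else:
            raise ValueError(f"unknown event kind: {kind}")
    return Snapshot(live.version + 1, MappingProxyType(vectors))

def best_match(snapshot, query):
    """Inner-product search; equals cosine similarity on normalised vectors."""
    scored = ((sum(a * b for a, b in zip(vec, query)), sid)
              for sid, vec in snapshot.vectors.items())
    return max(scored, default=(0.0, None))[1]

def pending_deletes(live, events):
    """Subjects whose latest event is a delete but who are still searchable."""
    latest = {subject_id: kind for kind, subject_id, _ in events}
    return sorted(s for s, kind in latest.items()
                  if kind == "delete" and s in live.vectors)

# Constructed data: 3-dim vectors instead of 512-dim to keep the sample short.
EMPTY = Snapshot(0, MappingProxyType({}))
V1 = compact(EMPTY, [("enrol", "alice", (1.0, 0.0, 0.0)),
                     ("enrol", "bob", (0.0, 1.0, 0.0))])
LOG = [("delete", "alice", None)]   # logged after V1 was published
V2 = compact(V1, LOG)
```

Until `V2` replaces `V1` as the live snapshot, `best_match(V1, ...)` can still return the deleted subject, so the compaction interval bounds the erasure latency.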
API security
Authentication
UFME’s REST gateway enforces API key authentication on all biometric endpoints. The key is passed as the Authorization: Bearer <key> header. Invalid or absent keys receive HTTP 401.
The demo server (make demo) runs without authentication for local development. Authentication is enforced in production deployments via the gateway configuration.
Transport security
All external traffic must use TLS. Internal gRPC traffic between the API gateway and FAISS shards is confined to the cluster network (no external IP addresses). In Kubernetes deployments, service-to-service communication uses cluster-internal DNS.
In the GCP benchmark configuration, VMs have no external IP addresses. All outbound internet access routes through Cloud NAT; SSH access is tunnelled through Identity-Aware Proxy (IAP).
Security gate summary
| Gate | Stage | Default threshold | HTTP status on reject | Standard |
|---|---|---|---|---|
| PAD | 6 | spoof_score > 0.85 | 451 | ISO 30107-3 |
| MAD | 7 | morph_score > 0.75 | 422 | — |
| Deepfake | 8 (optional) | fake_score > 0.50 | 422 | — |
| Quality | 9 | score < 0.40 | 422 | ISO 29794-5 |
| Head pose | 5 (optional) | \|yaw\| > 45° | 422 | — |
All thresholds are configurable at deployment time. See Configuration Reference for the full threshold reference and environment variable overrides.
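How the table resolves when a request trips more than one gate, as an added example rather than UFME's implementation. The `evaluate` function, the `yaw` key, the override mapping and the fail-closed handling of a missing mandatory score are assumptions; the stages, thresholds and status codes are the table's.

```python
# (stage, gate, score key, reject test, default threshold, HTTP status on reject)
GATES = [
    (5, "head_pose", "yaw", lambda v, t: abs(v) > t, 45.0, 422),
    (6, "pad", "spoof_score", lambda v, t: v > t, 0.85, 451),
    (7, "mad", "morph_score", lambda v, t: v > t, 0.75, 422),
    (8, "deepfake", "fake_score", lambda v, t: v > t, 0.50, 422),
    (9, "quality", "quality_score", lambda v, t: v < t, 0.40, 422),
]
OPTIONAL = {"head_pose", "deepfake"}   # skipped when the model file is absent

def evaluate(scores, overrides=None):
    """Return (status, gate) for the first rejecting gate, or None if all pass."""
    thresholds = overrides or {}
    for _, gate, key, rejects, default, status in sorted(GATES, key=lambda g: g[0]):
        if key not in scores:
            if gate in OPTIONAL:
                continue
            # A mandatory gate without a score must never pass silently.
            raise ValueError(f"missing mandatory score: {key}")
        if rejects(scores[key], thresholds.get(gate, default)):
            return status, gate
    return None

# Constructed scores for one request that passes every mandatory gate.
GOOD = {"spoof_score": 0.10, "morph_score": 0.20, "quality_score": 0.80}
```

Because gates run in stage order, a request that fails both PAD and quality is reported as 451 from PAD, and a score exactly equal to its threshold passes since every comparison is strict.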
Compliance notes
| Standard | Scope | Status |
|---|---|---|
| ISO/IEC 30107-3 | Presentation attack detection | Level 1 (print/replay) — MiniFASNetV2 |
| ISO/IEC 29794-5:2025 | Face image quality | Aligned — eDifFIQA(T) inline; OFIQ adapter available for offline compliance reporting |
| GDPR / data minimisation | No raw imagery persisted | Enforced by architecture, not policy |
For offline ISO 29794-5 compliance reporting (e.g., audit exports), the OfiqQualityAdapter in src/adapters/outbound/ofiq_adapter.py wraps the BSI OFIQ CLI binary and produces standards-aligned quality reports.