SCORING · WEIGHTS · THRESHOLDS

The variables behind
every decision

Every score that gates an authentication is a number you can read. This is the full set — what each one means, what it's set to, and whether you can change it in your tenant.

SNAPSHOT 2026-06-26 · SOURCE: LIVE ENGINE CONFIG · GET /v1/engine/config
TENANT-TUNABLE OPERATOR DEFAULT HARD FLOOR — LOCKED
ENGINE 1 · VAC BIOMETRIC — HOW A VERIFICATION PASSES

Each row produces a 0–1 score; the composite is their weighted sum and must clear the threshold for the action's risk level — higher-risk actions demand a higher composite. These four are the composite's weighted inputs, not the full modality list: VAC's biometric engine runs seven modalities in all (face liveness, deepfake, speech match, lip-sync, challenge, finger gesture, duress — see standards), captured chiefly through the video-liveness and voice inputs above.

ModalityWeightConfigurable
Video liveness — live human on camera0.35
TENANT
Voice — spoken-digit match0.25
TENANT
OTP — possession factor0.20
TENANT
Geolocation — corroborating signal0.20
TENANT
composite = Σ (modality_score × weight) · main.py · weights sum to 1.00
Geolocation is a corroborating signal, not a standalone gate. Today it scores 0.8 when coordinates are present and 0.3 when absent — "present" currently means non-zero coordinates, not an allow-region check. An enforced geo-fence (allowed jurisdiction passes; out-of-policy steps up or denies) is the build that turns this rail into a first-class assurance input. The haversine distance primitive is already proven in group-presence voting; wiring it into the auth decision is on the roadmap.
aligns with

NIST SP 800-63-4 risk-based controls. The standard contemplates exactly this: authentication from an unexpected geolocation may prompt additional risk-based controls — while being explicit that such fraud indicators do not by themselves change the assurance level or substitute for a factor. VAC treats geo the same way: a signal that can trigger step-up, never a standalone factor.

PASS THRESHOLDS BY RISK LEVEL

The composite must reach this bar. The action's risk level is set server-side, so a client cannot understate it.

Low
0.30
view / open credential
Medium
0.50
default
High
0.70
elevated actions
Critical
0.85
mint / spend / seal
thresholds = {low:0.3, medium:0.5, high:0.7, critical:0.85} · main.py
maps to

NIST SP 800-63-4 (July 2025) assurance model. These graduated tiers are structured to map onto the standard's risk-based assurance levels (IAL / AAL / FAL). Under 800-63, an assurance level is a property of the whole authentication ceremony and deployment, determined formally with your auditor — not a value any vendor self-declares. The structure here is designed to support that determination, not assert it.

note

In NIST's strict vocabulary, biometrics are a strongly-bound activation factor rather than a standalone authenticator. VAC binds the live-human check to the session and token accordingly — the binding the standard calls for.

ENGINE 1 · IDENTITY FLOORS — THE BARS THAT NEVER MOVE

Some values are deliberately not tenant-tunable. These are the identity floors: loosening them would let a look-alike through, so they're pinned in code even if an environment knob is widened.

FloorValueMeaningStatus
Face-embedding match≤ 0.50Euclidean distance vs enrolled 128-D template. Genuine clusters ~0.30; look-alikes near ~0.60.FLOOR
Fast-tier face cap0.50The light re-auth path drops the full video sweep, so its identity bar is pinned — never looser than full.FLOOR
Liveness / voice / lip-sync floor0.50Reject near-zero scores on each primitive; a real match scores above, a mismatch at or below.OPERATOR
Deepfake deny likelihood0.50Above this assessed likelihood, the verdict denies regardless of other scores.OPERATOR
FACE_EMBED_MATCH_THRESHOLD · FAST_REAUTH_MAX_FACE_DISTANCE · config.py · 0.50 also pinned literally at the decision site
certified

Liveness detection: ISO/IEC 30107-3. The presentation-attack-detection component is independently certified — iBeta Level 1 PAD, 0% attack-success across 360 attempts, NIST/NVLAP-accredited lab. Level 1 covers presentation attacks (print, screen, replay); injection resistance is defence-in-depth via cross-modal binding, with VAC's own 30107 certification planned for Q4 2026.

ENGINE 1 · FRESHNESS — WHEN A RE-VERIFICATION IS REQUIRED

A verification has a shelf life. Inside the window a recent pass still counts; outside it, the action forces a re-auth. The level of that re-auth — fast single-digit vs full tri-modal — is chosen by the risk engine, not by this clock.

SettingValueGovernsConfigurable
Action re-auth freshness300 sA biometric pass counts as fresh for an action for 5 minutes.TENANT
Full-baseline max age600 sA quick re-auth may stand in for a full one on a non-repudiable action only if minted off a recent full auth — never quick-from-nothing.FLOOR
Co-occurrence tolerance1200 msShown finger-pose and spoken digit must fall within this window — same human said and showed the digit in one clip.OPERATOR
maps to

NIST SP 800-63-4 reauthentication. The standard sets reauthentication-time requirements that tighten at higher assurance levels. This freshness window is that kind of control — tenant-tunable down to the interval your auditor or policy requires for each tier.

TRUST-DECAY TIERS

Confidence in a past verification decays with time. These tiers set the bands.

TierAgeRelative freshnessConfigurable
Full≤ 1 hour
TENANT
High≤ 24 hours
TENANT
Moderate≤ 7 days
TENANT
Aging≤ 30 days
TENANT
FRESHNESS_TIER_* · config.py
ENGINE 1 · ACTION SENSITIVITY — WHAT EACH ACTION IS WORTH

Each action carries an inherent sensitivity, declared server-side — one input to the risk engine. Context (repeated failures, unknown device, low trust, location) can still escalate a low-sensitivity action. An unrecognised action fails closed at critical.

ActionSensitivityTypical re-auth tier
View / open credentiallowFast — single-digit, no video sweep, ~2s
Approve spendcriticalFull tri-modal
Revoke delegation · export keyscriticalFull tri-modal
Delete account · change governancecriticalFull tri-modal
Mint · delegatecriticalFull tri-modal
Seal decision — binding, non-repudiablecriticalFull — explicitly declared, Law Society reviewable
Unknown actioncriticalFail-closed by two independent mechanisms
ACTION_SENSITIVITY · DEFAULT="critical" (literal, not env-configurable) · config.py
CONFIGURED TO YOUR REQUIREMENTS

Every tenant-tunable value above can be set for your purpose, applying to your tenant only. A regulated workforce might tighten freshness to 60 seconds and require an enforced geo-fence; a low-friction consumer flow might widen it. What you cannot do — by design — is move a hard floor, because that's the line that protects everyone on the platform, including you.

The config meets the requirement you declare. You state your own rule — "every privileged action re-verifies within 5 minutes," "this jurisdiction only," "critical actions demand full tri-modal" — and the live config is set to satisfy it. Your own compliance officer reads the numbers and confirms they meet your standard. That's the match that matters most: not our claim, your requirement.

Structured around NIST SP 800-63-4. The assurance tiers, reauthentication timing, and risk-based controls are designed to map onto the framework most high-assurance organisations already benchmark against. Formal assurance-level determination is made with your auditor, against your deployment — the structure here is built to support that, in the standard's own terms.

You're in control of how it scores. The scoring isn't a sealed box you trust on faith — it's a config you read, question, and request changes to. The floors stay locked; everything above them is yours to shape. That's what makes the decision defensible when a regulator, a court, or your own board asks how it was made.

SNAPSHOT OF LIVE ENGINE CONFIGURATION · 2026-06-26 · SESSION 119
Authoritative source is the running config (GET /v1/engine/config); values here are a dated read and may lag a live change.
Standards verified against current revisions (NIST SP 800-63-4, Jul 2025; ISO/IEC 30107-3). eIDAS / PSD2 SCA mapped on request.
VAC PROTOCOL · VIOLET SHORES