ReachTech Identity Architecture
1. Purpose and Scope
This document specifies the technical architecture for ReachTech's Human-Centric Authentication (HCA) framework. It serves as the engineering companion to "Your Name Is Your Name" (Document A), which presents the philosophical and economic case for contextual identity.
HCA is designed for deployment across three initial ReachTech products: EnRoute (corridor-based delivery and rideshare), Jackson AI (personal AI companion), and Ghost Mobile (privacy-first mobile phone service).
This specification acknowledges that risk-based authentication, adaptive MFA, behavioral biometrics, and on-device biometric processing are established fields with significant prior art. ReachTech's contribution is not the invention of these components but their integration into a cohesive, human-centric system that prioritizes user dignity, transparency, and zero data extraction.
1.1 Design Principles
Principle 1: The system recognizes the human. The human does not authenticate to the system.
Principle 2: Your face opens the door. Your voice confirms you walked through it willingly.
Principle 3: Biometric data never leaves the device. This is an architectural constraint, not a policy choice.
Principle 4: Every signal collected is disclosed to the user. There is no covert data collection.
Principle 5: Security rigor scales with the value at risk. A delivery ride does not require the same posture as a wire transfer.
Principle 6: The system must work for a 72-year-old who has never heard the word "keychain" and a 22-year-old who has never carried cash.
1.2 Proportional Security
A fundamental critique of modern authentication is that it applies uniform security regardless of what is being protected. A login to check a delivery ETA requires the same friction as a wire transfer. This is disproportionate.
HCA implements proportional security: authentication rigor scales with the value at risk. An EnRoute account with a cash-loaded credit balance does not contain credit card numbers, bank account details, Social Security numbers, or advertising profiles. The maximum financial exposure is the credit balance, loaded with cash. A compromised EnRoute account gives the attacker access to a ride they must pay for in person.
Furthermore, the data ReachTech collects has no extraction value. The system may know that a customer prefers Coke Zero, that their father recently passed away and conversations should be handled gently, or that they typically travel the Wichita-to-Salina corridor on Thursdays. This is relational context — data that exists to make the service more human. A hacker who steals it has stolen nothing worth selling.
1.3 Prior Art: The Gaming Industry
Nobody asks for your password when you arrive at a casino.
The technology HCA describes is not theoretical. It has been in production for over twenty years — in casinos.
Las Vegas casinos and tribal gaming operations such as the 7 Clans Casino in Oklahoma have deployed the most sophisticated real-time facial recognition, behavioral tracking, and contextual personalization systems in the world. They identify patrons the moment they walk through the door. They track location across the floor. They model behavior in real time. They dynamically adjust slot machine payout rates based on individual behavioral patterns. They time the arrival of complimentary drinks to the exact moment a patron's resolve is weakening. They calibrate the patron's emotional state so precisely that when they leave, they feel unlucky rather than exploited.
This is relevant to HCA for one reason: the gaming industry proved that face recognition, voice identification, behavioral modeling, and real-time contextual analysis work at scale, across thousands of simultaneous users, in noisy and visually complex environments, with extremely high accuracy. The core technology underlying HCA is not a research project. It is a mature, battle-tested capability that has been commercially deployed for decades.
The reason banks and technology platforms have not adopted similar systems for customer authentication is not a technology limitation. It is an incentive misalignment. The gaming industry uses contextual identity to optimize extraction: how much can we take from this person before they leave? HCA proposes to use the same signals to optimize dignity: how can we recognize this person, protect their identity, and make every interaction feel like being known rather than interrogated?
The extraction economy and the dignity economy use the same tools. The only difference is which direction they point.
2. The Face-First Authentication Flow
Version 0.1 used a name-first flow: the user typed their name, the system searched for candidates, and the face resolved among them. Peer review identified a fundamental flaw: how do candidate face embeddings reach the device without a privacy violation?
Version 0.2 inverts the flow. The face comes first. The device already knows who you are because your face was enrolled on this specific device. No candidate set is needed. No server is involved.
2.1 The Three-Step Sequence
Step 1 — Face: The user opens the app or device. The camera performs a face match against enrolled profiles stored on-device. This is a 1:1 match (single user) or 1:N where N is the number of profiles on this device (typically 2-5 in household scenarios). No data leaves the device.
Step 2 — Voice ("Name, please"): The system prompts: "Name, please." The user speaks their name. Three things happen simultaneously: (a) confirmation that a living human is present — a thief holding the phone to an unconscious face cannot pass this step; (b) voice biometric match against the stored voice embedding; (c) duress analysis comparing cadence, pitch, rhythm, and stress markers against the user's baseline.
Step 3 — Contextual Scoring: Device fingerprint, geolocation, time of day, and behavioral consistency combine with face and voice scores to produce a composite confidence score. Access is granted, challenged, or denied based on the score and the user's security tier.
2.2 Per-Device Enrollment
Each device is enrolled separately. When a user accesses HCA on a new device:
EnRoute (Community Tier): A pace car driver or verified user confirms identity in person. Face and voice enrollment occur on the user's device during this interaction.
Jackson AI (Standard Tier): The user authenticates on the new device via password or push notification to an existing trusted device. Face and voice enrollment follow.
Ghost Mobile (Protected Tier): Enrollment occurs in person at an activation point or via video verification. Government ID is checked by a human (not scanned or stored).
After enrollment, the device knows exactly whose face and voice to expect. It simply recognizes the person it has already met — the same way a friend recognizes you when you walk into a room.
3. Tiered Security Model
Users select their tier during enrollment and can change it at any time. Each tier adjusts duress detection sensitivity, confidence thresholds, and available response options.
3.1 Community Tier — "Show Me Your Face, Tell Me Your Name"
Designed for users like Regi — a 72-year-old who does not know what a keychain password is. Open the app, the system sees your face, say your name, you are in.
The system learns the voice baseline from the first login. Duress detection is passive — the system monitors for anomalies but takes no automatic action. If a significant voice anomaly is detected, it may ask: "Everything okay today?"
3.2 Standard Tier — Active Verification
Active voice biometric matching and real-time duress analysis on every login. Users may configure a duress phrase — a specific way of saying their name that triggers restricted access and a silent alert to a trusted contact. The restricted view is visually indistinguishable from a normal login.
3.3 Protected Tier — Maximum Control
For users facing active legal, political, or personal threats. Configurable kill phrases trigger immediate defensive actions:
Lock: Device locks. Biometric authentication disabled. Password (Fifth Amendment-protected) required to reopen.
Wipe: Specified data categories are securely erased. Silent. Instantaneous. User pre-configures what gets wiped.
Decoy: Device presents a clean environment — innocuous apps, separate contacts, no access to protected data. The real environment is encrypted until the correct password is entered.
Kill phrases are processed on-device, stored as hashed embeddings, and cannot be recovered through forensic examination.
4. Dynamic Confidence Scoring
Version 0.2 replaces static weights with context-aware dynamic scoring. Signal weights shift based on environmental conditions.
| Signal | Base Weight | Dynamic Adjustment |
|---|---|---|
| Face Match | 0–35 | Reduced in low light, partial occlusion, or degraded camera. Reports confidence level, not binary yes/no. |
| Voice Match | 0–25 | Reduced in noisy environments. Increased on high-confidence match. |
| Device | 0–20 | Known = 20. Recent = 10. Unknown = 0. Jailbroken = reduced by 10. |
| Location | 0–10 | Home = 10. Usual city = 7. Traveling = 3. New country = 0. |
| Behavior | 0–5 | Consistent patterns = 5. Anomalous = 0. Supplementary only. |
| Password | Override | Not a weighted signal. Correct password serves as threshold override in low-confidence scenarios. |
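The table above and Step 3 of section 2.1 can be read as the following scoring routine. This is an added example, not ReachTech code: the multiplicative quality factors, the `GRANT_AT` and `PASSWORD_FLOOR` cut-offs, and all identifier names are assumptions, and per-tier thresholds are not modelled.

```python
from dataclasses import dataclass

# Caps and point values are the ones in the section 4 table.
FACE_MAX, VOICE_MAX, BEHAVIOR_MAX = 35, 25, 5
DEVICE_POINTS = {"known": 20, "recent": 10, "unknown": 0}
LOCATION_POINTS = {"home": 10, "usual_city": 7, "traveling": 3, "new_country": 0}
JAILBREAK_PENALTY = 10

# ASSUMPTIONS (not in the spec): decision cut-offs. PASSWORD_FLOOR keeps the
# password from ever being the sole factor, as section 9.3 requires.
GRANT_AT = 70
PASSWORD_FLOOR = 20

@dataclass
class Signals:
    face_conf: float = 0.0      # matcher confidence, 0.0-1.0 (0 if no camera)
    face_quality: float = 1.0   # ASSUMED capture-quality factor, 0.0-1.0
    voice_conf: float = 0.0     # matcher confidence, 0.0-1.0 (0 if no mic)
    voice_quality: float = 1.0  # ASSUMED noise factor, 0.0-1.0
    device: str = "unknown"
    jailbroken: bool = False
    location: str = "new_country"
    behavior_consistent: bool = False
    password_ok: bool = False

def _unit(x: float) -> float:
    # min()/max() would turn NaN into 1.0, so NaN is mapped to 0 (fail closed).
    return max(0.0, min(1.0, x)) if x == x else 0.0

def composite_score(s: Signals) -> float:
    face = FACE_MAX * _unit(s.face_conf) * _unit(s.face_quality)
    voice = VOICE_MAX * _unit(s.voice_conf) * _unit(s.voice_quality)
    # Unrecognised device or location states score 0 rather than raising.
    device = DEVICE_POINTS.get(s.device, 0)
    if s.jailbroken:
        device = max(0, device - JAILBREAK_PENALTY)
    location = LOCATION_POINTS.get(s.location, 0)
    behavior = BEHAVIOR_MAX if s.behavior_consistent else 0
    return face + voice + device + location + behavior

def decide(s: Signals) -> str:
    score = composite_score(s)
    if score >= GRANT_AT:
        return "grant"
    if score >= PASSWORD_FLOOR:
        # Password is an override, not a weighted signal.
        return "grant" if s.password_ok else "challenge"
    return "deny"
```

With the table's caps the maximum composite is 95, and the sensor-free fallback (known device at home) tops out at 30, so any grant threshold has to be calibrated with those ceilings in mind.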
5. Threat Model
5.1 Adversary Tiers
Tier 1 — Opportunistic: Casual thief, nosy acquaintance. HCA defends fully.
Tier 2 — Targeted: Ex-partner, identity thief. HCA defends substantially through dual biometric requirement and duress detection.
Tier 3 — Sophisticated: Organized crime, state actor. HCA raises the cost of attack significantly but does not claim full defense. High-value accounts should supplement with hardware keys.
5.2 Attack Vectors
5.2.1 Stolen Device
5.2.2 Presentation Attack (Deepfake / Photo)
5.2.3 Coercion
5.2.4 SIM Swap
5.2.5 Model Poisoning
5.2.6 Session Hijacking
5.3 Impact on Identity Theft
HCA substantially increases the cost and reduces the scalability of remote credential-based attacks, which represent the overwhelming majority of identity theft today. An attacker cannot use a stolen SSN to generate a matching face and voice. The attack surface is collapsed from "type stolen data into a form" to "produce a real-time deepfake while physically present." These are fundamentally different threat levels.
5.3.1 The Farmer State Bank Model
On April 3, 2026, a ReachTech founder called Farmer State Bank in Oakley, Kansas, to request a $900 wire transfer. The teller processed the wire based on five contextual signals: the caller's name, his voice, his father's presence at the bank that morning, the same wire recipient as the preceding months, and community knowledge. No password. No code. No second device.
HCA digitizes this process. Small-town banks have been running human-centric authentication for a century. The problem is not that nobody knows how to do this. The problem is that when banking went digital, the teller's judgment was replaced with a password field and called progress.
6. Continuous Biometric Evolution
Both face and voice embeddings evolve with every high-confidence authentication (score 70+). The blend rate is conservative: less than 2% influence per session. Gradual changes — aging, weight change, vocal shifts — are absorbed without hitting a recognition cliff.
A Biometric Health dashboard shows last update date and model confidence. Through Jackson AI, the system may optionally acknowledge visible changes ("New haircut — looks good."). This is configurable.
Anti-drift protections: updates only on 70+ sessions; 2% blend cap; drift beyond threshold triggers password-only access; all checkpoints signed and tamper-evident; 90-day rollback window.
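The update gate, blend cap, and drift lock listed above can be sketched as follows. This is an added example, not ReachTech code: measuring drift as cosine distance from the enrolment embedding, the `DRIFT_LIMIT` value, and all names are assumptions, and checkpoint signing and rollback are not shown.

```python
import math

UPDATE_MIN_SCORE = 70  # from the spec: update only on 70+ sessions
BLEND_CAP = 0.02       # from the spec: 2% blend cap
DRIFT_LIMIT = 0.25     # ASSUMPTION: max cosine distance from the enrolled anchor

def _normalize(v):
    norm = math.sqrt(sum(x * x for x in v))
    if norm == 0:
        raise ValueError("zero-length embedding")
    return [x / norm for x in v]

def cosine_distance(a, b):
    a, b = _normalize(a), _normalize(b)
    return 1.0 - sum(x * y for x, y in zip(a, b))

class EvolvingTemplate:
    def __init__(self, enrolled):
        self.anchor = _normalize(enrolled)  # enrolment reference, never updated
        self.current = list(self.anchor)
        self.password_only = False

    def observe(self, sample, score, blend=BLEND_CAP):
        """Blend one session's embedding into the template; report the outcome."""
        if self.password_only:
            return "locked"
        if score < UPDATE_MIN_SCORE:
            return "skipped"
        if len(sample) != len(self.anchor):
            raise ValueError("embedding dimension mismatch")
        rate = max(0.0, min(blend, BLEND_CAP))  # caller cannot exceed the cap
        sample = _normalize(sample)
        candidate = _normalize(
            [(1 - rate) * c + rate * s for c, s in zip(self.current, sample)]
        )
        # Reject the update that would cross the limit and fall back to password.
        if cosine_distance(candidate, self.anchor) > DRIFT_LIMIT:
            self.password_only = True
            return "drift_lock"
        self.current = candidate
        return "updated"
```

Feeding the same off-target embedding at a passing score on every session moves the template by at most 2% each time, so with these assumed values the lock trips after roughly 40 sessions rather than letting the template walk away from enrolment unnoticed.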
7. Account Lifecycle
7.1 Enrollment
Per-device and tiered by product. Face and voice enrollment occur simultaneously during setup. Community Tier requires in-person vouching. Standard requires password or trusted device push. Protected requires in-person verification with government ID.
7.2 Account Recovery
Path 1 — Password: Primary fallback when biometrics fail.
Path 2 — Trusted Contact: 1-3 designated contacts initiate recovery with mandatory 24-72 hour waiting period. Account holder is notified immediately and can cancel.
Path 3 — In-Person: Re-verify identity at a ReachTech-affiliated location with a human.
Path 4 — Physical Key: Printed one-time recovery code. ReachTech does not retain a copy.
7.3 Device Transfer
New device: authenticate via password → enroll face and voice → old device deprecated after 30 days. If password is unknown: Trusted Contact or In-Person recovery. No verification codes sent to phone numbers.
7.4 Legacy Contact
A designated person who can access the account after the user's death or incapacitation. Requires: their own authentication, 7-day waiting period, no cancellation by the account holder. Grants read-only access and ability to close the account. No transactions.
8. Accessibility and Shared Devices
Visual impairment: Voice becomes primary biometric. Face optional. Authentication: voice + device + location + password if needed.
Facial differences or progressive conditions: Continuous biometric evolution tracks gradual changes. Acute changes use Trusted Contact or In-Person recovery.
Cultural or religious objections: Opt out of face and voice. Authenticate via password + device + location. No penalty.
Shared devices: Multiple enrolled profiles. Face match at Step 1 identifies which user is present. Household mode (PIN toggle) available at Community Tier.
Hardware failure: Camera or microphone unavailable → password + device + location. System explains: "We can't see or hear you right now. Please enter your password."
9. Regulatory Compliance
9.1 BIPA (Illinois)
Explicit written consent for biometric collection from all users, regardless of state, as a matter of policy. Biometric data never leaves the device. Retention: deleted on device wipe, account deletion, or user opt-out. Legal counsel review required.
9.2 GDPR and CCPA/CPRA
Face and voice data are special category / sensitive personal information. Legal basis: explicit consent. Users may opt out at any time. Biometric-free path available at all tiers.
9.3 Password Policy
No complexity requirements. Passwords are never the sole factor. Advisory warnings for very short or common passwords. When a password is used outside the full multi-signal context (e.g., Panic Mode), a stronger password is recommended for that scenario. ReachTech maintains cyber liability insurance.
10. FIDO2 and Passkey Compatibility
HCA is built on top of FIDO2/WebAuthn. The device signal is a passkey stored in the secure enclave. Face and voice provide the human proof. The user never sees or manages the passkey.
On devices without camera or microphone, authentication falls back to passkey + password — standard WebAuthn with an additional identity layer.
11. Limitations and Non-Goals
Nation-state adversaries: Beyond scope. Supplement with hardware security keys.
Server-side breaches: HCA secures authentication. Infrastructure requires separate controls.
Enrollment fraud: Fake ID during verification can create a fraudulent account. HCA does not solve identity proofing beyond human judgment.
Universal biometric accuracy: Non-zero false rejection and acceptance rates. Phase 1 calibration establishes baselines.
Devices without sensors: HCA degrades gracefully but cannot provide full posture on hardware lacking biometric capability.
12. Implementation Roadmap
Phase 1 — EnRoute MVP (Q2-Q3 2026)
Community Tier. Face + spoken name. Voice baseline learning. Confidence scoring logging-only for 90 days to calibrate thresholds on real-world data.
Phase 2 — Jackson AI + Standard Tier (Q3-Q4 2026)
Active voice matching and duress detection. Continuous biometric evolution. Biometric Health dashboard. Behavioral signals with explicit consent.
Phase 3 — Ghost Mobile + Protected Tier (2027)
Full HCA at OS level. LiDAR for face PAD. Kill phrases. FIDO2 passkey layer. BIPA/GDPR compliance review with counsel.
Phase 4 — Open Protocol (2028+)
Publish HCA as open specification. Third-party adoption. Decentralized identity compatibility. The goal: HCA becomes a standard, not a proprietary feature.