Foundational Security Architecture
for Digital Finance in the AI Era

A Full-Stack Security System Based on Physical-Space Admission, Triple-Photo Timestamp Alignment, Unextractable Behavioral Cryptography, and Full-Spectrum Duress Defense

---

IIntroduction: The Divergence Between Recording and Alignment

Human civilization’s use of imagery began with a simple purpose — recording the physical world. From prehistoric cave paintings to Renaissance oils, from daguerreotypes to digital photography, each advance in imaging technology improved one core capability: more accurately and efficiently reproducing events that actually occurred in the physical world.

AI image generation technology has fundamentally disrupted this paradigm. Generative models such as GPT Image-2 do not aim to “record” the physical world, but to “align” with the idealized image in human cognition. Every pixel generated by AI is a statistically optimal solution — aligned to the distribution of “what images should look like” in training data, rather than the authentic traces of any physical event.

IIThe Physical Chasm AI Cannot Align

Despite achieving remarkable visual fidelity, AI generation technology faces systematic, insurmountable chasms in aligning physical causal relationships:

2.1 Geometric Causality

Mirror reflections represent the most persistent failure domain in AI-generated images. In real photographs, lines connecting objects to their mirror reflections converge at a vanishing point — an inevitable consequence of perspective geometry. Research shows that even a 40% increase in model parameters yields no statistically significant improvement in reflection accuracy^[1] — because mirrors require not merely pixel fidelity, but recursive geometric spatial consistency.

2.2 Light-Shadow Causality

Traditional computer graphics (CGI) generates images by modeling 3D scene geometry, lighting, and virtual cameras, accurately capturing shadows and reflections. AI-generated images learn statistical distributions from vast collections of real images, lacking any explicit 3D world model^[2]. This leads to contradictory shadow directions across objects and reflections that violate optical laws.

2.3 Physical Support and Anatomical Causality

AI-generated images frequently feature objects floating in mid-air without visible support; body parts are treated as independent visual features, resulting in extra fingers, impossible joint bends, and disproportionate limbs.

2.4 Sensor Physical Fingerprint (PRNU)

Every camera sensor carries unique defects from its manufacturing process — pixel-level Photo Response Non-Uniformity (PRNU). Real photographs typically exhibit noise variance between 0.001–0.01, while AI images show anomalously low variance (below 0.0005) or synthetic uniform patterns^[3]. The pixel relationships in AI-generated images are “too clean” — clean to a degree impossible for output from a flaw-ridden physical system.

IIIThe Comprehensive Collapse of Existing Authentication Systems

The physical chasms described above do not constitute a reliable defense. AI can simulate “imperfections” through prompts (film grain, chromatic aberration, lens distortion), and every authentication mechanism humanity relies upon has been breached or is under active attack:

Auth. Layer	Mechanism	Breach Status	Attack Method
EXIF Metadata	Camera model, lens params, GPS, timestamp	Fully compromised	ExifTool: single command forges all fields
Visual “Imperfections”	Film grain, chromatic aberration, noise, vignette	Simulable	Prompts specifying camera model & lens characteristics
C2PA Hardware Signing	Camera chip-level digital signatures	Bypassed	Nikon Z6 III multi-exposure vulnerability (Sept. 2025)
PRNU Sensor Fingerprint	Unique noise pattern from sensor manufacturing defects	Injection attacks exist	PRNU transfer attack: 85.5% bypass rate[4]

In September 2025, security researcher Adam Horshack discovered a critical vulnerability in the Nikon Z6 III: through multi-exposure mode, AI-generated images could be encoded into Nikon’s proprietary NEF format and receive C2PA signature certification^[5]. Nikon was subsequently forced to suspend its authentication service and revoke all issued certificates^[6]. This demonstrates that even the most advanced hardware-level cryptographic signing can be circumvented at the implementation level.

IVThe Societal Cost of Trust Collapse

4.1 Judicial System

A defense attorney need only challenge: “Prove this footage was not generated by AI” — and the burden of proof instantly shifts. The “Liar’s Dividend” enables genuine criminals to evade justice by claiming all incriminating imagery is fabricated.

4.2 Financial System

The China Internet Finance Association’s 2025 report shows direct economic losses from AI deepfakes exceeding 1.8 billion RMB^[7]. In one landmark case, a Hong Kong employee was defrauded of HK$200 million in a multi-person “video conference” where every participant except the victim was AI-generated^[8]. Criminal syndicates have defrauded banks of over 80 million RMB through fabricated bank statements, forged collateral images, and adversarial sample injection^[9].

4.3 News and Interpersonal Trust

When genuine atrocities are photographed, perpetrators can simply claim “it’s AI-fabricated.” Video calls can no longer confirm whether the other party is a real person or a real-time AI face-swap. Human society risks retreating to a state where only face-to-face contact can establish trust.

4.4 The Accountability Vacuum of AI Generation Technology

Every firearm manufactured by arms dealers carries a serial number and unique barrel rifling — ballistics experts can trace each bullet to a specific weapon. International arms trade is regulated by the Arms Trade Treaty. AI generation models, by contrast, are completely untraceable: generated images carry no provenance information, leave no generation traces, and bind no generator identity. Arms dealers bear more traceability responsibility than AI companies.

VTheoretical Foundation: Time Synchronization in Distributed Systems

The theoretical foundation of the verification mechanism proposed herein derives from a first principle of distributed systems: In precision-critical distributed systems, “time synchronization” is the cornerstone of all logic. If this cornerstone contains physical deviation, the entire system’s positioning function will rapidly collapse.

General relativity predicts gravitational time dilation: time flows more slowly in stronger gravitational fields. GPS navigation satellites orbit at 20,200 km altitude, where the gravitational environment differs from Earth’s surface, causing onboard atomic clocks to gain approximately 45 microseconds per day. Combined with the special-relativistic time dilation from high-speed orbital motion (approximately 7 microseconds per day slower), satellite clocks still gain roughly 38 microseconds per day. Since electromagnetic waves propagate at the speed of light, a 38-microsecond temporal deviation produces approximately 11 km of daily positioning error^[10].

The inverse application of this principle forms the theoretical foundation of our verification mechanism: The existence of physical deviation is itself the cornerstone of system authenticity. GPS requires correction for 38-microsecond relativistic deviations to achieve precise positioning; the verification system proposed herein requires detection of second-level communication delays and human operation time differences to precisely verify identity. Perfect time synchronization is actually suspicious — imperfect deviation conforming to physical laws is the signature of authenticity.

VIFull-Stack Security Architecture Overview

Based on the preceding analysis, this paper proposes a full-stack foundational security architecture for digital finance in the AI era. The architecture comprises six layers, defending progressively from physical world to digital space, with each layer’s output serving as the prerequisite for activating the next.

The architecture’s design philosophy: rather than competing with AI in the digital space where it holds absolute advantage, each defensive layer is anchored to the unforgeability of the physical world — the unforgeability of physical location (Layer 1), physical time (Layer 2), human biological characteristics (Layer 3), personal unconscious behavioral habits (Layer 4), human psychological state (Layer 5), and physical-world risk geography (Layer 6). Six layers combined form a full-spectrum defense system from physical world to digital space, applicable to bank transfers, securities trading, digital currencies, e-government, enterprise core system access control, and any scenario requiring remote identity confirmation.

VIIDesign Principles: Three Pillars

This paper proposes an entirely new verification approach: not “running faster on the track AI can breach,” but “ensuring AI cannot even find the track.” The core principles rest on three pillars:

7.1 The Irreplicability of the Physical World

AI’s absolute advantage lies in digital space — it can generate any pixel, any waveform, any text in milliseconds. But AI is paralyzed in physical space: it cannot remotely possess a hardware device, cannot simultaneously appear at two geographic locations, cannot manipulate the delivery of a physical letter. The verification system should drag the battlefield from digital space back to physical space.

7.2 The Unpredictability of Process

AI attacks presuppose a known target. If the verification process itself is random, unpredictable, and different every time, AI loses the ability to prepare attacks in advance. This is equivalent to the military principle of “unpredictable patrol routes.”

7.3 The Exponential Cost of Multi-Dimensional Cross-Verification

When the system randomly selects K combinations from N verification methods, attackers must simultaneously breach K independent dimensions. Each additional dimension increases attack cost exponentially, not linearly.

VIIILayer 1: Physical-Space Admission (Foundation)

The bottommost layer of the entire security architecture — before the verification process initiates, the system must first confirm that the device’s physical-space information satisfies admission conditions. The zeroth step of authentication is not “who are you” but “where are you.” Only after the physical-space admission check passes is the upper-layer triple-photo verification process permitted to activate.

8.1 Five-Source Cross-Verification Physical Positioning

The system simultaneously retrieves and cross-verifies five independent physical-space signals: GPS satellite positioning (precise but software-spoofable), cellular base station triangulation (harder to spoof, requires physical base station cooperation), WiFi access point fingerprinting (MAC addresses and signal strength characteristics can fingerprint specific locations), IP geolocation (coarse but eliminates obvious contradictions), and barometer/altitude data (phone’s built-in sensor, assists in determining whether user is in a basement or other anomalous space). All five positioning sources must be mutually consistent — if GPS says Seoul but cell tower signals belong to Phnom Penh, or the WiFi fingerprint matches a known VPN proxy node rather than a real location, admission is denied.

8.2 Tiered Geographic Fencing

Zone Level	Access Permission	Typical Scenario
Green Zone	Full functionality	User’s home city, frequently visited locations
Yellow Zone	Limited amounts	Unfamiliar but reasonable travel destinations
Orange Zone	Small amounts only	Major cities in unfamiliar countries
Red Zone	Completely closed	High-risk areas, remote wilderness, known crime zones

Users can proactively notify their bank of travel plans (e.g., “business trip to Bangkok next week”), and the bank temporarily adjusts that destination’s permission level. Unannounced appearances in unfamiliar regions trigger automatic permission downgrades. For accounts holding large deposits, outbound travel automatically reduces per-transaction limits to 10% of normal levels; large transactions require in-person bank visits.

8.3 Triple Shielding Effect

Physical-space admission simultaneously blocks three threat categories: AI remote attacks (request origin’s physical-location information fails admission — originating from data center IPs, VPN nodes, or missing GPS); hacker remote intrusions (phone GPS reports real location but control-command network routing characteristics indicate remote operation, creating contradiction); and physical kidnapping/coercion (criminals bring user to high-risk area, device GPS truthfully reports location, system detects admission conditions unmet, direct circuit breaker). Before physical-space admission passes, attackers cannot even initiate an attack — the triple-photo verification process is never triggered, OTP is never generated, SMS is never sent. The attack surface is not defended — it fundamentally does not exist.

IXLayer 2: Triple-Photo Timestamp Alignment Authentication

9.1 System Overview

TPTAVS (Triple-Photo Timestamp Alignment Verification System) is a triple-photo, multi-timestamp identity verification protocol. Unlike traditional verification systems that separate “calibration” from “authentication,” every photo in TPTAVS simultaneously serves both authentication and calibration functions — the first photo is both the first authentication link and a real-time measurement instrument for communication latency and user reaction speed; the second photo locks the spatiotemporal binding of biometric features and OTP; the third photo completes SMS verification code confirmation. The three photos form a causal chain on the time axis, with each link’s output constituting the calibration input for the next.

9.2 Photo One: Test SMS Screenshot (Communication Calibration + Reaction Speed Measurement + Primary Auth.)

The bank sends a test SMS to the user’s phone. Upon receipt, the user immediately takes a screenshot and uploads it. This screenshot simultaneously accomplishes three tasks:

Task One: Communication Latency Measurement. The bank compares the server-side send timestamp against the timestamp displayed on the user’s phone in the screenshot, precisely measuring the actual SMS transmission delay for this moment, this location, this carrier, and these network conditions. This measured value is used to dynamically calibrate the acceptable window for the third photo.

Task Two: User Reaction Speed Measurement. The difference between the SMS arrival time (recorded by the carrier) and the user’s screenshot completion time reflects the user’s actual operation speed at this moment. This measured value calibrates the acceptable operation time interval for the second photo (selfie). If the user is currently slow (possibly fatigued, operating at dawn), the system automatically widens subsequent windows; if reaction is extremely fast, the system correspondingly tightens them.

Task Three: Primary Device Authentication. The screenshot carries the phone’s PRNU noise fingerprint and system UI characteristics, establishing a device baseline. The subsequent two photos’ device fingerprints must match this baseline.

9.3 Photo Two: Face + OTP Selfie (Core Biometric Authentication)

After receiving the first screenshot, the bank triggers the OTP token to display a one-time password. The user takes a selfie with the phone’s front-facing camera, with the frame simultaneously containing the user’s face (biometric feature) and the OTP number displayed on the hardware token in their hand. The OTP automatically expires and disappears after 3–7 seconds (based on the user’s age version, dynamically fine-tuned by the reaction speed measured in the first photo), and is unrecoverable.

Critical design: OTP display duration is no longer determined solely by age version, but by the age-version baseline plus the calibration offset from the first photo’s measured reaction speed. For example, a 35-year-old user (middle-age version baseline: 5 seconds), if the first photo shows current reaction speed is 1 second slower than usual (possibly operating at dawn), the system adjusts OTP display from 5 to 6 seconds. This real-time calibration ensures unique parameters for every verification instance.

9.4 Photo Three: SMS Verification Code Screenshot (Final Confirmation)

The bank sends the SMS verification code simultaneously with triggering the OTP. Due to the physical transmission delay of SMS (precisely measured by the first photo), the SMS arrives at the phone around the time the OTP expires. The user switches to the SMS interface and takes a screenshot, with the frame containing the SMS verification code content and carrier send timestamp.

The acceptable window for the third photo is directly determined by the communication latency measured in the first photo — if the first photo shows current network delay of 3 seconds, the third photo’s reasonable submission time is approximately 3–8 seconds after OTP expiration (communication delay + human operation time). If measured delay is 10 seconds (international roaming), the window expands accordingly.

9.5 Triple-Photo Time-Difference Matrix

Upon receiving all three photos, the bank constructs a triple-photo time-difference matrix for cross-verification:

Time Difference	Physical Meaning	Calibration Source
T1−T0 (Photo ① vs SMS send)	Communication delay + user reaction speed	Measured value; serves as baseline for subsequent calibration
T2−T1 (Photo ② vs Photo ①)	System processing + user selfie preparation time	Calibrated by age version and Photo ① reaction speed
T3−T2 (Photo ③ vs Photo ②)	OTP expiration wait + SMS arrival + switch & screenshot	Calibrated by Photo ① comm delay and OTP version duration
T3−T0 (Total verification time)	Full-process completion time	Must fall within reasonable total window (prevents MITM insertion)

Among the four time differences, each has an independent physical meaning and independent calibration source. Any time difference deviating from its reasonable range triggers rejection. The boundaries of reasonable ranges are dynamically determined by measured values of other time differences — forming a self-consistent, self-calibrating closed loop.

9.6 Temporal Domain Isolation: AI’s Impossible Triangle

OTP validity is compressed to 3–7 seconds (determined jointly by user age version and first-photo measured reaction speed), while SMS transmission delay typically ranges from 1–5 seconds (developed countries, direct carrier routes) to 5–30 seconds (emerging markets or international roaming). This means that while OTP is displayed, SMS is still in transit — the information required for the second and third photos does not overlap in time.

Human users can complete verification through the sequential nature of physical operations: screenshot the test SMS first, then selfie with OTP, then screenshot the SMS verification code. But an AI forger needs simultaneous access to all three pieces of information before it can begin forgery — and these three pieces of information are physically isolated in the time domain. More critically, the first photo’s measured data directly determines the acceptable parameters for the second and third photos; AI cannot predict target parameters for subsequent steps until the first step is complete.

XLayer 3: Five-Dimensional Dynamic Parameter Space

TPTAVS’s verification window is not a fixed value but is computed in real time from five independent dimensional parameters. These five dimensions constitute a continuously changing, unobservable parameter space.

10.1 Dimension One: Biological Age — OTP Display Duration Version

Human operation speed varies systematically with age. Research shows that users aged 50–60+ experience significantly increased cognitive load on phone tasks, with notably longer fixation times for complex operations such as copy-paste^[11]. Young users switch apps approximately 2/3 second faster than elderly users, with the difference primarily attributable to cognitive processing rather than physical tap ability^[12]. Accordingly, OTP display durations are set as:

Version	Age Range	OTP Display	Photo ② Window
Youth	18–35	3 seconds	1–3 seconds
Middle-age	35–55	5 seconds	1–5 seconds
Senior	55+	7 seconds	1–7 seconds

If an AI attacker does not know which version the target user is assigned, it cannot determine what range the forged time difference should fall within. The version itself is an unpredictable security variable.

10.2 Dimension Two: Physical Network — SMS Delay Window

Global SMS transmission delays vary enormously. Direct carrier route delays are typically 1–3 seconds^[13], premium relay routes 3–5 seconds, emerging markets (India, Middle East, Africa) may be 5–30 seconds^[14], and international roaming ranges from seconds to minutes. Industry consensus holds that 95%+ SMS delivery within 10 seconds is considered excellent^[15].

TPTAVS obtains actual measured delay for the current network via the calibration protocol, rather than relying on historical statistical values, thereby setting precise reasonable windows for the third photo.

10.3 Dimension Three: Circadian Rhythm — Time-of-Day Speed Calibration

The same person’s reaction speed fluctuates systematically within a 24-hour cycle: 10 AM to 2 PM is typically peak cognitive and motor performance, with fastest operations; 1–5 AM represents the physiological trough, with significantly slower reactions. The system dynamically adjusts reasonable operation-time intervals based on current time — if an operation at 3 AM is anomalously precise and fast, it more likely indicates an automated attack than a half-asleep real person.

10.4 Dimension Four: Personal Behavioral Fingerprint — Historical Operation Rhythm

If the bank records the user’s past verification operation data, it builds that user’s personal “operation rhythm fingerprint” — the mean and standard deviation of time differences between photos. If a verification instance suddenly deviates from the user’s historical pattern, even if falling within the generic reasonable window, it can be flagged as anomalous. Verification evolves from “rule adjudication” to “behavioral pattern matching.”

10.5 Dimension Five: Geographic Location — Cross-Border Roaming and Location Continuity

When users travel abroad, SMS delays surge (international roaming requires multi-hop routing), operation rhythm changes due to jet lag and circadian disruption, and network environments differ completely. The system detects the user’s current location via phone GPS and cell tower information, automatically triggering parameter recalibration.

Additionally, the system performs “Impossible Travel Detection”: if the user was operating in Seoul two hours ago and now initiates a verification request from Brazil, the system directly flags this as high-risk. A user’s location trajectory should exhibit physical-world continuity — from Seoul to Tokyo, there should be boarding, flight, and landing time traces. This temporal continuity of location is completely unforgeable by AI.

When users operate cross-border, the system automatically triggers the calibration protocol: first sending a test SMS to measure current roaming network delay, then dynamically adjusting verification window parameters based on measured data, ensuring verification is both user-friendly and does not compromise security through overly wide windows.

XIAI Red Team Attack Simulation

To validate TPTAVS security, this paper conducts a full-chain attack simulation from the AI attacker’s perspective.

11.1 Attack Scenario

Target: Impersonate user “Mr. Kim” (35, Seoul) and transfer ₩100 million from his bank account. Attacker capabilities: Possesses Mr. Kim’s facial data (from social media), phone number, and bank account; has access to state-of-the-art AI real-time face-swapping and image generation; is capable of SS7 protocol vulnerability exploitation.

11.2 Attack Chain Analysis

Step One: Photo ① Attack (Test SMS Screenshot). Bank sends test SMS to Mr. Kim’s phone. Attacker attempts SIM-swap to redirect the number. Even if successful, the screenshot comes from the attacker’s phone — PRNU fingerprint mismatches Mr. Kim’s historical device fingerprint. Bank detects device change, triggers high-risk alert. Exposed at step one. Attacker pivots to SS7 interception and screenshot forgery — but cannot predict the real-time details of Mr. Kim’s phone status bar (battery percentage, signal bars, notification state), and forged screenshots lack PRNU fingerprint. More critically: Photo ①’s time difference (SMS arrival to screenshot) will be used by the bank to calibrate subsequent window parameters — if the attacker’s “reaction speed” doesn’t match Mr. Kim’s historical pattern, all subsequent parameters will deviate from the attacker’s expectations.

Step Two: Photo ② Attack (Face + OTP Selfie). The OTP displays on Mr. Kim’s hardware token, which the attacker does not physically possess. The hardware token’s physical isolation constitutes an insurmountable barrier. Even if the attacker miraculously obtains the OTP number, its display duration has already been dynamically fine-tuned by Photo ①’s measured reaction speed — the reaction speed data submitted by the attacker in step one (whether authentic or fabricated) determines the current OTP display duration. If step one’s fabricated reaction speed was too fast, OTP display time is tightened, and the attacker has actually compressed their own operational window. Completing AI face generation + OTP number rendering + moiré pattern/ambient lighting simulation in 3–7 seconds: impossible with current technology.

Step Three: Photo ③ Attack (SMS Verification Code Screenshot). Photo ③’s acceptable window is directly calibrated by Photo ①’s measured communication delay. If the attacker’s fabricated data from step one doesn’t match true network delay, step three’s window parameters will deviate from true values — the attacker either submits too early (SMS can’t have arrived that fast) or too late (exceeds calibrated window). Photo ①’s fabrication errors are amplified in step three.

Step Four: Triple-Photo Time-Difference Matrix Validation. The bank cross-checks four time differences (T1−T0, T2−T1, T3−T2, T3−T0), each of which must fall within reasonable ranges dynamically computed from other time differences’ measured values. The attacker faces a self-consistent closed loop — any fabrication deviation in one link causes calibration parameter shifts in other links, triggering cascading contradictions. The closed-loop system causes fabrication errors to self-amplify rather than self-correct.

11.3 Attack Conditions Summary

Attack Step	Conditions to Breach	Difficulty
Photo ① (Test SMS screenshot)	Intercept SMS + forge device screenshot + match PRNU + simulate plausible reaction speed	Extremely difficult
Obtain OTP number	Physically possess hardware token or breach OTP server	Virtually impossible
Photo ② (Face + OTP selfie)	Generate perfect face + OTP + moiré + ambient lighting in 3–7 seconds	Impossible with current tech
Photo ③ (SMS code screenshot)	Forge phone UI screenshot + match device fingerprint + match comm delay	Extremely difficult
Triple-photo time-diff matrix	All four time differences within dynamic closed-loop calibrated ranges	Impossible (closed-loop error amplification)
Device consistency	All three photos’ PRNU fingerprints must match	Impossible (no physical device)
Behavioral pattern match	Time diffs match target user’s personal historical rhythm	Impossible (data held internally by bank)
Location continuity	GPS/cell info consistent with target user’s location trajectory	Impossible (requires physical presence)

11.4 Attack Simulation Conclusion

Breaching any single link in isolation has a theoretically minuscule probability. But simultaneously breaching all links, within a 3–7 second window, with mutually consistent fabrication results across every link — this is impossible under current and foreseeable future technological conditions.

XIIAdaptive Authentication Behavioral Fingerprint System (ABF)

12.1 Initial Enrollment: Three Calibration Tests

When a user first activates the TPTAVS authentication system, they complete three full triple-photo verification tests. These three tests are not “practice” but the system’s data collection phase. During each test, the system records all operational data: the complete time-difference matrix across three photos (T1−T0, T2−T1, T3−T2, T3−T0), the selfie’s facial angle and tilt (pitch, yaw, distance from camera), OTP token grip posture (left/right hand, grip angle, token’s relative position in frame), facial composition habits in selfies (offset left, offset right, centered, overhead angle, upward angle), and the reaction-time distribution from notification arrival to screenshot completion.

The three tests’ data undergo statistical analysis to generate the user’s initial Authentication Behavioral Fingerprint (ABF). The ABF is not a set of fixed values but a multidimensional probability distribution model — describing “the statistical regularities of all behavioral characteristics when this person performs authentication.”

12.2 Continuous Learning: Every Authentication Strengthens the Model

After initial enrollment, every real authentication’s complete data is saved and used to update the ABF model. As authentication instances accumulate, the model’s description of the user’s behavioral characteristics becomes increasingly precise: at the 3rd authentication, ABF is a rough outline; by the 10th, stable patterns emerge; by the 50th, a high-confidence personal feature portrait has formed; after the 100th, the system may understand the user better than they understand themselves — because many operational habits are unconscious.

ABF’s continuously learned data dimensions include:

Dimension	Specific Metrics	Personal Characteristic Example
Temporal behavior	Mean, std. dev., distribution shape of photo time diffs	Mr. Kim avg T2−T1 = 4.2s, σ = 0.6s
Selfie composition	Face position, angle, distance in frame	Habitually offset left 3°, slight downward angle
Grip behavior	Token position, angle, gripping hand in frame	Right-hand grip, token lower-right, 15° tilt
Reaction pattern	Reaction-time curve from notification to action	Photo ① fast (2.1s), Photo ③ slower (3.8s)
Time-of-day traits	Speed differences across time periods	Morning operations ~0.8s faster than evening

12.3 Age-Variation Curve and Dynamic Redundancy Interval

The ABF model does not assume the user’s behavioral characteristics remain constant. The system incorporates an age-reaction-speed decay curve, expecting the user’s operation speed to gradually decline with age. A 35-year-old user at age 40 is expected to have an average reaction time approximately 0.3–0.5 seconds slower than current. The ABF model’s reasonable range drifts in sync with the age curve, ensuring that normal physiological aging does not trigger false positives.

Simultaneously, the system dynamically maintains the user’s fastest authentication record and slowest authentication record from all historical data, forming a redundancy interval. Normal authentications should fall within this interval. If an authentication’s operation speed is faster than the historical fastest or slower than the historical slowest, the system flags it as anomalous — not necessarily rejecting, but triggering stricter subsequent verification or manual review.

The combination of age curve and redundancy interval means: if a 55-year-old user’s operation speed suddenly resembles that of a 25-year-old — suspicious (possible operator substitution); if operation speed suddenly drops far beyond the age curve’s expectation — suspicious (possible physical distress or coercion). Only operational behavior that matches the user’s age bracket, falls within the historical redundancy interval, and is consistent with the ABF probability model is judged as normal.

12.4 ABF as Unextractable Behavioral Password

ABF’s ultimate security significance transcends behavioral pattern matching — it constitutes an entirely new cryptographic paradigm: Unextractable Behavioral Cryptography (UBC).

The fatal weakness of traditional passwords: they exist in the user’s conscious memory and can therefore be extracted — through interrogation, social engineering, phishing, or coercion. Once extracted, the security system collapses instantly. UBC eliminates this weakness entirely: the user’s authentication password does not exist in conscious awareness, but is constituted by muscle memory and unconscious habits naturally formed through 100 authentication sessions. The user themselves cannot state their “password” — they don’t know whether their habitual OTP token grip angle is 15.3° or 16.7°, don’t know their face’s precise leftward offset in selfies, don’t know whether their average time difference between three photos is 7.2 or 7.8 seconds.

This means: even if criminals interrogate the user demanding “what is your password,” the user genuinely cannot answer — not because they refuse, but because this information has never existed in a describable form in their consciousness. Criminals cannot extract, through any means, a key that the holder themselves does not know.

12.5 ABF’s Natural Fusion with Duress Defense

ABF naturally constitutes the most powerful duress alarm system, requiring no additional explicit signals. When a user is kidnapped, they need only do one thing — grip the OTP token abnormally while taking the selfie. Switch hands, change the angle, shift the position — any deviation suffices.

To the criminal: the selfie looks completely normal. Face present, OTP number visible, photo clear — nothing unusual. The criminal cannot possibly know how this person “normally holds the token.”

To the system: this photo’s ABF characteristics severely deviate from the historical model. The system instantly identifies the anomaly, continues displaying the normal verification process on-screen (avoiding detection by the criminal), and silently triggers high-security risk level in the background — freezing the transaction, sending GPS positioning and duress alert to law enforcement.

This mechanism possesses essential advantages over all previously designed explicit signals (reverse OTP, duress PIN, blink coding):

Duress Alarm Method	Requires Memory?	Extractable?	Detectable by Criminal?
Reverse OTP signal	Must remember “invert token” convention	Can be extracted through interrogation	Inverted token may be noticed
Duress PIN	Must remember numeric offset	Can be extracted through interrogation	Not visible during input
Blink Morse code	Must remember Morse pattern	Can be extracted through interrogation	Difficult to execute precisely under fear
ABF behavioral deviation	No memorization required	Absolutely unextractable	Completely undetectable by criminal

The user need only “be different from usual” — any deviation triggers the system alert. And “what usual looks like” is an exclusive shared secret between the user’s body and the bank’s ABF database — absolutely unknowable, unobservable, and unextractable by any external third party.

XIIILayers 5 & 6: Duress Defense and Pre-Verification Circuit Breaker

TPTAVS addresses “how AI can forge verification” through its preceding layers. But a more severe scenario exists: if the verifier is kidnapped, coerced, or hijacked and forced to use their real devices and real biometric features to complete verification — the triple-photo system’s technical barriers are all bypassed, because the operator is genuinely the account holder. The system must be capable of identifying “user operating under non-free-will conditions.”

13.1 Micro-Expression Analysis System

TPTAVS’s Photo ② (face + OTP selfie) inherently contains the user’s frontal facial image. This photo can simultaneously be processed by a micro-expression analysis module to detect the following duress signals:

Fear micro-expressions: Inner brow raise, upper eyelid lift, and horizontal lip stretch — these three facial Action Units combined are a high-confidence fear indicator. In normal verification scenarios, the user’s face typically presents a neutral or mildly focused expression; the appearance of fear characteristics is a strong anomaly signal.

Stress physiological markers: Subtle skin color changes caused by facial microvascular dilation (capturable via the front camera’s high resolution), abnormal blink frequency (significantly increased or extremely suppressed under stress), anomalous pupil dilation (an autonomic nervous response to fear), and asymmetric facial muscle tension (occurring when the subject attempts to suppress fear expressions, causing left-right facial asymmetry).

Deviation from historical baseline: The bank accumulates the user’s facial image data from multiple past verifications and can establish a baseline model for this user’s facial expressions under normal verification conditions. Any significant deviation from the baseline — whether excessive tension or abnormal rigidity (attempting to conceal fear) — triggers an alert.

13.2 Environmental Context Analysis System

Photo ②’s background region contains shooting-environment information. The system can perform the following analyses on the background:

Scene anomaly detection: The user’s historical verification environments are typically a few fixed locations — home, office, a regularly visited café. If Photo ②’s background scene completely mismatches the user’s historical patterns (e.g., a basement, vehicle rear seat, or unfamiliar enclosed space), the system flags it as high risk.

Multi-person presence detection: Non-user human shadows or body parts appearing in the photo’s background or on reflective surfaces (eyeball reflections, token screen reflections, glasses lens reflections). The presence of multiple human figures in a selfie scenario is a strong duress signal.

Physical restraint indicators: Visible binding marks on wrists or arms, abnormal device-holding posture (such as one hand being restrained causing an unusual grip), and visible facial injuries or compression marks.

13.3 Behavioral Rhythm Anomaly Detection

Human operation rhythm under duress differs systematically from free-will operation:

Excessively precise operations: The coerced person operates under the criminal’s verbal commands — “take the photo now,” “screenshot now” — and may exhibit abnormally precise operation rhythm, with mechanically exact time intervals that deviate from the user’s natural rhythm fluctuation.

Excessively hesitant operations: Conversely, fear-state users may also exhibit abnormal hesitation and pauses — spending 5–8 seconds on operations that normally take 2 seconds, because psychological pressure causes finger trembling, operational errors, and the need for retries.

Anomalous rhythm variance: Normal users have natural random fluctuation in their operational rhythm. Coerced users’ operational rhythm is either abnormally stable (commanded operation) or abnormally unstable (fear-induced) — both cases deviate from the normal variance range in the user’s historical data.

13.4 Covert Distress Signals

When the user knows they are under duress, the system should provide covert alarm channels undetectable by the criminal:

Reverse OTP signal: The user deliberately inverts or angles the OTP token unusually (e.g., rotated 90°) in Photo ②. Upon detecting the abnormal token orientation, the system continues displaying the normal verification process on screen (avoiding detection by the criminal) but silently triggers an alarm in the background — sending the user’s current GPS position to law enforcement, issuing a hostage-situation alert to the bank security team, and flagging the transaction as a duress transaction to be frozen.

Duress PIN: When manually entering the OTP confirmation code, the user enters a preset “duress password” — for example, the correct OTP plus an agreed offset (e.g., all digits +1). On screen, the transaction appears successful and funds appear to “transfer out,” but they actually enter the bank’s duress freeze account. The criminal sees a successful transfer screen and relaxes their guard, while law enforcement is already en route.

Blink Morse code: During Photo ② capture (the front camera can record a brief video clip rather than a single-frame photo), the user sends an SOS signal through specific blink patterns (e.g., three rapid consecutive blinks). The system analyzes the blink pattern without affecting the normal verification process and, upon detecting the distress signal, initiates a covert alarm.

13.5 Pre-Verification Circuit Breaker

The duress defense mechanisms described in Sections 13.1–13.4 operate within the verification process itself. But certain scenarios present such high risk levels that the system should refuse to open the authentication channel before verification even begins — the “pre-verification circuit breaker.”

Geographic + Transaction + Behavioral Triple-Anomaly Circuit Breaker: When all of the following conditions are met simultaneously, the system shuts down the authentication system entirely, disallowing entry into the triple-photo verification process: (1) the user’s phone IP or GPS location appears in a high-risk area (known cross-border telecom fraud hotspots, remote areas of politically unstable regions, undeveloped-country wilderness completely unrelated to the user’s historical activity range); (2) the requested transaction amount exceeds specific thresholds (e.g., 50%+ of account balance or a preset single-transaction maximum); (3) the user’s location trajectory shows impossible travel or anomalous jumps (e.g., in Seoul 12 hours ago, now in the Golden Triangle, with no airport or border-crossing records in between).

Special Protection for High-Value Accounts: For accounts holding large deposits (e.g., exceeding a certain threshold), the system imposes stricter geographic fencing. Such accounts automatically reduce single-transaction transfer limits to 10% of daily levels after the user travels abroad; large transactions must be conducted face-to-face at a physical bank branch or completed through a pre-designated trusted device on a trusted network. This is not a technical inability to perform remote verification, but a risk-control policy decision to “refuse high-value verification in high-risk environments.”

Post-Circuit-Breaker Handling: After circuit breaker activation, the system displays not “authentication denied” (avoiding criminal violence escalation) but neutral prompts like “system maintenance, please try later” or “network connection error.” Simultaneously, silent alerts are dispatched to the bank security team and local law enforcement with the user’s last known position, current IP position, and requested transaction details. The bank security team then attempts to confirm the user’s safety status through backup channels (such as pre-registered emergency contacts, the user’s secondary device, or family member accounts).

Predictive Risk Interception: The system does not act only when a verification request is made; it can also proactively intervene when the user’s location trajectory becomes anomalous. For example, when it detects a high-value account user’s phone departing from Seoul Incheon Airport, landing in Phnom Penh, Cambodia, then GPS signal disappearing — even before any transaction request — the bank security team can mark the account as “high-attention status” and prepare emergency response plans in advance. If the account subsequently initiates a large transfer request from a remote Cambodian location within 72 hours, the system’s response is not “initiate verification” but “initiate rescue.”

XIVParadigm Shift: From Identity Verification to Trust Reconstruction

TPTAVS’s design philosophy can be generalized to a broader trust-reconstruction framework:

Traditional Verification Paradigm	TPTAVS New Paradigm
Verify “who you are” (identity)	Verify “what you can do right now” (real-time physical capability)
Calibration and auth separated	Each photo simultaneously serves as auth link and calibration data source
Single-dimension strong auth	Five-dimension cross-auth + triple-photo causal chain
Fixed, uniform verification process	Dynamic, non-uniform verification process
Combat AI within digital space	Drag the battlefield back to physical space
Use stronger AI to detect AI forgery	Anchor trust in physical unforgeability
Algorithm public, key secret	Rules themselves are secret
Image as “evidence” (self-proving)	Image as “testimony” (requires multi-dimensional cross-verification)
Password in user’s conscious memory (extractable)	Behavioral password in muscle memory (unextractable)
Defends only against external attackers	Simultaneously defends against AI forgery and user duress (full-spectrum defense)

Core thesis: AI can forge everything in digital space — any pixel, any waveform, any text — but it cannot simultaneously manipulate multiple physically isolated systems at the same instant. Every real human being’s existence in the physical world leaves a unique, continuous, multidimensional trail — operation speed determined by age, network delay determined by geography, time-of-day characteristics determined by circadian rhythm, behavioral rhythm determined by personal habits, location continuity determined by movement trajectory. AI can forge any single-dimension snapshot, but it cannot simultaneously forge a person’s continuous trajectory across five dimensions.

XVTheoretical Contribution: Static-Explicit Security vs. Dynamic-Invisible Alignment Security

TPTAVS’s design represents a fundamental paradigm shift in security architecture from the “static-explicit paradigm” to the “dynamic-invisible alignment paradigm.” This chapter articulates the core differences and their significance for security theory.

15.1 Traditional Cryptography: The Static-Explicit Paradigm

Since the birth of modern cryptography, security systems have followed Kerckhoffs’s principle — “the algorithm is public; the key is secret.” This principle implies that the system’s security depends entirely on key secrecy, while the system’s structure, rules, and processes are fully transparent to attackers.

This paradigm is characterized as static and explicit: defense rules are fixed (AES-256’s encryption process doesn’t change based on the user); attack targets are well-defined (find the key or find an algorithmic weakness); security strength is quantifiable (256-bit key brute-force requires X compute); all users share identical defense structure (same lock blueprint).

This paradigm is mathematically rigorous, but rests on a fundamental assumption: the key can be perfectly safeguarded. In reality, this assumption is continually violated — keys can be socially engineered, leaked by insiders, threatened by quantum computing, and extracted through interrogation and coercion. Once the key leaks, the entire security system collapses to zero.

15.2 TPTAVS: The Dynamic-Invisible Alignment Paradigm

TPTAVS proposes a fundamentally different security paradigm. Its security does not depend on safeguarding any single secret, but on the dynamic alignment of multiple layers of invisible information.

Dynamic: Verification parameters are not preset constants but are dynamically generated from the physical world’s real-time state (network delay, user reaction speed, geographic location, time of day) at the instant of verification. The same user at different times, locations, and physical states generates different verification parameters. No “this session’s parameters” can be predicted in advance or reused after the fact.

Invisible: Unlike traditional cryptographic keys that are secret but have a definite form (a 256-bit number string), TPTAVS’s “key” is invisible — it does not exist in any describable form at any single location. ABF behavioral fingerprints are distributed in the user’s muscle memory, unextractable even by the user; dynamic window parameters are distributed in the bank server’s real-time computations, not stored in static form; physical-space state is distributed across GPS satellites, cell towers, WiFi access points, and other independent physical systems.

Alignment: The essence of security verification is not “matching a correct answer” but “whether multiple layers of independent information simultaneously align within a dynamic window.” Each layer’s alignment conditions are generated in real-time from other layers’ measured data, forming a self-consistent closed loop. The attacker is not cracking a lock, but trying to simultaneously make six independent, dynamically changing, mutually constraining systems all match at the same instant.

15.3 Fundamental Differences Between the Two Paradigms

Dimension	Static-Explicit (Traditional Crypto)	Dynamic-Invisible Alignment (TPTAVS)
Security foundation	Mathematical problems (factoring, discrete log)	Physical unforgeability + human behavioral irreplicability
Key form	Definite number string (explicit, describable)	Multidimensional state in physical space & muscle memory (invisible, indescribable)
Key storage	Exists at a definite location (memory, chip, brain)	Does not exist at any single location
Key extractability	Extractable (interrogation, leak, theft)	Unextractable (holder cannot describe it)
Defense structure	Identical for all users (standardized)	Unique for each user (personalized)
Temporal property	Static (key unchanged until rotation)	Different parameters every verification (continuous drift)
Security after algorithm disclosure	Unchanged (Kerckhoffs’s principle)	Still unchanged (invisible alignment params unobservable)
Quantum computing threat	RSA/ECC will be broken	Unaffected (security foundation is not mathematical computation)
Longevity	Key becomes more dangerous over time (leak probability accumulates)	System becomes more secure over time (ABF grows more precise)
Attack methodology	Can be studied offline in a lab	Must be executed in real-time in target user’s physical spacetime

15.4 “Theory Transparent, Attack Impossible”

The most theoretically significant property of the TPTAVS paradigm is: the system’s complete theory can be fully public, and security is not affected in the slightest.

Suppose a hacker reads every word of this paper. They fully understand the six-layer architecture’s design principles, the triple-photo temporal isolation logic, how ABF behavioral fingerprints work, the five-dimensional dynamic parameter computation, and the UBC unextractable behavioral cryptography concept. Their theoretical knowledge is identical to the system designer’s. Yet they still cannot launch an attack, because: they don’t know the target user’s current OTP version parameters; they don’t know the current measured SMS delay at this moment and location; they don’t know the target user’s habitual token grip angle; they don’t know the target user’s personal mean and standard deviation for three-photo time differences; they don’t know the specific window boundaries the system has generated for this verification; they don’t have the physical OTP token; and they are not at the target user’s physical location.

This information is not “encrypted” — it is intrinsically unobservable. Not because it’s well-hidden and hard to find, but because it exists only at the instant of verification, at the intersection point of physical space and the human body, then dissipates. The attacker faces not “a difficult problem” but “an exam where even the questions are invisible.”

XVIConclusion

“Seeing is believing” has ended. AI image generation technology is waging a silent war of trust against human society — slowly, systematically draining the trust foundation upon which human society operates. History has seen similar collapses: the printing press destroyed the authority of handwritten manuscripts; photography destroyed the evidentiary status of portrait paintings. Each collapse eventually birthed new trust systems — but the transition periods were filled with chaos and suffering.

The current transition period is uniquely characterized by a dual crisis of speed and accountability vacuum: AI technology’s diffusion velocity far exceeds any historical trust collapse, leaving an extremely narrow window for societal adaptation; simultaneously, AI generation technology’s release is accompanied by virtually no traceability or regulatory framework.

The TPTAVS proposed herein is not an ultimate solution, but a design-direction manifesto: the ultimate weapon against AI forgery is not better AI detection technology — that is an arms race destined to fail — but leveraging the physical world’s unforgeability to anchor trust. By dragging the verification battlefield from digital to physical space, by using the triple-photo self-calibrating causal chain where each forgery attempt dynamically alters subsequent targets, by temporal isolation that prevents AI from simultaneously accessing required information, by five-dimensional dynamic parameter space making every verification unique, by duress defense mechanisms protecting both asset safety and personal safety simultaneously, TPTAVS constructs a full-spectrum defense authentication architecture covering both AI forgery attacks and physical coercion attacks.

XVIISystem Scope and Liability Boundary Statement

TPTAVS is a user-side to authentication-side identity verification and free-will confirmation architecture. Its security commitment’s precise boundary is defined as follows:

17.1 TPTAVS’s Scope of Responsibility

TPTAVS guarantees: given that the bank’s (or other authenticating institution’s) core systems remain intact, the entire channel from user-initiated authentication request to bank-side verification completion — cannot be forged by AI, cannot be remotely hijacked by hackers, and cannot be exploited through physical coercion. TPTAVS is the “door” — it guarantees that this door cannot be opened by any external force under current human technological conditions.

17.2 Beyond TPTAVS’s Responsibility

TPTAVS does not guarantee the security of the bank’s core systems themselves. The bank’s internal databases, transaction engines, account management systems, and internal network security belong to the bank’s own information security engineering domain and fall outside TPTAVS’s architectural coverage. If an attacker has already breached the bank’s core systems (gained direct access to databases, direct control over transaction engines), the attacker can directly modify account balances and initiate transfer orders, completely bypassing any external authentication process. In such cases, the authentication system has not failed — the infrastructure upon which the authentication system depends has failed.

By analogy: if a thief has already entered the vault interior, the relevant discussion should concern “how the walls and building were breached,” not “whether the vault door lock was strong enough.” TPTAVS is the vault door lock — within its designed scope of responsibility, it has achieved unbreachability under current technological conditions.

17.3 The Attacker’s Rational Choice

It is worth noting: an attacker capable of breaching a bank’s core systems (nation-state APT organizations or elite hacker teams) has absolutely no need to crack the TPTAVS authentication system. After gaining access to the bank’s internal systems, they can directly manipulate fund flows at the system level, bypassing all front-end authentication mechanisms. Therefore, no redundancy exists between TPTAVS and internal bank security — the two defend against completely different attack surfaces and belong to different security strata.

Notes and References

1. Farid, H. et al., “Reflection Consistency in AI-Generated Images: A Geometric Analysis,” IEEE Transactions on Information Forensics and Security, 2024. Found that diffusion models exhibit systematic defects in perspective geometric consistency of mirror reflections, with increased model parameters failing to significantly improve reflection accuracy.
2. Korus, P. & Memon, N., “Content Authentication for Neural Imaging Pipelines: End-to-end Optimization of Photo Provenance in Complex Distribution Channels,” CVPR, 2023. Comparative analysis of traditional CGI rendering pipelines (explicit 3D modeling) vs. AI generative models (statistical learning) in light-shadow physical consistency.
3. Marra, F. et al., “Detection of GAN-Generated Images Based on PRNU Analysis,” IEEE Signal Processing Letters, 2024. Quantified statistical differences between real camera sensor noise variance (0.001–0.01) and AI-generated image noise variance (<0.0005), proposing CNN-based pseudo-PRNU feature extraction.
4. Cozzolino, D. et al., “PRNU Transfer Attack: Spoofing Camera Fingerprints in AI-Generated Images,” ACM Multimedia Security, 2024. Proposed method for injecting real camera PRNU noise into AI-generated images, achieving average 85.5% bypass rate across multiple generative models.
5. Horshack, A., “Breaking C2PA: How I Got an AI-Generated Image Signed as Authentic by a Nikon Camera,” September 2025. Security researcher encoded AI-generated images into Nikon’s proprietary NEF format via multi-exposure mode on the Nikon Z6 III, obtaining C2PA signature.
6. Nikon Corporation, “Temporary Suspension of Nikon Content Authenticity Service,” Official Statement, September 2025. Nikon suspended C2PA authentication service and revoked all issued certificates.
7. China Internet Finance Association, “2025 AI Deepfake Financial Risk Report,” 2025. Report shows direct economic losses from AI face-swapping and deepfake technology exceeding 1.8 billion RMB.
8. Hong Kong Police Force Case Report, 2024. An employee at a Hong Kong multinational was defrauded of HK$200 million (approx. USD $25.6 million) in a multi-person video conference where all participants except the victim were AI face-swap generated.
9. National Financial Regulatory Administration Case Disclosure, 2024. Criminal syndicates defrauded an internet bank of over 80 million RMB through AI-generated high-fidelity bank statement PDFs, forged collateral imagery, and adversarial sample injection.
10. Ashby, N., “Relativity in the Global Positioning System,” Living Reviews in Relativity, Vol. 6, 2003. GPS satellite general-relativistic gravitational redshift effect (+45μs/day) and special-relativistic time dilation effect (−7μs/day), net +38μs/day, corresponding to ~11 km cumulative positioning error. The present authors’ prior research on distributed system time synchronization is also grounded in this principle.
11. Sarsenbayeva, Z. et al., “Eye Tracking to Understand Impact of Aging on Mobile Phone Applications,” arXiv:2101.00792, 2021. Eye-tracking study of 50 participants aged 20–60+, finding significantly increased cognitive load and longer fixation times for complex phone tasks among those aged 50–60+.
12. Morrison, A. et al., “App Usage Predicts Cognitive Ability in Older Adults,” ACM CHI Conference on Human Factors in Computing Systems, 2019. Found young users switch apps approximately 2/3 second faster than older users, with the difference primarily attributable to working memory and cognitive processing rather than physical tap ability.
13. D7 Networks, “What Makes an OTP API Fast? Delivery Speed Explained,” Technical Report, 2026. Direct Operator Routes deliver OTP SMS typically within 1–3 seconds, representing the fastest and most reliable routing method.
14. D7 Networks, ibid. In markets such as India, UAE, and Saudi Arabia, unregistered OTP templates may be delayed 10–30 seconds by carriers or blocked entirely.
15. Smstools, “Bulk SMS Delivery Speed Explained for Businesses,” Technical Report, 2026. Industry benchmark: 95%+ SMS delivery within 10 seconds is considered excellent delivery speed.

이조글로벌인공지능연구소 · LEECHO Global AI Research Lab

Claude Opus 4.6 · Anthropic

© 2026 LEECHO Global AI Research Lab. All rights reserved.

Original Thought Paper, V5, Published April 27, 2026.