Developer Qualification Brief - POY Verify

Section 01

What This Project Is

POY Verify is a privacy-first human verification platform. It proves users are real humans online without collecting or storing personal data. Think of it as a universal "verified human" badge that works across every platform on the internet.

Current state: MVP live at poyverify.com with 10,000+ pages, 38 API endpoints, 37 serverless functions, 11 database tables, working biometric verification flow, content stamping system, and admin dashboard.

Where it needs to go: Native mobile apps, enterprise SDK, hardware Secure Enclave integration, voice biometrics, real-time APIs, browser extension, Coercion Resistance Protocol (CRP) for defense/enterprise, consent-based age verification, and scale to millions of users across every industry.

Defense / Enterprise Moat

POY Verify includes a 5-layer Coercion Resistance Protocol (CRP) - the only biometric platform with explicit anti-coercion architecture. This is a defensible moat in defense MRO, CMMC 2.0, and enterprise zero-trust procurement contexts.

Section 02

Current Tech Stack

Layer	Technology	Details
Frontend	Vanilla HTML/CSS/JS	10,000+ static pages, no framework
Hosting	Netlify	Static site + 37 serverless functions
Backend	Netlify Functions (Node.js)	Serverless, ~5,000 lines of backend code
Database	Supabase (PostgreSQL)	11 tables, REST API access
Biometrics	MediaPipe FaceLandmarker	Client-side, 468-point facial landmarks
Cryptography	Web Crypto API + Node crypto	SHA-256, HMAC-SHA256, ECDSA P-256, WebAuthn
Payments	Whop.com	Webhook-based subscription billing
Email	Resend	Transactional emails and notifications
Auth	API keys + WebAuthn/FIDO2 passkeys	Tiered access (free/creator/platform/enterprise)
Threat Intel	HIBP, NVD, RSS feeds	7 external data sources aggregated
SEO	Programmatic generation	seo-template.js generates thousands of pages

Section 03

What We Handle

The dev team does not need to worry about these areas - Mark handles them directly:

✓

SEO Strategy - Programmatic SEO, keyword research, page generation, indexing

✓

Content Marketing - Blog posts, case studies, landing pages, copywriting

✓

Visual Design - UI/UX design direction, brand identity, page layouts

✓

Marketing Ops - Email campaigns, social media, growth strategy, analytics

✓

Business Development - Partnerships, sales, enterprise outreach, pricing

✓

Product Direction - Roadmap priorities, feature scoping, market positioning

Section 04

Required Skills - Tier 1: Must Have

Biometric Engineering

Experience with facial landmark detection (MediaPipe, OpenCV, Dlib, or equivalent)
Understanding of liveness detection (blink, nod, micro-movement, depth sensing)
Knowledge of presentation attack detection (PAD) - defeating photos, video replays, deepfakes, 3D masks
Experience with on-device biometric processing (not server-side)
Understanding of biometric template protection (hashing, encryption, cancellable biometrics)

Questions to Ask

"Walk me through how you would detect a deepfake video attack against a liveness check."
"What is the difference between 2D liveness and 3D depth-based liveness? Which have you built?"
"How do you handle presentation attacks from injected camera feeds (virtual cameras)?"

Cryptography & Security

SHA-256 hashing and HMAC-SHA256 signatures
ECDSA (Elliptic Curve Digital Signature Algorithm) - specifically P-256 curve
WebAuthn/FIDO2 passkey implementation (registration + authentication flows)
Public key infrastructure (PKI) concepts
HD key derivation (BIP-32 style hierarchical deterministic keys)
Zero-knowledge proof concepts (not necessarily ZK-SNARKs, but the principle)
Secure Enclave / TEE programming (Apple Secure Enclave, Google Titan M2, Samsung Knox, ARM TrustZone)

Questions to Ask

"Explain how you would generate unlinkable platform-specific keys from a single master credential using HD key derivation."
"What is the difference between signing data in the Secure Enclave vs signing in userspace? Why does it matter?"
"How would you implement WebAuthn cross-device authentication (phone as authenticator for desktop)?"

Mobile Development (iOS + Android)

Swift/SwiftUI for iOS native development
Kotlin/Jetpack Compose for Android native development
OR React Native / Flutter with native module bridging for biometric APIs
Camera access and real-time video frame processing on mobile
iOS Secure Enclave API (SecKey, kSecAttrTokenIDSecureEnclave)
Android StrongBox / Titan M2 Keystore API
Biometric authentication APIs (FaceID, TouchID, Android BiometricPrompt)
App Store / Play Store submission experience

Questions to Ask

"Have you shipped a production app that accesses the Secure Enclave for key generation? Which platform?"
"How do you handle real-time camera frame processing at 30fps on a mid-range Android device without dropping frames?"
"What is your experience with biometric prompt APIs on both platforms?"

Backend / API Development

Node.js (current backend is 100% Node)
RESTful API design and implementation
PostgreSQL (Supabase uses Postgres)
Rate limiting, API key management, tiered access control
Webhook signature verification (HMAC-based)
Serverless architecture (Netlify Functions, AWS Lambda, or Vercel)
Database schema design for multi-tenant SaaS

Questions to Ask

"How would you design rate limiting for an API that handles 50,000 requests per minute at the enterprise tier?"
"Explain how you would migrate from Netlify Functions to a dedicated backend while maintaining API compatibility."
"How do you handle database connection pooling in a serverless environment?"

Privacy & Compliance Architecture

GDPR compliance (data minimization, right to erasure, lawful basis)
BIPA (Illinois Biometric Information Privacy Act) - biometric data handling
CCPA/CPRA (California privacy law)
HIPAA awareness (for healthcare vertical)
Understanding of data residency requirements (EU, UK, Australia, Brazil)
Privacy by design / privacy by architecture principles

Questions to Ask

"How do you build a biometric verification system that is GDPR-compliant without a data processing agreement?"
"What is the difference between 'privacy by design' and 'privacy by architecture'? Give an example."
"If a user requests data deletion under GDPR, what do you delete when you only store a SHA-256 hash?"

Coercion Resistance Protocol (CRP) - 5-Layer Anti-Duress Architecture

This is POY Verify's defensible moat. No other biometric platform has explicit coercion resistance. The dev team must understand and build a system that detects when a legitimate user is being forced to authenticate under duress.

Remote Photoplethysmography (rPPG) - extracting heart rate from facial video via skin color oscillations
Signal processing fundamentals - bandpass filtering (0.7-3.5 Hz cardiac range), ROI extraction from video frames
Micro-expression analysis - involuntary facial expressions (fear, distress) in 40-500ms windows
CNN training on micro-expression datasets (SAMM, CASME II)
Saccadic eye movement analysis - iris tracking, saccade velocity, fixation duration, blink rate patterns
WASM compilation of ML models for client-side inference (TensorFlow.js, ONNX Runtime Web)
Honeypot/decoy session architecture - parallel shadow environments with plausible fake data
Multi-party authorization flows (Two-Person Integrity rules)
Behavioral anomaly scoring (location, time, device, velocity, sequence, frequency signals)
Session continuity verification with randomized re-authentication intervals

The 5 CRP Layers

Physiological Stress Detection - rPPG heart rate monitoring, micro-expression classification, saccadic eye analysis. All client-side WASM. Produces a Composite Stress Score (CSS).

Duress Code System - User-enrolled silent distress gestures (blink patterns, gaze holds, micro-gestures). Auth appears to succeed while silently alerting command authority.

Multi-Party Authorization - Two-Person Integrity (TPI) for high-sensitivity actions. Two independently verified, CRP-clean users required within a time window.

Contextual Intelligence - Location, time, device, velocity, sequence, and frequency anomaly scoring combined with CSS into a CRP Risk Score.

Dead Man's Switch - Randomized re-verification check-ins (4-18 minute intervals) during active high-sensitivity sessions. Missed or failed check-in = session void + alert.

CRP Risk Score Tiers

0.00 - 0.29PASS

0.30 - 0.49WATCH

0.50 - 0.69ALERT

0.70+HONEYPOT

Questions to Ask

"What is remote photoplethysmography and how would you extract a cardiac signal from a standard webcam feed?"
"How would you build a honeypot session that is indistinguishable from a real session to an attacker watching over the user's shoulder?"
"Design a Two-Person Integrity system where neither user can authorize on behalf of the other and simultaneous coercion on the same device is prevented."
"How do you detect impossible travel velocity between two authentication events?"

Zero biometric transmission. All physiological analysis (rPPG, micro-expressions, eye tracking) runs client-side via WASM. Only event metadata (scores, flags, timestamps, hashed IDs) is transmitted. This is non-negotiable.

Age Verification (Consent-Based, Not Estimation)

POY Verify will offer consent-based age threshold verification - NOT age guessing/estimation. This distinction is legally critical.

Understanding of COPPA (Children's Online Privacy Protection Act) compliance requirements
Knowledge of state biometric privacy laws (BIPA, CCPA, Texas, Virginia) as they apply to age signals
First Amendment implications of age verification for content access
Consent-based verification flow design (the output is "user confirmed above threshold" not "user is X years old")
Document-backed age confirmation methods (ID scanning, database verification)
Understanding of disparate impact risks in facial age estimation (demographic bias in ML models)
Appeal/correction mechanism design for incorrect age determinations

Legal Boundaries the Team Must Understand

Age ESTIMATION (guessing from face) = high legal risk, technically inaccurate (+/- 5-7 years), discriminatory in practice, BIPA/GDPR exposure

Age VERIFICATION (consent-based threshold confirmation) = low legal risk, defensible, in-demand for COPPA/platform compliance

POY builds verification, NOT estimation. The dev team must understand why.

Questions to Ask

"What is the difference between age estimation and age verification from a legal perspective?"
"How would you build an age confirmation system that is BIPA-compliant and does not store biometric identifiers?"
"A user is incorrectly denied access due to age verification. What appeal mechanism would you design?"

Section 05

Required Skills - Tier 2: Strongly Preferred

Voice Biometrics

Speaker recognition / voice print technology
Voice anti-spoofing (detecting cloned voices from ElevenLabs, etc.)
Audio signal processing (spectrograms, MFCCs, formant analysis)
Experience with voice biometric SDKs or custom models

Device Fingerprinting

Hardware-based device identification
Browser fingerprinting techniques and limitations
Device attestation (Android SafetyNet/Play Integrity, Apple DeviceCheck/App Attest)
Fraud detection from device signals

SDK Development

Building and publishing npm packages (JavaScript/TypeScript SDK)
Building and publishing PyPI packages (Python SDK)
API client library design patterns
SDK documentation and developer experience (DX)
Versioning, backwards compatibility, deprecation strategies

Content Authenticity / Provenance

C2PA (Coalition for Content Provenance and Authenticity) standard
EXIF/XMP metadata manipulation for images
MP4 metadata atoms for video
Digital watermarking (steganographic methods)
Content hashing and tamper detection

Real-Time Systems

WebSocket implementation for real-time trust score updates
Server-Sent Events (SSE) for live data feeds
Event-driven architecture
Pub/sub messaging (Redis, NATS, or equivalent)

Section 06

Required Skills - Tier 3: Nice to Have

Machine Learning / AI

Deepfake detection models
Anomaly detection for fraud signals
Model deployment (TensorFlow Lite, ONNX, Core ML)
On-device ML inference

Browser Extension Development

Chrome Extension Manifest V3
Firefox WebExtension API
Content script injection and page analysis
Extension store publishing

Blockchain / Web3

Decentralized identity (DID) standards
Verifiable credentials (W3C VC)
Smart contract basics (for potential future on-chain verification proofs)

Section 07

Architecture Decisions

The dev team should have informed opinions on these questions:

Native vs cross-platform mobile

Should we build native iOS/Android or use React Native/Flutter? Secure Enclave access is critical - can cross-platform frameworks access it reliably?

Serverless vs dedicated backend

Current stack is Netlify Functions. At what scale do we migrate to a dedicated backend (ECS, Kubernetes, Railway)? What triggers that decision?

Database scaling

Supabase PostgreSQL works now. At what user count do we need connection pooling, read replicas, or a different database architecture?

Biometric model hosting

MediaPipe runs client-side. Should we build custom liveness models? Where do we host inference - on-device only, or hybrid with server-side validation?

Multi-region deployment

Users in the EU need data processed in the EU. How do we architect multi-region without duplicating infrastructure?

SDK distribution

We need SDKs in JavaScript, Python, Go, Swift, Kotlin, and Rust. Build from scratch or auto-generate from an OpenAPI spec?

Trust score computation

Currently computed at query time. At scale, should trust scores be pre-computed and cached? What invalidation strategy?

Content stamp storage

Currently in Supabase. At millions of stamps, do we need a purpose-built content-addressable store or blockchain-anchored timestamps?

CRP physiological model accuracy

rPPG heart rate estimation from webcam has inherent noise. What confidence threshold do we need before acting on a stress signal? How do we handle false positives (user had coffee, just exercised, is naturally anxious)?

Honeypot data generation

Shadow environments need plausible fake data. Do we generate synthetic data at deployment time, maintain it manually, or use an AI pipeline to keep decoy records realistic?

CRP deployment tiers

Not every customer needs 5 layers. How do we architect CRP as modular layers that can be enabled/disabled per deployment without forking the codebase?

Age verification method selection

Document-based (ID scan) vs database verification vs biometric-adjacent signals. Which methods do we support, and how do we handle jurisdictions where ID scanning triggers biometric privacy laws?

CMMC 2.0 audit trail format

Defense contracts require specific non-repudiation evidence formats. Do we build a generic audit export or target CMMC 2.0 specifically from the start?

Section 08

Roadmap

Phase 1: Mobile MVP Months 1-3

Native iOS app with Secure Enclave integration
Native Android app with Titan M2/StrongBox integration
Real biometric liveness with 3D depth sensing
QR-code bridge for desktop-to-mobile verification
Push notifications for verification alerts

Phase 2: Enterprise SDK Months 3-5

JavaScript SDK (@poyverify/sdk) published to npm
Python SDK (poyverify) published to PyPI
Webhook system for real-time verification events
Embeddable verification widget (iframe + web component)
Admin dashboard for enterprise customers
Multi-tenant API key management

Phase 3: Multi-Signal Expansion Months 5-7

Voice biometric verification (anti-clone protected)
Device attestation integration (Play Integrity, App Attest)
Social account OAuth verification (Twitter, LinkedIn, GitHub)
Phone verification via SMS (Twilio or equivalent)
Email verification with branded templates

Phase 4: Content Stamping at Scale Months 7-9

C2PA metadata integration
Bulk stamping API for enterprise content pipelines
Browser extension for automatic content verification
Creator dashboard with stamp analytics
Revocation and dispute resolution system

Phase 5: CRP Foundation Months 9-11

rPPG heart rate extraction engine (client-side WASM)
Baseline enrollment flow (3-session average across separate days)
Micro-expression CNN model (trained on SAMM/CASME II, quantized for WASM)
Saccadic eye movement baseline and deviation scoring
Composite Stress Score (CSS) computation and admin visibility
crp_events and crp_duress_events database tables

Phase 6: CRP Duress & Multi-Party Months 11-13

Silent duress gesture enrollment and detection
Honeypot session architecture with shadow data
Command authority alert dispatch (Resend + webhooks)
Two-Person Integrity (TPI) authorization flow
Action sensitivity tier configuration (Standard/Elevated/High/Critical)
Consent-based age threshold verification module

Phase 7: CRP Context Engine & Defense Tier Months 13-15

Context Anomaly Engine (6-signal scoring: location, time, device, velocity, sequence, frequency)
CRP Risk Score computation (CSS + CAS weighted composite)
Dead Man's Switch - randomized session re-verification
Tamper-evident audit log export (CMMC 2.0 non-repudiation format)
Full CRP deployment for defense MRO pilot customers

Phase 8: Platform Scaling Months 15-18

Multi-region deployment (US, EU, APAC)
Real-time WebSocket API for live trust scores
Advanced fraud detection (ML-based anomaly detection)
SOC 2 Type II certification preparation
FIDO Alliance certification for biometric verification

Section 09

Interview Scorecard

Category	Weight	Score (1-5)	Notes
Biometric engineering	20%
CRP / physiological signal processing	15%
Cryptography & security	15%
Mobile development (iOS/Android)	15%
Backend/API architecture	10%
Privacy/compliance/age verification	10%
ML model development (WASM/on-device)	5%
SDK/developer experience	5%
Communication & documentation	5%
Weighted Total	100%

Minimum passing score: 3.5 weighted average | Strong hire threshold: 4.0+ weighted average

Section 10

Red Flags (Immediate Disqualifiers)

✗Cannot explain the difference between hashing and encryption

✗Has never worked with biometric data or liveness detection

✗Suggests storing raw biometric data on a server

✗No experience with mobile Secure Enclave / hardware security

✗Cannot articulate GDPR implications for biometric processing

✗Has never built or consumed a production API

✗Suggests using blockchain as the primary database

✗Cannot explain WebAuthn at a conceptual level

✗Proposes transmitting video frames or physiological signals to a server (violates zero-transmission constraint)

✗Does not understand the difference between age estimation and age verification

✗Has no concept of coercion/duress in authentication contexts

✗Suggests facial age guessing as a primary age verification method

Green Flags (Strong Positive Signals)

✓Has shipped a biometric authentication feature to production

✓Has worked with FIDO2/WebAuthn in a real product

✓Has experience with privacy-by-design architecture

✓Has published SDKs or developer tools

✓Has worked in identity verification, security, or fintech

✓Understands the difference between liveness detection levels (ISO 30107)

✓Can discuss C2PA, content provenance, or digital watermarking

✓Has opinions on the Worldcoin/World ID approach and its trade-offs

✓Has experience with signal processing, rPPG, or physiological computing

✓Has worked with WASM-compiled ML models running in-browser

✓Has built multi-party authorization or approval workflows

✓Understands CMMC 2.0 or has worked in defense/government tech

✓Can articulate why age estimation is legally different from age verification

✓Has experience with honeypot/decoy systems in security contexts

✓Mentions ISO 30107 (PAD testing) or NIST SP 800-63 without prompting

Section 11

Technical Assessment

Option A

Take-Home (4-6 hours)

Build a minimal liveness detection flow:

Access device camera
Detect a face using any library
Implement one liveness challenge (blink detection)
Hash the result with SHA-256
Store the hash via a REST API
Provide a verification endpoint that checks the hash

Evaluate: code quality, security awareness, error handling, documentation.

Option B

Live Coding (90 minutes)

(30 min) Implement WebAuthn passkey registration and authentication
(30 min) Design a trust scoring API with tiered rate limiting
(30 min) Architecture whiteboard: how would you build multi-device verification where a phone authenticates a desktop session?

Option C

CRP-Specific Assessment (For senior/specialized candidates)

(30 min) Design a system that extracts heart rate from webcam video using rPPG. What ROIs do you use? What filtering? What frame rate?
(30 min) Whiteboard the duress code system. User enrolls a blink pattern. How do you store it securely? How do you detect it during auth without false positives? What happens on detection?
(30 min) Design the honeypot session architecture. How do you generate plausible fake data? How do you prevent the attacker from detecting they are in a decoy environment? How do you log their actions forensically?

Section 12

Team Structure Recommendation

Minimum Viable (4 people)

1 Full-stack engineer (Node.js + React Native, leads backend + mobile)
1 Biometric/ML engineer (liveness detection, rPPG, micro-expressions, voice biometrics)
1 Security/crypto engineer (Secure Enclave, WebAuthn, PKI, CRP architecture)
1 Frontend/WASM engineer (client-side ML inference, signal processing, camera APIs)

Ideal Team (7-8 people)

1 iOS engineer (Swift, Secure Enclave, Core ML, camera frame processing)
1 Android engineer (Kotlin, StrongBox, TensorFlow Lite, camera frame processing)
1 Backend engineer (Node.js/Python, PostgreSQL, API design, webhook systems)
1 Biometric/ML engineer (rPPG, micro-expressions, eye tracking, voice biometrics, deepfake detection)
1 Security/CRP architect (cryptography, coercion resistance, honeypot systems, compliance)
1 Frontend/WASM engineer (TensorFlow.js, ONNX Runtime Web, real-time signal processing)
1 DevOps/SRE (CI/CD, multi-region, monitoring, SOC 2, CMMC 2.0 audit)
1 QA/Security tester (penetration testing, PAD testing, CRP red teaming)

Section 13

CRP Competitive Matrix

No other platform has this. This is what wins defense contracts.

Capability	Face ID	Worldcoin	Veriff	POYVerify CRP
Hardware-free auth	NO	NO	YES	YES
No biometric data transmitted	PARTIAL	NO	NO	YES
Physiological stress detection	NO	NO	NO	YES
Silent duress trigger	NO	NO	NO	YES
Honeypot session routing	NO	NO	NO	YES
Multi-party authorization	NO	NO	NO	YES
Context anomaly scoring	NO	NO	PARTIAL	YES
Dead man's switch re-verification	NO	NO	NO	YES
CMMC 2.0 non-repudiation	NO	NO	PARTIAL	YES
Consent-based age verification	NO	NO	PARTIAL	YES

Section 14

CRP Database Schema (New Tables)

crp_events - Every authentication event with physiological data
event_id, user_id, timestamp, baseline_hr, live_hr, hr_delta,
stress_flag, alert_tier (none/watch/alert/honeypot), context_hash

crp_duress_events - Triggered duress incidents
event_id, user_id, timestamp, trigger_type (duress_gesture/auto_css/multi_flag),
device_id, location_lat, location_lng, session_type (honeypot/live),
alert_sent_to, css_score

Section 15

Current Codebase Stats

38API Endpoints

37Serverless Functions

11+2Database Tables

11Integrations

10K+Frontend Pages

5Crypto Algorithms

4Subscription Tiers

6Trust Score Signals

ECDSAContent Stamps

5CRP Layers

ConsentAge Verification

0-100Trust Score Range