Digital data has increased in volume and sensitivity, so people and businesses need a reliable way to store their files securely, on- or off-line, among the many options (both good and bad) that exist today. The System for File Management Secured with Facial Biometrics (SFMS-FB) integrates AES-256-GCM encryption with face recognition for authentication. Built on a FastAPI backend written in Python and a front end built in React, the SFMS-FB system follows the strictest zero-knowledge principles possible, allowing neither the storage of any encryption keys nor any record of their existence. Secure file management is accomplished using two methods: i) per-file encryption keys, obtained through PBKDF2-HMAC-SHA256 with a 600,000 iteration count and variable-length HKDF-derived keys from a single pass of PBKDF2-HMAC-SHA256; and ii) authentication based on an embedding vector of each user's facial image (deep face representations via ArcFace, 512 dimensions), together with the MediaPipe Persistent Detection Engine to confirm that a real person is present during user login (to prevent spoofing attacks). Our experiments demonstrate strong overall security characteristics, including effective protection against replay, and fast file operation responses (< 1 second). This paradigm for securely storing and managing files locally addresses the many limitations of cloud-based solutions by providing an experience that is entirely local, auditable, and very performant.
Introduction
The SFMS-FB (Secure File Management System using Facial Biometrics) is an offline, biometric-based encryption platform designed to protect sensitive local files without relying on passwords or cloud services. It addresses modern cybersecurity threats such as ransomware and data breaches by combining facial recognition authentication with AES-256-GCM encryption and a zero-knowledge key management design.
The system replaces password-based access with face recognition (ArcFace/DeepFace) and strengthens security using liveness detection via MediaPipe face mesh (blink and head-movement checks) to prevent spoofing. It uses a hierarchical encryption model where a master key is derived through PBKDF2 and individual file keys are generated using HKDF, ensuring strong isolation between files. A multi-vault structure supports secure file organization and includes decoy vaults for plausible deniability.
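The key hierarchy described above, as an added Python example that is not the paper's or the SFMS-FB project's own code: a PBKDF2-HMAC-SHA256 master key (600,000 iterations) expanded into per-file 256-bit keys with HKDF (RFC 5869), using only the standard library. The enrolment secret fed to PBKDF2, the salt sizes, the `sfms-file-key` label and all function and identifier names are assumptions, and the AES-256-GCM step is left out.

```python
# Added example; names and inputs are assumptions, not from the SFMS-FB code base.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # iteration count stated in the paper
KEY_LEN = 32                  # 256-bit keys, the size AES-256-GCM needs


def derive_master_key(secret: bytes, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 over an enrolment secret (what feeds it is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """HKDF (RFC 5869): extract a PRK, then expand it into `length` bytes."""
    if length > 255 * hashlib.sha256().digest_size:
        raise ValueError("HKDF-SHA256 output is limited to 8160 bytes")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_file_key(master_key: bytes, vault_id: str, file_id: str, file_salt: bytes) -> bytes:
    """Bind each key to its vault and file through the HKDF `info` field."""
    # Length-prefix the fields so ("ab", "c") and ("a", "bc") cannot collide.
    info = b"".join(len(p).to_bytes(2, "big") + p
                    for p in (b"sfms-file-key", vault_id.encode(), file_id.encode()))
    return hkdf_sha256(master_key, file_salt, info)


if __name__ == "__main__":
    # Constructed sample values; only the salts would ever be written to disk.
    user_salt = os.urandom(16)
    master = derive_master_key(b"constructed enrolment secret", user_salt)
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    key_a = derive_file_key(master, "vault-1", "report.pdf", salt_a)
    key_b = derive_file_key(master, "vault-1", "notes.txt", salt_b)
    print("file keys differ:", key_a != key_b)
    print("re-derivation matches:",
          key_a == derive_file_key(master, "vault-1", "report.pdf", salt_a))
```

Because every key is recomputed from the secret and the stored salts, nothing key-shaped needs to be persisted, and a leaked file key does not reveal the master key or any sibling file key.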
The architecture consists of a Python FastAPI backend and a React frontend, with SQLite for storage. Key modules handle authentication, encryption, vault management, and file operations through REST APIs. Security features include JWT-based session control, account lockout after failed attempts, and in-memory token revocation.
Performance results show high encryption/decryption throughput and stable key derivation times. The system achieved strong authentication accuracy with a 97.5% true acceptance rate and very low false acceptance rate, while successfully detecting spoofing attempts.
Conclusion
This paper has presented the Secure File Management System using Facial Biometrics, a comprehensive offline encrypted file management system that demonstrates how modern biometric authentication can be effectively combined with state-of-the-art symmetric encryption. The zero-knowledge key architecture ensures that no sensitive key material is ever persisted to disk, while the PBKDF2/HKDF key hierarchy provides strong cryptographic isolation between files. The MediaPipe-based liveness detection effectively prevents presentation attacks without requiring specialized hardware.
Future work will explore threshold secret sharing for multi-factor recovery, hardware security key (FIDO2) authentication as a complement to face recognition, and a distributed vault mode for secure file sharing over local area networks.