Preventing hijack / ensuring single-user completion for a Face ID flow

[Victor1890]

Hi @vladmandic — I’ve been following your work for a couple of years and really appreciate the effort you’ve put into this project. Thank you!

Context:
I’m designing a Face ID–style experience from scratch — focusing both on the technical implementation and the overall UX flow (like Apple’s Face ID).

After running some tests, I’m wondering if there’s a way to ensure that once a Face ID process starts for a user, another person can’t complete or interfere with that same session.

Question:
Does the library (or a related pattern) provide any method to “lock” a recognition session to a specific user — for example, through session tokens, challenge binding, or built-in liveness checks?

Any guidance on how to approach this from both a security and UX perspective would be greatly appreciated. 🙏

[vladmandic]

afaik, all of the internal variables are in local scope and main model requests should be parallel-safe.
only issue might be if you're changing global config for each session while session is running.
if you really need to change global config per-user, then its best to create a separate instance of human for each user (yes, single app can use multiple instances, there are even multithreading examples provided)

if there is an issue, please provide a reproduction and i'll take a look.

[Victor1890]

I understand, so let me rephrase my question:

Have you encountered a situation where Person 1 starts the Face ID process, but Person 2 ends up finishing it?
If so, is there an efficient way to ensure that only the same person who starts the process can complete it — perhaps using a custom validation function or some business logic to enforce that rule?

[vladmandic]

i haven't and that should not be possible. if you encounter that please create an issue with code to reproduce and i'll fix it.

[Victor1890]

Hi @vladmandic, you don't understand me, the library doesn't have any issue, I'm talking about if are you had a similar situation about identify on the same process if Person 1 begin and complete the Face ID flow, I'll again the library doesn't have any problem

[vladmandic]

that's what I'm saying - no, I did not experience such issue. is this hypothetical or do you have a problem?

[Victor1890]

No, it's hypothetical, it's more curiosity than anything else