USER-ID-1: user identity resolution and authentication level specification #53

Description

@JarbasAl

Summary

Define the bus-protocol contract for user identity resolution: the session fields that carry recognized identity, per-signal enrollment evidence, and authentication strength. Skills use session.auth_level to gate sensitive operations without coupling to any specific recognition technology.

Motivation

OVOS currently has no identity concept at the bus level — every session is anonymous. The user-id codebase implements biometric recognition but with no normative contract for how results flow into the pipeline or how skills consume them. This spec formalizes that contract.

What USER-ID-1 defines

Session fields (all opaque strings, all optional):

  • user_id — consolidated resolved identity
  • voice_id, face_id, name_id, passphrase_id — per-signal enrollment record IDs
  • default_user_id — bridge/deployer-configured fallback identity
  • auth_level — integer 0–5 summarising evidence strength

Authentication levels:

| Level | Evidence |
|-------|----------|
| 0 | Anonymous |
| 1 | Configured default (bridge/site assumption) |
| 2 | Self-declared name (unverified) |
| 3 | Single passive biometric (voice or face) |
| 4 | Multiple passive biometrics agree |
| 5 | Explicit credential (passphrase) |

Four enrolled signal types:

  • Voice print (audio transformer, pre-STT)
  • Face print (out-of-band camera plugin; site_id selects camera; liveness detection SHOULD be employed)
  • Name declaration ("I am Alice" — utterance transformer, post-STT)
  • Secret phrase (utterance transformer, post-STT)

Resolution: a user recognition plugin writes the fields it resolves to the session before the utterance enters the pipeline. Implementation is deployer-defined (metadata transformer, standalone service, or combination). Layer-2 bridges may inject all fields directly.

Identity persistence: the recognition plugin SHOULD carry identity forward within a session; auth_level may upgrade but SHOULD NOT downgrade without a positive disconfirming signal.

Re-authentication: skills requiring a higher level SHOULD prompt and use CONVERSE-1 response_mode to capture the credential utterance.

Companion changes

  • ovos-session-1.md — seven new fields added to the §2.1 field registry (user_id, voice_id, face_id, name_id, passphrase_id, default_user_id, auth_level)
  • ovos-audio-in-1.md (PR OVOS-AUDIO-IN-1: Audio Input Service Specification #51) — §4 cross-references USER-ID-1 §3.1 for voice-print as audio-transformer use case

Out of scope

Recognition algorithms, enrollment procedures, credential storage, audio/video acquisition.
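
The following sketch is an added example, not code from the issue or from the OVOS user-id codebase. It maps resolved session fields to the 0–5 levels above, applies the upgrade-only persistence rule, and gates a skill on auth_level. Assumptions: the session is a plain dict, `OWNERS` is a constructed enrollment lookup, the function names are hypothetical, and treating conflicting biometrics or a biometric/passphrase match for a different user as the "positive disconfirming signal" is this example's own choice.

```python
# Constructed enrollment store: enrollment record ID -> user_id (hypothetical).
OWNERS = {"v-1": "alice", "f-1": "alice", "p-1": "alice",
          "v-2": "bob", "f-2": "bob", "n-2": "bob"}

def resolve(fields, owners):
    """Map one utterance's signals to (user_id, auth_level, conflict)."""
    def owner(key):
        return owners.get(fields.get(key))
    if owner("passphrase_id"):                  # level 5: explicit credential
        return owner("passphrase_id"), 5, False
    voice, face = owner("voice_id"), owner("face_id")
    if voice and face:
        if voice == face:                       # level 4: biometrics agree
            return voice, 4, False
        return None, 0, True                    # disagreement: fail closed
    if voice or face:                           # level 3: single biometric
        return voice or face, 3, False
    if owner("name_id"):                        # level 2: unverified name
        return owner("name_id"), 2, False
    if fields.get("default_user_id"):           # level 1: configured default
        return fields["default_user_id"], 1, False
    return None, 0, False                       # level 0: anonymous

def carry_forward(session, fields, owners):
    """Update the session: upgrade freely, downgrade only when disconfirmed."""
    user, level, conflict = resolve(fields, owners)
    previous = session.get("user_id")
    # Assumption: level >= 3 evidence for a different user disconfirms identity.
    disconfirmed = conflict or (level >= 3 and previous not in (None, user))
    if disconfirmed or level > session.get("auth_level", 0):
        session.update(user_id=user, auth_level=level)
    return session

def allowed(session, required):
    """Skill-side gate: a missing auth_level is treated as 0 (anonymous)."""
    return session.get("auth_level", 0) >= required
```

A silent utterance or an unverified "I am Bob" leaves an existing level-3 identity untouched, while a conflicting voice/face pair drops the session to anonymous.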
