Carried-phone physics.
Motion, activity, steps, floors, pressure, magnetic field, brightness, battery, thermal state, charging, and discharge behavior.
Physics inputs
What the phone actually checks.
Pulse is not a QR code, OTP, CAPTCHA, or KYC wrapper. It is a carried-phone proof: bounded signals from the iPhone, fused on device, used to answer whether a real phone is present for one protected action.
Inventory
Fourteen signal lanes, not one magic signal.
Every single sensor can be weak in isolation. The value is the pattern: a real phone produces power, motion, radio, display, place, and time-of-day context that agrees with itself. A fraud script, emulator, SIM swap, or relayed browser session has to fake the whole day, not just one token.
Network and service context.
Path status, Wi-Fi/cellular class, constrained or expensive path, coarse radio generation, SIM visibility, cellular data state, Bluetooth state, and media route class.
Life context without a trail.
Coarse place familiarity, dwell, daily light, weather consistency, Focus/quiet state, projection, device surface, receipt chain, and App Attest posture.
Signal matrix
What each lane tells us.
This is the working inventory behind Pulse. The lender does not need raw readings. Pulse turns them into bounded evidence such as coverage, freshness, confidence bands, and reason codes for the protected action.
Battery / thermal
Power has rhythm.
Charge windows, long discharge cycles, low-power mode, thermal state, and charging while connected to a car route help distinguish real carry, rest, commute, and stale-device patterns.
Motion / activity
Phones move like carried objects.
Motion, stillness, activity class, steps, and floors support walking, transit, rest, powered-lift, and active-stationary reads without exporting raw IMU streams.
Magnetic field
Places have magnetic texture.
Field range and motifs help spot settled places, boundary crossings, vehicle shells, powered lifts, and environmental change when fused with motion and pressure.
Pressure / weather
Elevation tells a quiet story.
Pressure and relative altitude support floor changes, stairs, lifts, slopes, and weather/place consistency checks.
Connectivity
Path shape matters.
Pulse can see network path status, Wi-Fi/cellular/wired class, constrained or expensive path, gateway/interface counts, and salted Wi-Fi continuity. It does not export SSID, BSSID, IP, DNS, tower, or RF data.
Phone service
A SIM swap is not the whole story.
Coarse radio generation, service visibility, SIM visibility where iOS exposes it, cellular data state, CallKit aggregates, and optional carrier assertions support service continuity without exposing phone numbers or call details.
Bluetooth / media / projection
Accessories are life signs.
Bluetooth authorization/state, car or headphone route class, media route changes, screen capture/mirroring, and external display counts help identify commute, docked vehicle, leisure, remote-guidance, and observation context.
Place / light / quiet
Context makes motion meaningful.
Coarse location, dwell, familiar or unknown place, sunrise/sunset phase, weather, brightness, and Focus/quiet state help separate sleep, desk work, travel, evening leisure, and low-connectivity isolation.
Device surface
The phone has to be a real iPhone.
Platform, system version, idiom, simulator flag, device-held signing key, Merkle receipt chain, and App Attest posture raise the floor against emulators and replay.
Touch and local auth
Current-session presence matters.
Pulse may use bounded app-local interaction timing and local-auth pass/fail as support signals. It does not collect raw touch paths, keystrokes, biometric templates, Face ID data, or interactions in other apps.
Why it matters
The problem is not “can the user receive a code?”
Fraud teams already have passwords, OTP, device fingerprints, KYC vendors, document checks, CAPTCHA, and bureau files. Those validate fragments. Pulse is for the gap between the fragments: whether the protected action is being performed with a real, carried, current phone that has coherent physical context.
OTP / 2FA
Proves message access.
A code can be forwarded, phished, SIM-swapped, socially engineered, read from email, or relayed in real time. It does not prove a phone has been carried through ordinary life.
Pulse
Proves a carried device is present.
The phone signs a challenge for this action and supports it with current device, radio, motion, power, and context evidence.
CAPTCHA / bot score
Scores the browser.
CAPTCHA asks whether a browser interaction looks automated. It does not know whether the applicant has a real phone, a real day, or a coherent device history.
Pulse
Checks the phone beside the browser.
Pulse moves the trust boundary from page behavior to a carried iOS device with signed receipts and bounded sensor coherence.
KYC / document checks
Validate identity artifacts.
KYC can say a name, document, phone number, address, or bureau file matches policy. It cannot by itself prove that the person behind this action is physically present with a continuous device.
Pulse
Does not replace KYC because it is not KYC.
Pulse supplies presence and continuity evidence. The institution still owns KYC, CIP, underwriting, fraud policy, adverse-action notices, and final decision authority.
Privacy boundary
Hard reality also means hard limits.
Pulse is allowed to inspect deeper local device state than it should ever export. The discipline is the boundary: raw diagnostics can help the phone understand itself; the lender gets a minimal proof summary.
No raw location trail.
No precise GPS path, address history, speed history, or raw coordinate feed is sent to the lender.
No network or phone identifiers.
No Wi-Fi names, IP addresses, tower data, phone numbers, contacts, carrier account IDs, or device serials are exposed.
No content from the phone.
No audio, screenshots, screen contents, notification contents, app list, or call history leaves as raw data.
Verifier output
What leaves the phone is deliberately small.
Never the default
Raw phone feed.
No raw sensor streams, location trails, Wi-Fi names, IP addresses, tower data, contacts, phone numbers, carrier account IDs, screen contents, audio, app text, touch paths, or biometric templates.
Production proof shape
Signed, bounded facts.
Receipt id, challenge binding, App Attest posture, Merkle root, signal coverage, freshness, maturity band, current-session assertion band, and reason-code classes such as motion present or carrier assertion fresh.
Limits
Pulse is a liveness floor, not a fraud oracle.
Phones do not expose every signal people imagine, and permissions can change. Pulse treats missing support as missing support, not as proof of fraud. A fully compromised real device can fake many local APIs. A consenting or coerced human can carry a real phone. That is why Pulse is fused with App Attest, server challenges, carrier assertions where available, CID/KYC binding, and the institution’s own policy.