Your Face is Not Your Key. Multi-Modal Authentication is a Better Choice for Modern Banking.

September 1, 2025

While “passwordless” is the keyword of the current era, relying solely on a particular approach to authentication without passwords, such as camera-based facial biometrics, might be short-sighted, result in missed business opportunities, and expose an organization to unnecessary risk.

Camera-based facial biometrics boomed during the pandemic due to the increased need for efficient remote identity verification, especially in highly regulated online financial services. Indeed, it is an excellent way to authenticate people in various situations, such as account opening, access recovery, or authentication. Access is fast and highly convenient, as scanning the face with a modern smartphone is easy.

Despite all the benefits, we recommend resisting the temptation to make face the only key to banking services. The approach cannot efficiently address specific areas and may open the organization to hard-to-solve issues. We recommend combining camera-based facial biometrics with other user authentication techniques to achieve a better user experience and improve organizational resilience.

On an organizational level, we recommend coordinating the discussion between product owners and cybersecurity architects.

Issues of Camera-Based Facial Biometrics

While working with camera-based solutions for facial biometrics, we have identified several areas where these solutions may fall short.

Twins and Doppelgangers

No matter what your biometric provider says during the sales pitch, telling twins apart is not easy and presents a challenge even for the best facial biometric solutions.

The advanced security measures implemented in such systems aim to prevent injection attacks or deepfakes. There are limited options for blocking real people (in front of a real camera) who look very similar to the original reference person and will therefore produce a match in the face-matching step.

Zero-Day Deepfake Attacks

While many solutions for facial biometrics actively fight synthetic deepfakes, the principal weakness of remote biometric authentication is simple: the attacker only needs to get enough pixels right, quickly enough. With facial data commonly available, such as social media profile pictures or recordings of online calls, planning and executing attacks targeting a specific person is easier than ever.

Even if you and your vendor can theoretically solve the new attack vector by introducing new countermeasures, it may take some time. If fraudsters can bypass an organization’s biometric verification, and the vendor can deliver a fix in two weeks, what should the organization do for those two weeks? Leave the systems open to fraud, or temporarily suspend electronic channels? Switching to a fallback method sounds like a much better option.

People’s Lives and Devices

Some practical limitations on the user's side are also hard to avoid.

People use smartphones at any time of day, including at night or in poor lighting conditions. Using a camera in such situations may challenge everyone, especially people with darker skin tones. Enforcing facial biometrics may also exclude people who cover their faces in public, such as those who cover their faces for religious reasons, or who wear medical masks to protect people around them during the flu season. In turn, not offering an alternative exposes organizations to the risk of failing to provide inclusive services and missing out on acquiring and efficiently engaging new customers.

There are also less severe reasons people might be unable to use facial biometrics: a broken camera due to the infamous spider-web crack on the display, anxiety about their current looks, or a situation they would prefer not to capture on camera.

Available Modes of Authentication

Financial organizations should adopt strong customer authentication that can leverage distinct authentication modes to mitigate the above risks and offer services to a broader range of customers. In modern banking, several suitable options for phishing-resistant multi-factor authentication can serve well alongside camera-based facial biometrics.

Local Device Biometrics

Local device biometrics, such as Face ID or Touch ID, might provide weaker evidence of the user’s identity than camera-based biometrics. However, they are still very secure and familiar to users. In other words, people expect to use Face ID for their logins. These methods provide excellent privacy protection as the biometric data never leaves the device. Thanks to dedicated hardware scanner support (such as an infrared camera tracing tens of thousands of dots), they can even work in suboptimal lighting conditions.

In mobile banking, the local device biometrics are typically initialized just after the initial device binding, and strongly linked to the current set of locally stored biometric data. As a result, if someone tries to add new fingerprints or a face, the banking app will invalidate the biometric access based on local device biometrics.

Device-Bound PIN Code

People believe all passwords must be long and complex, and are susceptible to phishing. However, this is not the case. A secure, financial-grade PIN code (or password) linked to a specific device mitigates this issue because the PIN code is usable only on the device where the user initially set it. Sound solutions achieve this through advanced cryptographic methods. These are designed to ensure zero PIN code storage (the PIN code only exists in the user’s head) and to prevent local brute-force attacks on the PIN code, including attempts to extract the PIN code using forensic techniques.

Among all authentication methods, the device-bound PIN code is the most universal. It works on any smartphone model, and any user can use it. We recommend always making a device-bound PIN code available as a backup authentication option.

In combination with in-app protection that prevents leaking the PIN code via screen sharing or accessibility features or intercepting the PIN code using advanced hacking techniques, we believe that the device-bound PIN code is also an extremely secure option and provides a firm assurance of the user’s intent to confirm the operation.
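The two properties described above, zero PIN storage and no local brute-force path, can be illustrated with a small simulation. This is an added example written for this page, not Wultra’s implementation: it assumes a random device secret standing in for a hardware-keystore key, a one-time enrolment over an already authenticated channel, and a server that holds the only verifier and counts failed attempts, so every PIN guess costs an online round-trip.

```python
import hashlib
import hmac
import os
import secrets

MAX_ATTEMPTS = 5  # counted on the server, the only place a PIN guess can be checked

def derive_pin_key(pin, device_secret, device_id):
    # PIN + hardware-backed device secret -> per-device key. The PIN is used only
    # transiently; nothing the device stores lets it (or malware) check a PIN locally.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret + device_id, 100_000, 32)

def device_respond(device_secret, device_id, pin, challenge):
    # device_secret stands in for a key kept in the Secure Enclave / Android Keystore (assumed)
    return hmac.new(derive_pin_key(pin, device_secret, device_id), challenge, "sha256").digest()

class Server:
    def __init__(self):
        self.verifiers, self.failures, self.challenges = {}, {}, {}

    def enrol(self, device_id, pin_key):  # once, over an already authenticated channel (assumed)
        self.verifiers[device_id], self.failures[device_id] = pin_key, 0

    def new_challenge(self, device_id):
        self.challenges[device_id] = secrets.token_bytes(32)
        return self.challenges[device_id]

    def verify(self, device_id, response):
        if self.failures.get(device_id, 0) >= MAX_ATTEMPTS:
            return "locked"
        challenge = self.challenges.pop(device_id, None)
        if challenge is None or device_id not in self.verifiers:
            return "rejected"
        if hmac.compare_digest(hmac.new(self.verifiers[device_id], challenge, "sha256").digest(), response):
            self.failures[device_id] = 0
            return "ok"
        self.failures[device_id] += 1
        return "locked" if self.failures[device_id] >= MAX_ATTEMPTS else "bad_pin"

def attempt(server, device_secret, claimed_id, pin):
    # One online PIN check: every guess costs a round-trip and counts towards the lockout.
    return server.verify(claimed_id, device_respond(device_secret, claimed_id, pin, server.new_challenge(claimed_id)))

def scenario():
    server, dev_id, secret_a, secret_b = Server(), b"phone-A", os.urandom(32), os.urandom(32)
    server.enrol(dev_id, derive_pin_key("4821", secret_a, dev_id))       # enrolment on phone A
    results = [attempt(server, secret_a, dev_id, "4821"),                # right PIN, right device
               attempt(server, secret_b, dev_id, "4821")]                # right PIN, different device
    results += [attempt(server, secret_a, dev_id, "0000") for _ in range(4)]  # guesses until lockout
    results.append(attempt(server, secret_a, dev_id, "4821"))           # locked even with the right PIN
    return results
```

Running scenario() shows the right PIN fails from a device that lacks the original secret, and that after the fifth failed guess the account is locked even when the correct PIN is finally supplied.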

Palm Verification

If strong, server-enforced identity is required, there are also excellent alternatives to facial biometrics, such as palm verification. Instead of authenticating people by their faces, palm verification examines the shape of the palm and measures features such as finger length ratio or flexure lines in the skin and fingers. As a result, it is an excellent and accurate option for situations where capturing the face specifically might prove problematic.

While reference data for palm verification is unavailable on ID documents or in various government databases, the initial capture after the first user enrolment in the mobile application can be user-friendly and fast.

FIDO2 Hardware Token

While distributing additional hardware devices just for authentication might seem cumbersome, it is the preferred alternative for some customers due to its ultimate security and independence from their primary smartphone devices. With the USB-C standardization on the hardware level and FIDO2 universally supported in most modern software, a compatible hardware token will work for accessing web and mobile banking applications and might serve as a backup SCA method for later access recovery.

Our Recommendations for Banking in 2025

We recommend a balanced multi-modal approach to identity verification and authentication for organizations deciding on their new solutions. While the digital banking landscape evolves dynamically, we do not expect that our recommendations will need significant revisions in the next few years.

New-To-Bank Customers: Account Opening

To ensure secure and compliant customer onboarding (a process of identity verification while opening a new bank account), we recommend:

  • Implementing online identity verification using ID document capture (prefer NFC over optical capture) and facial biometrics that compares the person in front of the camera with the person from the document (ideally, the photo comes from a government database or NFC-scanned document, not from the document’s optical capture).
  • Using a compliant third-party solution, such as BankID or a digital identity wallet (EUDI-W), that offers sufficient identity assurance in compliance with the local regulatory requirements.

Of course, customers can still open a bank account offline by visiting a branch or point of sale, and this process does not require any presence in your mobile digital channels.

Existing Customers: Setting Up Account Access

For your existing customers, you can secure access to mobile banking services (the first login in the app, or app access recovery) using the following methods of strong customer authentication (SCA):

  • Enrollment via Multi-Factor Authentication: A combination of username (with optional password), SMS OTP, and facial biometrics. This approach offers multi-factor authentication in which facial biometrics provides a step resistant to credential phishing. While SMS OTP is generally discouraged, using it as one of multiple factors in a longer process is still possible.
  • Backup SCA Element: A backup SCA element, such as an active FIDO2 hardware token, is a convenient option for access setup or recovery, assuming the bank offers such a backup element.
  • In-Person Enrollment: Scanning the QR code at the branch or other physical point of sale to activate the mobile banking app, for example, just after the in-person account opening. This option is also great for customers with problematic devices that do not allow enrollment using online methods due to hard-to-debug issues. The physical location is required to ensure the QR code appears in a secure environment.

Strong Customer Authentication: Logins and Payments

For strong customer authentication beyond the first login, we recommend:

  • Use local device biometrics (Face ID, Touch ID) as the primary method for logins and payment approvals. Assuming users can carry out the app setup securely, most implementations of local device biometrics are secure and offer your users the fastest and most familiar access.
  • Offer a device-bound PIN code as a backup for people who cannot use local device biometrics, or as an option for specific transactions where using a PIN code provides a stronger assurance of the user’s explicit intent.

Authentication Step-Up

For sensitive transactions where additional identity assurance is beneficial, such as loan initiation or high-value transactions, we recommend adding facial biometric authentication or another form of server-side biometry (e.g., palm verification) as the additional authentication step.

Unified Approach with Multiple Modes

Putting all your eggs in one basket is rarely a good strategy, and using just face for everything is no exception. Having multiple options for smartphone-based strong customer authentication is not a system defect, but the contrary: a good design.

Such an approach improves the user experience, ensures inclusivity for people of all skin colors and religions, and accounts for various life situations, yet it comes with minimal cost overhead.
