Authors: Dean Stevenson, Director of Pre-Sales, Tobin Broadfoot, Director of Product
In recent conversations with prospects and customers, we’ve observed some changes in how banks and fintechs are handling local biometric authentication. We wanted to share our insights on these shifts so that others considering biometrics for authentication can better understand these developments.
Before we begin, it’s worth revisiting the three primary biometric authentication models. You can find more information here.
Overview of the Three Models
Local Biometrics (e.g., FaceID, Fingerprint Unlock): These are biometric systems in which biometric data is stored on a user’s device and never leaves it. When an app requires authentication, it asks the device to verify the user’s identity. While this ensures that biometric data stays private, it also creates security risks and usability concerns, as it is tied to the operating system and lacks an external verification layer.
Centralized Biometrics: Third-party providers store biometric data on a cloud server, making authentication independent of a specific device or operating system. However, storing biometric data in the cloud increases risk - hashed biometric data is still vulnerable to breaches.
Decentralized Biometrics: The latest approach in biometrics, this model aims to combine the security, privacy, and user experience benefits of both previous methods. Reliant on the cloud, it does not have the security and usability concerns of local biometrics, and it differs from the centralized model in that there is a greater emphasis on protecting cloud-based data.
How Attackers Exploit FaceID’s Weaknesses
One of the major security flaws of FaceID (or any local biometric system) is that when a new face is registered banks cannot tell whether it’s the original user or a fraudster.
Imagine this scenario - we’ll use an iOS phone as an example, but this applies to any operating system: An attacker steals your phone after observing you enter your PIN. They then access FaceID settings, re-register their own face, and log into your bank account. That same FaceID is then used to authenticate a payment, so the fraudster transfers money out of your account - and the bank is none the wiser.
Family Fraud: A Growing Concern
This type of fraud is common among family or friends, where a trusted person who knows the user’s phone PIN updates FaceID to their own face. Since many banks protect transactions with the local biometric (FaceID), a family member can drain an account without the rightful owner noticing until it's too late.
Another example is with TouchID, where it is very common for family devices to have a fingerprint from multiple family members enrolled. While a different use case, you can imagine the damage a child can accidentally do with access to their parent’s app store.
Gartner also highlights this in their 2025 Innovation Insight on Biometric Authentication:
Banking clients have expressed concerns that a customer’s spouse or child might have enrolled their fingerprints on the customer’s phone, thus enabling that other person to masquerade as the customer. There is no technical way to restrict this, but banks typically ask a customer setting up biometric authentication to assert that no one else has enrolled their fingerprints.
Operating Systems Are Catching On
To overcome this issue, both iOS and Android have introduced features that detect changes to local biometrics.
Barclays (UK) now verifies changes to local biometrics before allowing transactions.
Nationwide (UK) prompts step-up authentication when it detects a biometric update.
Many fintechs, however, prioritize seamless user experience over security, allowing transactions to proceed even after biometric credentials change.
The Unintended Consequences for Banks
While this is a step in the right direction, the bank has only detected that the biometrics have changed - they still do not know if the new biometric belongs to the original user or a fraudster. Someone could have changed the finger they use to authenticate - it is not necessarily fraud.
So when a local biometric change is detected, banks still fall back on alternative authentication methods:
PINs and Passwords: Weak and often known to the family member. What’s more, the banking password used as a fallback mechanism for a changed biometric is more often than not the same one used to unlock the phone.
SMS OTPs: Delivered to the very phone that has already been accessed.
Call Center Verification: Expensive and frustrating for customers.
Re-KYC (Know Your Customer) Process: Requires users to re-verify their identity with official documents, which is secure but highly inconvenient.
Each fallback method has trade-offs - either poor security, high costs, or a frustrating user experience.
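The detection feature described above, as an added example that is not code from the original post or from any bank or OS vendor: on iOS, LAContext exposes an opaque "domain state" blob that changes whenever a face or fingerprint is enrolled or removed. An app records the blob when the user opts into biometric login and compares it on every later use; a mismatch proves only that the enrollment set changed, not who changed it, so the app refuses the biometric path and routes to a step-up check. The BiometricStateStore type, its key name, and the use of UserDefaults (a real app would use the Keychain) are assumptions made for this example.

```swift
import Foundation
import LocalAuthentication

// Hypothetical persistence for the baseline domain state. Assumption: in a
// real app this belongs in the Keychain, not UserDefaults.
enum BiometricStateStore {
    private static let key = "biometric.domainState"   // hypothetical key name
    static func load() -> Data? { UserDefaults.standard.data(forKey: key) }
    static func save(_ state: Data) { UserDefaults.standard.set(state, forKey: key) }
}

enum BiometricCheck {
    case unchanged    // same enrollment set as when the user opted in
    case changed      // enrollment set differs: do not trust the biometric, step up
    case unavailable  // no biometrics enrolled or not available on this device
    case firstUse     // nothing stored yet: baseline recorded
}

/// Compare the device's current biometric enrollment state with the baseline
/// saved when the user enabled biometric login.
func checkBiometricEnrollment() -> BiometricCheck {
    let context = LAContext()
    var error: NSError?

    // canEvaluatePolicy(_:error:) must run first; it populates
    // evaluatedPolicyDomainState for the biometric policy.
    guard context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error),
          let current = context.evaluatedPolicyDomainState else {
        return .unavailable
    }

    guard let saved = BiometricStateStore.load() else {
        // First use: record the baseline. Only do this immediately after a
        // stronger identity check (KYC, or password plus a second factor).
        BiometricStateStore.save(current)
        return .firstUse
    }

    // The blob is opaque; the only supported operation is equality.
    return saved == current ? .unchanged : .changed
}

/// Authorise a payment with FaceID/TouchID only when the enrollment set is
/// unchanged. On `.changed` the caller must complete step-up authentication
/// and, once that succeeds, call `BiometricStateStore.save` with the new
/// state to re-baseline; never re-baseline on the biometric result alone.
func authenticateForPayment(reason: String,
                            completion: @escaping (Bool, BiometricCheck) -> Void) {
    let state = checkBiometricEnrollment()
    guard state == .unchanged else {
        completion(false, state)   // caller routes to step-up or enrolment flow
        return
    }

    let context = LAContext()
    context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics,
                           localizedReason: reason) { success, _ in
        completion(success, state)
    }
}
```

Android offers a stronger variant of the same idea: a key created with KeyGenParameterSpec.Builder.setUserAuthenticationRequired(true) and setInvalidatedByBiometricEnrollment(true) is permanently invalidated when a new biometric is enrolled, so a signing or decryption operation bound to that key fails outright rather than relying on the app to remember to compare state. In both cases the outcome is the one the next section describes: the app learns that the enrollment changed, and a separate mechanism still has to establish whether the person holding the phone is the account owner.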
The Core Issue: Banks Still Have No Control Over FaceID
Ultimately, the core issue remains unresolved: Banks relying on local biometrics still have no control over which face or fingerprint is associated with an account. Once a user passes the initial KYC process, the bank assumes that all subsequent biometric logins are from the same person - without any way to verify this assumption.
The underlying problem with any credential, whether FaceID, a PIN, a password, or an OTP, is that there is no link between the credential and the real person using it. Any authentication-based solution that does not address this is merely a sticking plaster.
Resolving the problem requires linking the user’s credentials to the person behind them, every time they enroll or authenticate on an app - something that decentralized biometrics can do.