
Device Authentication Isn’t Identity Verification: Why Organizations Need Step-Up

Travelers departing internationally from Orlando International Airport can now board flights without touching their passports. Facial recognition technology scans their faces, matches them against passport photos, and clears them for departure in seconds. The New York Times reports passengers may be “surprised to zoom right onto a future international flight” as this technology rolls out across major airports. What once required manual document inspection now happens automatically, securing international borders through biometric verification rather than paper or NFC credentials.

If facial recognition provides sufficient assurance to clear passengers onto international flights, why do financial institutions still rely on smartphone manufacturers to verify identity for high-value transactions? The same technology trusted by border security exposes a fundamental gap in how organizations authenticate their customers. When someone initiates a $50,000 wire transfer from their iPhone, most banks verify that the phone is unlocked, not that the actual account holder is present. Device authentication confirms possession. It doesn’t confirm identity.

This distinction matters enormously for transactions requiring elevated assurance. Banks, healthcare providers, and government agencies have grown dangerously comfortable treating the convenience of unlocking a smartphone as equivalent to verifying identity for high-stakes operations. At Daon, we call this “lazy biometrics”—outsourcing security to device manufacturers who optimize for user experience across millions of use cases rather than financial-grade protection for specific high-risk scenarios.

The gap isn’t a technological capability; it’s an architectural choice. Organizations need authentication systems that scale security proportionally to risk, maintaining institutional control over verification standards rather than delegating that authority to Apple, Google, or Samsung. Step-up authentication using facial recognition addresses this requirement directly, providing risk-calibrated verification that distinguishes between routine access and transactions demanding higher certainty. Does your authentication architecture actually verify identity when it matters most, or does it just confirm someone unlocked the right device?

The Lazy Biometrics Trap

Most smartphone users unlock their devices dozens of times daily with a glance or fingerprint. This convenience has created dangerous institutional complacency. Financial institutions, healthcare providers, and government agencies now routinely treat device biometrics as sufficient verification for high-value transactions (wire transfers, prescription changes, benefits distribution) without questioning what they’re authenticating. Device-based biometrics confirm that someone unlocked the phone. They don’t confirm that the person is the legitimate account holder.

This distinction exposes a fundamental security flaw. Stolen phones with bypassed biometrics, borrowed devices, and compromised hardware all create scenarios where device access doesn’t equal identity verification. A teenager using a parent’s authenticated phone can transfer funds. An employee accessing a colleague’s unlocked laptop can modify records. A thief with a stolen device and enough social engineering can reset security settings. In each case, the device biometrics function exactly as designed, but the wrong person is authenticated.

The deeper problem is institutional control. When banks rely on Face ID or Android facial recognition, they outsource their security architecture to manufacturers who design these systems for general usability, not high-grade identity assurance. Organizations don’t control the enrollment process, don’t manage the biometric templates, and critically, can’t calibrate the matching thresholds that determine whether verification succeeds. Apple, Google, and Samsung set those parameters for their broader product ecosystems. Financial institutions must accept whatever standards the manufacturers choose.

For unlocking a smartphone to check email, this arrangement works fine. For approving a prescription for controlled substances, it represents a dangerous abdication of security responsibility. Device biometrics authenticate possession, but organizations need systems that authenticate identity.

Step-Up Authentication: Risk-Proportional Security

Not all transactions warrant the same authentication rigor. A routine account login presents different risk than initiating a high-value transfer or accessing sensitive records. Step-up authentication scales security proportionally to transaction risk, applying stronger verification only when circumstances demand it.

This approach matters across industries. Financial services deploy step-up for large transfers, new payee additions, and account modifications. Healthcare organizations use it for prescription changes, sensitive record access, and telemedicine consultations where providers need to confirm patient identity remotely. Government agencies implement step-up for benefits distribution, license renewals, and access to classified documents. Enterprise IT teams require elevated authentication for privileged system access, data exports, and administrative changes that could compromise organizational security.

Regulatory frameworks are converging around these requirements. PSDIII mandates specific authentication standards for payment transactions. Privacy regulations like GDPR and BIPA require demonstrable control over biometric data handling and consent. Age verification laws demand liveness detection that distinguishes real people from synthetic media. Each framework approaches the problem differently, but all point toward the same conclusion: organizations must verify identity proportionally to risk, with institutional oversight rather than outsourced device authentication.

Architecture Matters: Server-Side vs. Device-Side

The architectural distinction is straightforward. Device-based biometrics perform matching on the smartphone or tablet—the organization receives only a pass/fail signal with no visibility into how that decision was reached. Server-side biometrics store templates in environments controlled by the institution, with matching occurring within organizational infrastructure where security teams maintain full oversight.

This architectural difference determines whether step-up authentication is genuinely possible. Server-side implementations give organizations institutional control, allowing them to calibrate authentication thresholds according to their specific risk models rather than accepting manufacturer defaults. The same facial verification works across a customer’s primary phone, a new tablet, a web browser, or a public kiosk, creating device-agnostic verification that follows the individual rather than being tethered to specific hardware. Organizations can apply granular risk calibration, requiring lower confidence thresholds for routine access while demanding higher certainty for sensitive operations. Complete audit trails provide visibility into every authentication event, supporting compliance requirements and incident response investigations that device-based systems can’t deliver.
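The decision logic described above (risk tiers, institution-calibrated match thresholds, a liveness requirement on the strictest tier, and an audit record for every decision) can be sketched as a small policy engine. The following is an added illustration, not Daon's code or any product API; the tier names, the threshold values, the rule cut-offs, the customer-facing reason strings and the sample transactions are all constructed assumptions for the example.

```python
"""
Risk-proportional step-up policy in front of a server-side face verifier.

Added illustration only: this is not Daon's code or product API. The tiers,
thresholds, rule cut-offs and sample transactions are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Assurance(IntEnum):
    """Assurance tiers; a higher tier demands stronger evidence."""
    DEVICE = 1    # device unlock alone (proves possession, not identity)
    FACE = 2      # server-side face match at the routine threshold
    FACE_PAD = 3  # face match at the strict threshold plus liveness (PAD)


# Match-score thresholds the institution calibrates itself (constructed
# values; a deployment derives them from its own false-accept risk model).
MATCH_THRESHOLD = {Assurance.FACE: 0.80, Assurance.FACE_PAD: 0.92}


@dataclass
class Transaction:
    account: str
    amount: float
    payee: str
    known_payees: set = field(default_factory=set)
    typical_amount: float = 0.0   # rolling baseline for this account


@dataclass
class Evidence:
    """What the authentication step actually produced."""
    device_unlocked: bool
    match_score: Optional[float] = None   # server-side face match, 0..1
    pad_passed: Optional[bool] = None     # liveness verdict, if PAD ran


def required_assurance(tx: Transaction) -> tuple:
    """Map transaction risk to a tier plus the reason shown to the customer."""
    new_payee = tx.payee not in tx.known_payees
    unusual = tx.typical_amount > 0 and tx.amount > 3 * tx.typical_amount
    if tx.amount >= 10_000 or (new_payee and unusual):
        if new_payee:
            why = ("This payment is larger than usual and going to a new "
                   "recipient. Let's confirm it's really you.")
        else:
            why = "This is a high-value payment. Let's confirm it's really you."
        return Assurance.FACE_PAD, why
    if new_payee or unusual:
        return Assurance.FACE, ("You're paying someone new or an unusual "
                                "amount. Let's confirm it's really you.")
    return Assurance.DEVICE, ""


def evidence_satisfies(level: Assurance, ev: Evidence) -> bool:
    """Check evidence against the tier; a device unlock never satisfies FACE tiers."""
    if not ev.device_unlocked:
        return False
    if level == Assurance.DEVICE:
        return True
    if ev.match_score is None or ev.match_score < MATCH_THRESHOLD[level]:
        return False
    if level == Assurance.FACE_PAD and ev.pad_passed is not True:
        return False
    return True


def authorize(tx: Transaction, ev: Evidence, audit: list) -> dict:
    """Decide, and append an audit record holding the evidence that was used."""
    level, why = required_assurance(tx)
    ok = evidence_satisfies(level, ev)
    record = {
        "account": tx.account,
        "amount": tx.amount,
        "payee": tx.payee,
        "required": level.name,
        "match_score": ev.match_score,
        "pad_passed": ev.pad_passed,
        "decision": "approved" if ok else "step_up_required",
        "reason": why,
    }
    audit.append(record)
    return record


if __name__ == "__main__":
    log = []  # constructed in-memory audit trail
    acct = {"known_payees": {"landlord", "utility"}, "typical_amount": 1_200.0}
    routine = Transaction("acct-1", 900.0, "utility", **acct)
    wire = Transaction("acct-1", 50_000.0, "new-broker", **acct)
    print(authorize(routine, Evidence(device_unlocked=True), log)["decision"])
    print(authorize(wire, Evidence(device_unlocked=True), log)["decision"])
    print(authorize(wire, Evidence(True, match_score=0.95, pad_passed=True), log)["decision"])
```

The point the example makes is the one the section argues: the device unlock is accepted only for the lowest tier, the thresholds live in the institution's own code where they can be tuned and audited, and the strict tier refuses a high match score unless a liveness verdict accompanies it.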

Liveness detection represents another critical architectural component. Presentation Attack Detection (PAD) ensures the captured image represents a live, physically present person rather than a photograph, video, mask, or deepfake. ISO 30107-3 certification provides independent validation of these anti-spoofing capabilities, confirming systems can defend against injection attacks and synthetic media. Device manufacturers don’t expose their PAD thresholds or allow institutions to calibrate them for specific use cases. Organizations implementing server-side architectures maintain direct control over these security parameters.

Template storage raises important data governance questions. Encrypted biometric templates stored separately from personally identifiable information allow organizations to maintain cryptographic control rather than trusting vendor key management. This addresses data sovereignty requirements and compliance mandates that device solutions can’t satisfy.

Deployment flexibility matters for organizations with diverse regulatory obligations. Server-side platforms support SaaS delivery, managed hosting, or self-managed infrastructure depending on jurisdictional requirements. These systems scale to thousands of authentications per second, operating across mobile apps, web interfaces, contact centers, and physical locations through unified architecture.

Regulatory Convergence Demands Step-Up

Multiple regulatory frameworks are converging around the same requirement: organizations must verify identity proportionally to risk with demonstrable institutional control.

Instant payment regulations like PSDIII illustrate the speed challenge. When transactions settle in 10 seconds, traditional fraud detection windows disappear. Facial recognition provides immediate identity confirmation that scales to payment velocity—the only authentication factor capable of verifying the actual account holder before irreversible settlement occurs.

Privacy frameworks like BIPA and GDPR demand demonstrable control over biometric data handling and user consent. Server-side architectures allow organizations to implement proper consent mechanisms, enforce storage limits, and execute deletion protocols when required. Device biometrics outsource these privacy obligations to manufacturers with no institutional oversight, creating compliance gaps that auditors increasingly flag.

Age verification mandates for online safety require risk-proportional approaches. Organizations can deploy lightweight checks for routine access while triggering facial verification for age-restricted content or transactions. This balances privacy concerns (minimal data collection for low-risk interactions) with safety requirements (strong verification when it matters).

Fraud prevention standards are evolving rapidly as deepfake technology proliferates. Regulators increasingly expect organizations to prove they verified users through demonstrable liveness detection rather than simply checking that a device unlocked successfully. PAD certification provides auditable evidence that verification systems can detect synthetic media and presentation attacks.

Compliance isn’t just a legal obligation—it reflects customer expectations. Users understand that certain transactions warrant additional verification, and they expect organizations to implement appropriate safeguards.

The Friction Paradox

Organizations often assume customers want authentication to be invisible. An Australian bank discovered otherwise. The bank's team developed a payment journey so seamless that customers felt unsafe. Users abandoned transactions not because the process was difficult, but because it felt insufficiently protected. The absence of visible security measures registered as negligence rather than convenience.

Strategic friction builds trust when deployed at moments that matter. Confirmation prompts before large transfers (“Are you sure? Would you like to reconfirm?”) demonstrate that protection is active. Step-up authentication at genuine risk points signals that the organization takes security seriously. Customers expect and appreciate verification when circumstances warrant it.

Transparency is a critical factor. Organizations should explain why step-up occurs: “We noticed this payment is larger than usual and going to a new recipient. Let’s confirm that it’s really you.” This messaging frames friction as responsive protection rather than arbitrary obstruction. When customers understand the logic behind additional verification, they recognize it as safeguarding their interests rather than creating unnecessary barriers.

Frontloading verification solves the long-term friction problem. Strong initial enrollment combining biometrics with document validation establishes multi-factor authentication from day one. A single robust verification during enrollment unlocks frictionless access for subsequent interactions. NIST guidance reinforces this approach, recommending organizations bind multiple authenticators during enrollment to minimize account recovery needs while maintaining security throughout the customer relationship.

Rethinking Authentication Architecture

Facial recognition securing international borders at Orlando International Airport signals mainstream acceptance of biometric verification for high-stakes operations. The technology clearing passengers onto international flights demonstrates what’s possible when organizations prioritize identity assurance over convenience alone.

Organizations must move beyond device-based authentication for high-risk transactions, implementing risk-proportional security that scales with transaction value and sensitivity. This requires establishing institutional control over biometric verification rather than outsourcing authentication standards to device manufacturers. Systems should be designed so that strong enrollment enables frictionless ongoing access while maintaining the ability to trigger step-up verification when circumstances demand elevated assurance.

Step-up authentication functions as one critical layer in defense-in-depth strategies. No single authentication method provides complete security. Effective architecture combines server-side biometrics with device-specific factors, behavioral analysis, and transaction monitoring. Organizations need multiple verification methods working together, with step-up providing the elevated assurance that certain operations require.

Security leaders face a straightforward choice: continue treating device biometrics as sufficient for all transactions, or architect authentication systems that verify identity proportionally to actual risk. As threats evolve and regulations tighten, step-up authentication is shifting from a competitive advantage to a baseline requirement.