
How Server-Side Biometrics Are Reshaping Digital Banking

Modern financial services place your customers perpetually at the intersection between convenience and risk. Each day, millions log into their financial apps with a casual swipe or tap, moving money and making decisions that required an in-person bank branch visit just a decade ago. Beneath this veneer of simplicity lies an elaborate framework of security protocols, carefully calibrated risk assessments, and invisible guardrails—all designed to protect customers from threats they’d rather not contemplate over their morning coffee.

The paradox facing financial services companies today is both philosophical and practical: How do you make something simultaneously more secure and more frictionless? Conventional wisdom suggests these goals exist in opposition—that every additional layer of security comes at the cost of user experience, and every simplification creates new vulnerabilities. This zero-sum thinking has led to a banking landscape filled with frustrating compromises—rigid transaction limits, cumbersome authentication processes, and complex escalation measures that create an illusion of security while inconveniencing legitimate customers and simply redirecting determined fraudsters.

Server-side biometrics, particularly facial authentication, has emerged as an innovative and easy-to-use solution to this conundrum. By moving beyond device-based security to authenticate the individual rather than their hardware, this technology is enabling a fundamental recalibration of what’s possible in digital banking. The results speak volumes: NatWest Bank recently increased its online transaction limit from £4,000 to £100,000 after implementing server-side facial biometrics—a staggering 2,400% increase—without experiencing a corresponding rise in fraud.

This new approach isn’t just about higher limits. It represents a philosophical shift in how financial services companies address customer empowerment. By anchoring security to unique biological identifiers rather than knowledge factors (e.g., passwords or PINs) or possession factors (e.g., smartphones, USB keys, or OTPs) that can be compromised, stolen, or forgotten, banks can finally deliver on the dual promise of enhanced protection and expanded capabilities. Even recent innovations like passkeys fall short of this ideal: despite utilizing biometrics, passkeys remain outside organizational control, so they may not be suitable for higher-risk banking scenarios. The future of digital financial services lies not in asking customers to choose between security and convenience, but in technologies that seamlessly deliver both.

The Customer Experience Challenge

Anyone who has attempted a large money transfer while traveling abroad knows the special frustration that comes with being locked out of your own money. It usually unfolds like this: You attempt the transaction, receive a cryptic error message about exceeding limits, and then navigate a labyrinthine process involving separate devices, one-time passwords sent to phones that might not have service, or, perhaps worse, the dreaded card reader or USB key that inevitably remains at home.

These friction points represent the visible symptoms of an invisible struggle within financial institutions between security departments and customer experience teams. The resulting compromises manifest in ways both large and small:

Transaction limits that feel arbitrary and inflexible—£1,000 here, €5,000 there—calibrated not to a customer’s financial needs but to the institution’s risk tolerance. A customer who needs to make a down payment on a house or purchase a vehicle finds themselves unexpectedly constrained, forced into multiple transactions or branch visits.

The “new payee problem” is another vexing concern faced by financial institutions. Banks, understandably cautious about misdirected funds or authorized push payment fraud, implement waiting periods or verification procedures that can delay time-sensitive payments. Exasperation compounds when these procedures vary across channels, since what’s possible on a laptop might be impossible on a smartphone.

What financial institutions need isn’t another security patch or isolated feature enhancement. They need authentication systems that scale with risk while remaining consistent across devices and accessible to all customers. Most importantly, they need solutions that authenticate the individual, not just the device or channel through which a transaction is initiated. This is the gap that server-side biometrics has emerged to fill.

A Question of Control: Server-based vs. Device-based Biometrics

Most smartphone users have grown accustomed to the convenience of unlocking their devices with a glance or a fingerprint. Device-based biometric systems have undoubtedly streamlined daily digital interactions for millions of users, but they harbor a fundamental limitation that is problematic for high-stakes financial transactions: they authenticate the device, not the person.

This distinction matters. When a financial institution relies on device-based biometrics—whether Apple’s Face ID, Android’s facial recognition, or any fingerprint system—they effectively outsource their security architecture to device manufacturers. The bank doesn’t control the enrollment process, doesn’t manage the biometric templates, and crucially, cannot calibrate the threshold that determines whether a match is sufficient. They cede control to Apple, Google, or Samsung, who design these systems for general usability rather than financial-grade security.

Device-based biometrics function primarily as a proxy for identity, confirming only that the person attempting a transaction has access to a previously authenticated device. While this provides a meaningful security layer, it falls short of actually verifying the specific account holder’s presence. This fundamental limitation creates a critical distinction between device possession and a confirmed identity.

Server-side biometrics invert this relationship, putting financial institutions back in control. When biometric templates reside in an environment controlled and secured by the bank rather than individual devices, authentication becomes device-agnostic. The same facial or voice authentication works whether the customer is on their primary phone, a new tablet, a borrowed laptop, or a public kiosk. This universal availability enables truly cross-channel experiences where security follows the customer rather than being tethered to specific hardware.

A significant advantage of server-side biometrics is that it allows financial institutions to calibrate authentication thresholds according to risk models they develop internally. A routine balance check might require a lower confidence threshold than a large international wire transfer. This granular control allows for security that scales with transaction risk rather than applying blunt, one-size-fits-all limitations.
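
As an added illustration (not Daon's code and not part of the original article), the following Python example shows how an institution that holds its own match scores could derive a separate threshold per risk tier from a target false accept rate, and what each threshold costs in false rejects. The score distributions, tier names and target rates are constructed assumptions.

```python
import random

def make_scores(seed=7, n=20000):
    """Constructed sample data: similarity scores in [0, 1] from a hypothetical matcher."""
    rng = random.Random(seed)
    clip = lambda x: min(1.0, max(0.0, x))
    genuine = [clip(rng.gauss(0.80, 0.08)) for _ in range(n)]   # same person
    impostor = [clip(rng.gauss(0.30, 0.10)) for _ in range(n)]  # different person
    return genuine, impostor

# Assumed policy: tolerated false accepts per tier, written as "1 in N" impostor attempts.
TIER_FAR_ONE_IN = {
    "balance_check": 100,
    "new_payee": 1000,
    "high_value_transfer": 10000,
}

def threshold_for_far(impostor, one_in):
    """Return t such that at most 1 in `one_in` impostor scores lie strictly above t."""
    ranked = sorted(impostor, reverse=True)
    allowed = len(ranked) // one_in  # number of impostor scores permitted to pass
    return ranked[allowed]

def rate_above(scores, t):
    """Fraction of scores that would be accepted at threshold t."""
    return sum(s > t for s in scores) / len(scores)

def calibrate(genuine, impostor):
    """Build the per-tier threshold table with measured FAR and FRR."""
    table = {}
    for tier, one_in in TIER_FAR_ONE_IN.items():
        t = threshold_for_far(impostor, one_in)
        table[tier] = {
            "threshold": t,
            "far": rate_above(impostor, t),        # impostors accepted
            "frr": 1.0 - rate_above(genuine, t),   # genuine users rejected
        }
    return table

GENUINE, IMPOSTOR = make_scores()
POLICY = calibrate(GENUINE, IMPOSTOR)

def decide(score, live, tier):
    """Deny on failed liveness; otherwise compare the score to the tier's threshold."""
    if not live:
        return "deny"
    return "approve" if score > POLICY[tier]["threshold"] else "deny"

if __name__ == "__main__":
    for tier, row in POLICY.items():
        print(f"{tier:20s} t={row['threshold']:.3f} "
              f"FAR={row['far']:.5f} FRR={row['frr']:.5f}")
```

On this constructed data the strictest tier also rejects the most genuine attempts, which is the reason to reserve it for high-risk actions rather than apply it to every login.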

The higher assurance levels provided by server-side biometrics ultimately enable expanded service offerings that would be ill-advised under device-based authentication: instant approval for new payees, dramatically higher transaction limits, and streamlined processes for high-value services that would otherwise require branch visits.

Behind xFace: Security Without Sacrificing Customer Experience

Unlike facial recognition optimized for convenience, Daon’s facial biometric authentication solution xFace is built specifically for high-security financial transactions where false positives pose significant risks.

The technology works through a deceptively simple user interface that masks considerable computational complexity. When a customer initiates a protected transaction, they’re prompted to capture a selfie. This image is instantly analyzed by proprietary algorithms that perform two critical functions concurrently: they verify the customer’s identity by comparing against stored biometric templates while also ensuring the image represents a live, physically present person rather than a photo, video, or deepfake.

This second function—liveness detection—represents one of xFace’s critical security dimensions. The system incorporates advanced presentation attack detection capable of identifying photos, masks, and digital displays, along with injection attack prevention that guards against digitally manipulated images inserted into the data stream. These capabilities have been tested against the rigorous ISO 30107-3 standard, achieving certification for levels 1 and 2 compliance from iBeta, an independent security testing laboratory. Complementing this comprehensive liveness detection, xFace’s AI-powered biometrics matching engine has been NIST-tested for accuracy via the Face Recognition Vendor Test (FRVT) for both one-to-one verification and one-to-many identification scenarios, ensuring advanced security validation across all system components.

What distinguishes xFace from many biometric systems is its flexibility in deployment. While the biometric matching occurs server-side, organizations can choose between SaaS, managed hosting by Daon, or self-managed deployment (in their own cloud environment or on-premises) depending on their regulatory requirements and security architecture. The system processes hundreds of authentications per second, making it suitable for even the largest financial institutions with millions of customers.

The powerful technology behind xFace means that users never notice it working in the background. A complex security apparatus manifests to customers as nothing more than a simple selfie—familiar, frictionless, and fast—while providing the resilient security infrastructure that enables financial institutions to fundamentally reconsider their digital service limitations.

Responsible Deployment: Implementation and Privacy Considerations

Introducing biometric technology within financial services raises legitimate questions about privacy, data security, and customer choice. These concerns are particularly acute in regions with robust data protection frameworks like the European Union’s General Data Protection Regulation (GDPR), which explicitly categorizes biometric data as sensitive personal information requiring special protections. A responsible implementation must therefore balance security benefits with stringent privacy safeguards.

xFace approaches this challenge through a fundamental principle: customer consent. The system operates on an opt-in model, giving customers explicit choice in whether to participate. This consent-first approach aligns with both regulatory requirements and ethical considerations about biometric technology deployment.

For new customers, enrollment can be streamlined by leveraging the selfie already captured during know-your-customer (KYC) verification processes. This approach repurposes an existing step rather than creating additional friction. For existing customers, enrollment typically occurs at strategic moments of high motivation—most commonly during a payment journey when the enhanced capabilities provide immediate, tangible benefits. Alternatively, banks can offer enrollment with secure pre-authentication using existing methods, or through identity verification services that validate government-issued identification documents.

The data architecture behind xFace minimizes privacy risks through several technical measures. The system stores only the essential elements needed for authentication: an anonymous identification number and the biometric face template. These templates consist of mathematical data points that cannot be reverse-engineered to recreate an image of the person’s face or used for other forms of authentication. All sensitive data is encrypted using advanced cryptographic methods, creating multiple layers of protection against potential breaches.

Real-World Success Stories: Elevating Digital Banking

The true measure of biometric authentication’s effectiveness lies in real-world outcomes—improved customer experiences, more service offerings, and favorable fraud prevention metrics.

NatWest Bank’s implementation of xFace represents one of the most dramatic examples of enhanced customer empowerment in digital banking. Prior to adopting xFace, the bank limited mobile payment transactions to £4,000—a ceiling common among financial institutions balancing convenience with fraud risk. After deploying server-side facial biometrics, NatWest confidently raised this limit to £100,000, a staggering 2,400% increase.

For customers purchasing property, making business investments, or managing other substantial financial transactions, this elevation removed the need to visit local branches or use separate banking channels for high-value transfers. Customers could complete important financial activities entirely within the preferred mobile experience.

Most remarkably, this dramatic increase in transaction limits did not correspond with an increase in fraud rates—demonstrating that properly deployed biometrics can expand capabilities while optimizing security. Customer satisfaction metrics reflected this improvement, with numerous five-star app reviews specifically mentioning the streamlined process for completing transactions.

The removal of barriers extended beyond just payment limits. NatWest also simplified the process for paying someone new—historically a friction point in mobile banking due to fraud concerns. By incorporating biometric verification at this critical juncture, the bank maintained security while eliminating unnecessary steps in the customer journey. xFace also significantly streamlined account recovery processes, eliminating the frustrating traditional methods of branch visits or lengthy call center verifications. Customers locked out of their accounts were able to regain access through facial verification, reducing recovery time from days to minutes while maintaining rigorous security standards.

Allied Irish Bank (AIB) provides another compelling case study with different yet equally impressive metrics. After adopting xFace, AIB increased their payment limits from €1,000 to €10,000 without experiencing increased fraud.

What distinguishes both xFace implementations is the rapid user adoption they achieved. Unlike many security enhancements that face user resistance, many banks experience linear growth in opt-in rates as customers recognize the dual benefits of increased convenience and enhanced security.

The success of xFace implementations reveals an important insight about digital banking: when security enhances rather than constrains customer capabilities, it transforms from a necessary burden into a competitive advantage. Customers don’t inherently resist security measures—they resist limitations. By deploying biometrics that expand rather than restrict what customers can accomplish digitally, these institutions have fundamentally changed the relationship between security and service.

xFace: Core Capabilities and Advantages

The transformative impact of xFace in real-world banking environments stems from its technical architecture—a system designed with both security and user experience as first principles rather than competing objectives. Central to this architecture is a comprehensive rules engine that gives financial institutions full control over authentication parameters, allowing them to calibrate security thresholds according to transaction risk, customer profiles, or other contextual factors. This fine-tuned control enables institutions to strike the optimal balance between security rigor and user convenience—tightening requirements for high-risk activities while streamlining routine transactions.

Recovery and device management represent another area where server-side biometrics demonstrate clear advantages over device-based alternatives. When authentication is anchored to the individual rather than their device, recovery processes become straightforward. Customers who lose phones or upgrade to new devices can seamlessly authenticate themselves through their biometric identifiers, eliminating complex recovery procedures and reducing operational overhead for customer service teams.

xVoice: Enhancing Authentication Through Voice Biometrics

The security adage that “authentication should rely on something you know, something you have, and something you are” represents a fundamental principle in digital identity verification. xFace addresses the “something you are” component through facial biometrics, but its integration into comprehensive authentication frameworks demonstrates how biometrics complement rather than replace other security factors.

In most implementations, xFace works alongside device-specific factors like private device keys, creating multi-layered security that satisfies regulatory requirements while remaining largely invisible to users. This approach leverages the strengths of both possession factors (the authenticated device) and inherent factors (the biometric) while mitigating the vulnerabilities of each approach in isolation.

A key strength within the Daon suite of solutions is the voice biometrics offered by xVoice, which create “a winning combination” when paired with facial recognition. Voice biometrics serve multiple functions in this pairing: they provide a secondary biometric verification channel, create an additional layer of liveness detection, and crucially, offer an alternative authentication path for accessibility.

While facial recognition delivers exceptional security and convenience for most users, certain customer segments—including those with visual impairments or certain physical disabilities—may find voice authentication more accessible. By incorporating both modalities, financial institutions ensure that enhanced security and convenience extend to their entire customer base rather than creating new forms of digital exclusion.

Reclaiming Control of the Authentication Experience

For banking executives and security officers navigating the complex terrain of digital authentication, the evidence from early adopters provides clear direction: taking control of the authentication experience rather than delegating it to device manufacturers creates both security and competitive advantages. When institutions can calibrate security thresholds, determine appropriate risk tolerances, and design customer journeys around their specific needs rather than generic device capabilities, they create experiences that distinguish them in crowded markets.

The future of server-side biometrics promises even greater capabilities as artificial intelligence continues advancing presentation attack detection, matching algorithms become increasingly accurate across diverse populations, and integration platforms streamline implementation across channels. Financial institutions that establish biometric foundations today position themselves to leverage these advances as they emerge, creating sustainable advantages in both security posture and customer experience.

In a digital banking landscape where differentiation grows increasingly difficult, facial authentication has emerged as a legitimate competitive advantage. The institutions that recognize this opportunity—that see security not only as loss prevention but as experience enablement—will define the next generation of digital financial services. The technology exists today, and the question is which institutions will seize its full potential.