TL;DR: On-device identity verification keeps biometric analysis local so no face image or identity document leaves the user’s device, while server-side checks still inspect non-PII signals for liveness and tamper detection, according to Incode. That shifts privacy from policy language to architecture and raises the bar for age assurance, fraud resistance, and data minimisation.
NHIMG editorial — based on content published by Incode: On-Device Processing: The Next Step in Privacy Architecture
By the numbers:
- As of 2024, third-party dependencies are responsible for more than one-third of all data breaches.
- 63% of consumers have serious concerns about providing biometric information, despite two-thirds agreeing that biometrics reduce identity-related crimes.
- 92% of users complete the age check on the first try, with no document upload, no retry loop, and no escalation to a manual review queue.
Questions worth separating out
Q: How should security teams reduce biometric exposure in identity verification flows?
A: Security teams should minimise the movement of biometric data first, then harden whatever processing remains.
Q: Why does on-device processing matter for identity governance and privacy?
A: It matters because privacy becomes a property of the architecture instead of a promise about how a server will handle sensitive data.
Q: What do security teams get wrong about biometric verification risk?
A: They often focus on whether the vendor can process the check accurately and overlook where the biometric data exists during the flow.
Practitioner guidance
- Map biometric data flows end to end Document where the image, template, and verification result exist in on-device and server-side IDV flows, then remove any step that centralises raw biometric data without a control need.
- Separate inference from integrity telemetry Keep device metadata, behavioural context, and session fingerprints distinct from the biometric input so you can govern each data class with the right retention, privacy, and fraud controls.
- Re-test age assurance and IDV controls for privacy minimisation Review whether your age checks and identity verification journeys can validate users without sending images or documents to central infrastructure, and measure the residual data custody that remains.
What's in the full article
Incode's full article covers the operational detail this post intentionally leaves for the source:
- The end-to-end on-device age estimation flow, including how the selfie is captured and processed locally.
- The specific spoofing and tamper signals the architecture checks, such as deepfakes, replay attempts, and virtual cameras.
- The rationale for the 92% first-try completion rate and how the user journey avoids document upload and manual review.
- The vendor's privacy architecture investment priorities, including cryptographic R&D and scale considerations.
👉 Read Incode's analysis of on-device identity verification and age estimation →
On-device identity verification: what it changes for privacy and IAM teams?
Explore further
Privacy-first identity verification is becoming an architecture problem, not a policy problem. Once biometric data leaves the device, the organisation inherits transit risk, storage risk, and third-party custody risk. On-device processing narrows the exposure surface because the raw identity artefact never enters the server estate. For identity programmes, this is a governance shift from evidence handling to evidence avoidance, and that is a materially different control objective.
A question worth separating out:
Q: Who is accountable when biometric identity data is exposed in verification workflows?
A: Accountability sits with the organisation that decided to collect and process the biometric data, even if a third party performs the verification. Privacy regulations and security frameworks both expect data minimisation, controlled processing, and clear ownership of the risk. If the architecture is avoidable, the exposure is usually avoidable too.
👉 Read our full editorial: On-device identity verification changes the privacy model for IDV