The YEO CFR SDK — Adding Presence Verification to Your Regulated Application

May 18, 2026

If you're building a platform for a regulated industry, identity verification is not a feature you add at the end of the project. It is a foundational requirement, one that shapes architecture decisions, audit capability, and ultimately your product's regulatory posture from the ground up.

The problem most development teams run into is that the tools available for identity verification were built for a specific, narrow problem: verify the user at login. Check the box. Move on.

That is not the same problem that regulated industries have.

In financial services, defence, law enforcement, and other high-accountability sectors, the question isn't just whether the right person authenticated. The question is whether the right person is still present, right now, in this session, for this communication or decision.

That distinction is the gap the YEO CFR SDK is designed to close.

What the CFR SDK Is

The YEO Continuous Facial Recognition (CFR) SDK is a developer toolkit that enables any application to perform continuous, passive, on-device identity verification throughout a user's session — not just at the point of login.

It is designed to integrate into existing regulated applications across industries including:

  • Financial services — trading platforms, wealth management tools, secure banking communications

  • Defence and government — operational communications, classified briefing platforms, secure command-and-control interfaces

  • Law enforcement — evidence management systems, inter-agency communications, body-worn technology

  • Social media and adult content platforms — age verification, identity assurance, session-level accountability

The SDK handles the biometric layer. Your application retains full control of the session logic, policy enforcement, and audit output.

What Presence Verification Actually Means

Most identity verification tools operate on a single, point-in-time model: the user proves who they are, and the system accepts that proof for the duration of the session.

This model has a name in legacy security architecture: "verify once, trust thereafter." It is the exact model that Zero Trust frameworks replaced at the network level. It remains the unchallenged default at the application layer.

Presence verification is different. Rather than asking "did this person authenticate?" once, it asks "is this person still present?" continuously — at intervals throughout the session, passively, without interrupting the user's workflow.

The CFR SDK does this using on-device facial recognition with liveness detection. The biometric processing occurs locally on the device. No biometric data is transmitted to or stored on YEO's servers. Verification is continuous and passive — the user experiences no challenge prompts, no re-authentication flows, no friction.

If presence cannot be confirmed — because the user has left the device, or a different person is now in front of it — the application receives a signal and can act on it according to your defined policy. That might mean locking the session, triggering an alert, or logging the event for audit purposes.

Why This Changes the Risk Profile of Your Product

The regulatory risk in most enterprise applications doesn't come from login. It comes from what happens after login.

An authenticated session on an unattended device. A shared terminal in an operational environment. An employee under duress, coerced into performing an action within a legitimate session. A session inherited by an attacker who gained physical access to a device.

None of these scenarios represent a failure of the initial authentication check. All of them represent a failure of session-level identity assurance — and all of them carry regulatory, legal, or operational consequences that the application developer is ultimately responsible for.

The CFR SDK changes this by making session-level presence a verifiable, auditable fact rather than an assumption.

For regulated industries, this has three specific implications:

Accountability. Under frameworks like SMCR in the UK, senior managers are personally accountable for decisions made within their remit. That accountability only holds if you can demonstrate who was present when the decision was made. An audit trail that shows access, but not presence, does not meet that bar. The CFR SDK produces a continuous session-level identity record that does.

Compliance posture. Regulators in financial services, healthcare, and government are increasingly scrutinising the application layer — not just the network perimeter. The CBUAE's Notice 2058, prohibiting consumer messaging platforms for financial institution use, identified session-layer risks explicitly. Integrating the CFR SDK positions your product on the right side of that scrutiny.

Enterprise sales. For product teams selling into regulated organisations, the ability to demonstrate continuous identity assurance is increasingly a procurement requirement rather than a differentiator. The CFR SDK gives your product a capability that most competing platforms cannot offer.

Integration

The CFR SDK is designed for integration into existing applications with minimal architectural change.

It operates as a standalone biometric layer that sits alongside your existing session management and authentication infrastructure. It does not replace your login flow. It extends it — adding session-level presence verification as a continuous service that runs in the background of any active session.

Key integration characteristics:

  • On-device processing — biometric computation runs locally; no raw biometric data leaves the device

  • Passive operation — no UX disruption; verification runs continuously without user interaction

  • Policy-agnostic output — the SDK signals presence state; your application defines the policy response

  • Audit-ready logging — session-level identity assurance records are produced automatically for compliance and audit purposes

  • Cross-platform — available for integration across mobile and desktop environments

The SDK is currently available for integration across financial services, defence, law enforcement, social media, and adult content platforms, with cross-industry interest actively supported.

FIDO2 Accreditation

YEO has initiated the process for FIDO2 industry accreditation on the CFR SDK. FIDO2 is the global standard for strong authentication, and accreditation against it carries significant weight in enterprise procurement processes, particularly in regulated sectors where third-party validation of security claims is increasingly required.

Accreditation, when achieved, will provide independent verification of the SDK's compliance with internationally recognised authentication standards, supporting enterprise adoption and reducing procurement friction for organisations with formal security accreditation requirements.

The Developer Case

The argument for continuous presence verification is not primarily a compliance argument. It is a product argument.

If you are building a platform for regulated industries, you are competing on trust. Your product's value proposition is that sensitive communications, decisions, and data are handled with a level of assurance that the alternatives cannot offer.

Most platforms stop that assurance at the login screen. The CFR SDK extends it through every session, every communication, every action taken within your application.

That is a different class of product, and in markets where accountability is not optional, it is increasingly the class of product that procurement teams are looking for.

Get Started

The YEO CFR SDK is available for integration today. To discuss your use case, request technical documentation, or arrange a developer briefing, contact us at christo@yeomessaging.com or visit yeomessaging.com.
