Moving beyond OTPs: How Indian BFSIs are ensuring compliance and trust

The most significant security incidents within a financial institution rarely begin with a blaring siren. They start with a quiet anomaly—an odd pattern discovered during a routine log analysis, a single privileged credential appearing on a dark web forum, or a trusted third-party vendor unknowingly providing an entry point.

It’s the unsettling realisation that your perimeter was breached weeks or even months ago, and an intruder has been moving silently within your walls. This is the modern reality of enterprise security—a scenario where the simple combination of a password and an OTP has proven to be a fragile defence against a patient and determined adversary.

A crisis of access; a question of resilience

The narrative of security has shifted. While external fraud makes headlines, the financial and reputational damage from an internal breach can be catastrophic. The financial toll of such an incident is severe, with the average cost of a single data breach in India now representing a staggering, multi-crore liability. This isn't a hypothetical figure; it is the real cost of operational disruption, regulatory fines, and forensic investigation when a malicious actor—or simply a compromised employee—gains access to core banking systems, customer data repositories, or cloud infrastructure.

In this new reality, an employee’s password—even when paired with a simple OTP—is no longer a robust defence; it is a liability waiting to be exploited through sophisticated phishing or social engineering.

Beyond compliance: The mandate for zero trust

The Reserve Bank of India's push for more robust, risk-based authentication mechanisms is not just about customer-facing transactions; its principles apply with even greater urgency to internal corporate governance.

Securing a hybrid workforce of employees and third-party vendors requires a fundamental shift from the old model of trust-by-default to a "Zero Trust" architecture. This is where biometrics—something a user is—becomes a game-changer for internal security.

An employee authenticating their access to a critical application with a facial scan or fingerprint provides a far stronger, non-transferable proof of identity than a code that can be stolen or a token that can be lost.

Securing the user, not just the device

For our internal teams, security has often meant friction—multiple passwords, cumbersome tokens, and frustrating lockouts. This friction not only hinders productivity but also tempts employees into insecure workarounds.

Biometric authentication flips this paradigm by offering a seamless, near-instantaneous access experience that is more secure and less intrusive. Imagine a developer accessing a sensitive cloud console or a wealth manager logging into their portfolio system with a simple, secure facial scan. This isn't just about convenience; it is about building a security culture that is rigorous and efficient—a fact underscored by data showing an overwhelming user preference for biometrics over traditional passwords.

Anticipating the next frontier: The insider deepfake threat

As we fortify our internal access points with biometrics, adversaries are already preparing their next move—the weaponisation of AI and deepfakes against our people.

Consider a scenario where a deepfake video of a CFO is used in a video call to authorise a fraudulent transfer, or an AI-generated voice of an IT administrator is used to convince a junior employee to grant system privileges. This is the next frontier of corporate espionage and insider threats.

Our security posture must, therefore, evolve beyond simple authentication. We need to integrate "liveness" detection—the capability to verify that the biometric presented belongs to a real, live human being in that very moment.

This ensures the person accessing your core banking system is not just the right person, but a real person—here and now. It is a critical defence against the looming threat of AI-driven identity fraud targeting our most trusted employees.

Forging a new contract of digital resilience

This evolution beyond OTPs for internal and third-party users is not merely a technological upgrade; it is a new contract of digital resilience with our board and our regulators. It’s an acknowledgement that in a world with a vanishing perimeter, our security must be anchored to the one constant: human identity.

By deploying strong biometric authentication fortified with deepfake detection, we are not only meeting the stringent data privacy mandates of the Digital Personal Data Protection Act for our employees. We are making a strategic statement about securing our institution from the inside out, protecting our most critical assets by verifying the identity of every user, every single time.

Vijender Yadav is the Founder and CEO of Accops.