By Siddharth Gandhi, COO Asia-Pacific, 1Kosmos
Let’s face it—banking has changed.
Remember the days when you’d walk into a bank branch, wait in line, and hand over a stack of paperwork just to open an account? Those days are long gone. Now, almost everything happens online, from depositing checks to managing investments, and it’s all just a click away. It’s a dream come true for consumers but also a golden opportunity for hackers and fraudsters. Think about it—your entire financial life is just a password and a one-time code away. Feeling safe?
You probably shouldn’t. Most of our online banking security depends on ‘trusting blindly.’ We assume that if someone logs in with the right password and MFA code, they must be the rightful account owner. But what if we’re wrong? What if hackers have found yet another clever way to sneak past our defenses? This is where Identity and Access Management (IAM) steps in as the game-changer. It’s time to stop relying on outdated security methods and start focusing on identity—proving that the person trying to access your bank account is really you, not some cyber crook. And banks are finally catching on.
So, What Exactly is IAM?
The term ‘IAM’ emerged in the early 2000s as businesses and organisations grappled with the challenges of securely managing digital identities in an increasingly online world. While it’s hard to pin down exactly who coined the term, IAM is generally attributed to the collective evolution of the information security industry. Tech giants like Microsoft, IBM, and Oracle were among the first to explore IAM as they sought to develop systems that could verify users’ identities and manage their access to networks and sensitive data. So, what does IAM really mean today? It’s a lot more than just passwords or multi-factor authentication (MFA). Early on, IAM started as a way to handle who gets access to what within an organisation. It was about defining roles, assigning permissions, and ensuring that only authorised users could access certain data. However, as technology evolved, IAM expanded
beyond simply managing user access. In the beginning, access control was relatively straightforward. If you had the right password, you got in. But with the advent of web-based applications, mobile banking, IAM today leverages advanced technologies like biometrics (fingerprints, face recognition), blockchain, and cryptographic key pairs to create a secure digital identity. It’s an entire framework designed to verify you—not just the device you’re using or the code you enter. IAM has shifted from being a ‘set it and forget it’ security measure to becoming a continuous process
of verification. Around 2013, when Apple introduced Touch ID, the idea of using biometrics for security began to catch on. Biometric authentication brought a new layer of ergonomic improvement, but it wasn’t perfect. Without the proper identity backing the biometric data, we were still left asking, ‘Whose biometric is it?’ and ‘Is this really the person we think it is?’ It was a step forward, but not the complete answer.
Why Banking and Finance Desperately Need IAM
Banks handle your life savings, your mortgage, your investments—the stakes are sky-high. But they’re also a prime target for cybercriminals. In 2023, identity fraud had a significant impact on financial services and personal finances.
Americans experienced a massive loss of $43 billion due to identity fraud, with traditional forms of identity fraud affecting around 15 million people. This marked a 13% increase in total losses compared to the previous year.
The growing losses indicate that cybercriminals are targeting larger payouts once they gain unauthorised access to accounts. Identity theft, data breaches, and account takeover fraud were some of the primary methods employed by hackers to steal sensitive information and commit fraud. Account takeover fraud alone resulted in nearly $13 billion in losses in 2023, up from $11 billion in 2022, highlighting the growing threat to financial services security .
Traditional security methods rely heavily on customers to keep their accounts safe. Choose a strong password. Don’t reuse it. Don’t click on that suspicious link. It’s a lot to ask, and let’s be real—most of us are human and make mistakes. This is where industry leaders flip the script; we match live biometrics with government documents. This allows companies to truly know who’s behind the device while creating a seamless experience for end users.
Biometrics like fingerprint and facial recognition are not only more secure than passwords but also more convenient for users. This technology confirms your identity every time you access your accounts, ensuring that no unauthorised person can use stolen credentials to log in. By shifting the focus from ‘what you know’ (passwords) to ‘who you are’ (biometrics), banks add an extra layer of security that is difficult for cybercriminals to bypass.
Modern IAM systems employ ‘privacy by design’ principles, utilising blockchain and cryptographic key pairs to create self-sovereign identities. This decentralised approach means that users control their credentials, which are securely stored on a blockchain. This way, banks no longer have to maintain vast centralised databases vulnerable to hacks. When a customer logs in, the IAM system verifies their identity through cryptographic proof without ever exposing
their sensitive information. Adaptive authentication adjusts the security measures based on the risk level of each login attempt. For instance, if you’re logging in from your usual device and location, the system allows seamless access. However, if an attempt is made from an unfamiliar device or location, the IAM solution requires additional verification steps, such as a biometric scan or one-time passcode. Traditional security models operate on the assumption that once someone is inside the network, they are trustworthy. Modern IAM solutions challenge this with a ‘Zero Trust’ model, meaning no one is trusted by default—not even internal employees. Every access request is verified, and permissions are strictly managed based on the user’s role and responsibilities. This drastically reduces the risk of insider threats and unauthorised access.
