Subhalakshmi Ganapathy, Chief IT Security Evangelist at ManageEngine

ManageEngine exec says OTP no longer enough for digital banking


As cyber threats continue to evolve alongside the growth of digital banking, traditional one-time passwords (OTPs) are no longer sufficient to secure financial transactions, according to a cybersecurity expert from ManageEngine.

In an exclusive interview with FintechNewsPH, Subhalakshmi Ganapathy, Chief IT Security Evangelist at ManageEngine, said that while OTPs were once considered a strong second layer of protection, changes in the threat landscape have significantly reduced their effectiveness.

“OTPs are not as secure as they were once thought to be,” Ganapathy said, citing the rise of SIM swapping, phishing, and social engineering attacks that enable attackers to intercept or obtain authentication codes.

From system breaches to identity-based attacks

Cyberattacks have shifted from exploiting system vulnerabilities to targeting user identities, making traditional authentication methods less effective.

Ganapathy noted that attackers today are focused on obtaining credentials rather than breaking into systems through technical weaknesses.

“The threat targeting credentials or identities is now at the top,” she said. “It is going to be just logging in.”

This shift reflects a broader change in how digital systems are accessed, particularly as cloud adoption and remote work reduce reliance on traditional network perimeters.

With identities now acting as the primary gateway to systems, security strategies are increasingly focused on verifying users rather than solely protecting infrastructure.

Why OTP alone is no longer sufficient

OTPs were introduced to strengthen security beyond usernames and passwords, particularly as mobile device usage expanded. However, the same technological advancements have also enabled new forms of attack.

[Image: OTP in Digital Banking. Image credit: Freepik]

Ganapathy explained that cybercriminals now use techniques such as SIM swapping and phishing campaigns to bypass OTP-based authentication.

“Adversaries are now intercepting OTPs or sending out phishing scams to obtain them,” she said.

While OTPs may still be used in lower-risk scenarios such as deliveries or basic verification, they are less reliable when used as the primary safeguard for financial transactions.

The move toward adaptive and identity-based security

To address these challenges, financial institutions are beginning to adopt more advanced authentication models that rely on user behavior and contextual signals.

Ganapathy pointed to adaptive authentication as a key approach, where additional verification is triggered only when unusual activity is detected.

“If I try to access from a different device or location, that is where the additional layer comes in,” she said.

This allows systems to respond dynamically to potential risks without introducing unnecessary friction for users during routine transactions.
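The adaptive authentication flow described above, as an added example that is not from the interview or from ManageEngine: extra verification is requested only when the device or location differs from the user's verified history. The class and function names, the country-level location signal and the sample events are assumptions made for illustration.

```python
class AdaptiveAuth:
    """Hypothetical step-up engine keyed on device and country (assumed signals)."""

    def __init__(self):
        self.seen = {}  # user -> {"devices": set, "countries": set}, verified logins only

    def evaluate(self, user, device_id, country):
        """Decide "allow" or "step_up" for a login whose password was correct."""
        base = self.seen.get(user)
        if base is None:
            return "step_up", ["no_baseline"]
        reasons = []
        if device_id not in base["devices"]:
            reasons.append("new_device")
        if country not in base["countries"]:
            reasons.append("new_location")
        return ("step_up" if reasons else "allow"), reasons

    def record_verified(self, user, device_id, country):
        """Learn context only from verified logins, never from failed attempts."""
        base = self.seen.setdefault(user, {"devices": set(), "countries": set()})
        base["devices"].add(device_id)
        base["countries"].add(country)

def replay(events):
    """Run login events through a fresh engine and return its decisions."""
    engine, decisions = AdaptiveAuth(), []
    for user, device, country, step_up_passed in events:
        decision, reasons = engine.evaluate(user, device, country)
        if decision == "allow" or step_up_passed:
            engine.record_verified(user, device, country)
        decisions.append((decision, reasons))
    return decisions

# Constructed sample: (user, device id, country, did the user pass step-up?)
SAMPLE_EVENTS = [
    ("ana", "phone-1", "PH", True),    # enrolment: no baseline yet, step-up passed
    ("ana", "phone-1", "PH", False),   # routine login: no extra friction
    ("ana", "laptop-9", "SG", False),  # new device and location, step-up failed
    ("ana", "laptop-9", "SG", False),  # still challenged: the failure was not learned
    ("ana", "laptop-9", "PH", True),   # new device only, step-up passed
    ("ana", "laptop-9", "PH", False),  # device is now part of the baseline
]

if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", result)
```

The baseline is updated only after a verified login, so repeated attempts from an unrecognised device keep triggering the additional layer instead of gradually becoming trusted.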

At the enterprise level, organizations are also moving toward zero trust frameworks, where access is continuously verified regardless of prior authentication.

“It doesn’t trust any authentication. Every time an authorization or authentication is invoked, it has to be double-checked,” Ganapathy said.

The role of AI in detecting fraud

Artificial intelligence is increasingly being used to analyze large volumes of data generated by digital systems, helping financial institutions detect suspicious activity more quickly.

Ganapathy explained that enterprise environments generate vast amounts of logs, which can be difficult to analyze manually.

“AI actually makes that analysis much easier,” she said. “It analyzes the logs and flags potential threats or red flags.”

By reducing the time needed to detect and investigate incidents, AI helps organizations contain threats earlier and minimize potential damage.

At the same time, attackers are also using AI to improve the effectiveness of their campaigns, making phishing attempts more convincing and scalable.

BSP push signals urgency for stronger authentication

The Bangko Sentral ng Pilipinas has been urging financial institutions to adopt stronger authentication mechanisms, reflecting growing concerns about cybersecurity risks in digital finance.

[Image: BSP building. Image credit: Bangko Sentral ng Pilipinas]

Ganapathy said this shift is necessary given how quickly threats are evolving.

“It is time for us to move beyond OTPs and adapt to how attackers are evolving,” she said.

The transition, however, will require a gradual and structured approach rather than an immediate overhaul.

A phased transition for banks

According to Ganapathy, financial institutions should begin by strengthening their visibility into user behavior and transaction patterns before implementing more advanced systems.

This includes monitoring login activity, identifying anomalies, and understanding how users interact with digital platforms.

From there, banks can gradually introduce adaptive authentication, identity threat detection, and eventually zero trust models.

“It is not going to happen overnight,” she said, noting that factors such as infrastructure, budget, and existing systems will influence the pace of adoption.

Rethinking security beyond OTP

As digital banking continues to expand in the Philippines, the limitations of OTP-based security are becoming more apparent.

While OTPs may still play a role in certain use cases, experts say they are no longer sufficient as a standalone defense against modern cyber threats.

Instead, the focus is shifting toward identity-based security models that continuously verify users and adapt to changing risks — marking a broader transformation in how financial institutions approach cybersecurity.

Leira Mananzan