By Rohan Pinto, CTO & Co-founder, 1Kosmos
The single password vault. The monolithic gateway. The central directory holding keys to your digital kingdom. For decades, centralised identity was the enterprise security bedrock. That assumption has become a catastrophic liability. India’s enterprises can no longer afford a single point of authentication failure.
This article explores why the centralised model is broken, the architecture that must replace it, and how distributed, biometrics-based identity verification offers a compelling path forward.
The Anatomy of Failure: The fragility of India’s identity infrastructure is no longer theoretical. In April 2026, Ahmedabad police uncovered an AI-enabled identity theft racket that exploited Aadhaar update kits. Criminals used AI to generate “live” facial videos from static photos, bypassing biometric systems and compromising around 240 identities. A data leak on Rajasthan’s Bijli Mitra portal exposed over 1.5 crore consumer records due to broken access control. Even without directly breaching UIDAI, lateral compromises make centralised ecosystems a house of cards.
Financial consequences are staggering. IBM’s 2025 Cost of a Data Breach report placed India’s average breach cost at INR 220 million, a 13% increase. Nearly one in four Indian enterprises reported losses exceeding USD 1 million from cyber breaches. Meanwhile, India’s biometrics market is projected to triple to INR 73,759 Crore by 2034, and Aadhaar face authentication transactions have crossed 2 billion. The more we scale centralised systems, the larger the bullseye becomes.
The Regulatory Imperative: DPDP Act: The Digital Personal Data Protection (DPDP) Act, 2023, mandates data minimisation and prohibits unnecessary collection of personal data. Centralised models that amass vast biometric stores are directly at odds with this mandate. A single breach could incur penalties of hundreds of crores. Compliance forces enterprises to abandon centralised data models for privacy-preserving architectures.
The Emerging Quantum Threat to Identity Systems: Another profound threat: cryptographically relevant quantum computers. India’s Department of Science and Technology has published a final national quantum-safe roadmap under the National Quantum Mission. Critical infrastructure, including defence, banking, and telecom, must adopt post-quantum cryptography (PQC) by December 2029; regular enterprises by 2033. Adversaries can capture encrypted identity transactions today and decrypt them later, a “store now, decrypt later” attack. SEBI has prepared quantum readiness plans for its regulated ecosystem. Any identity system relying on RSA or ECC will become obsolete this decade.
Reference Architecture: From Centralised Hub to Distributed Quantum Resilient Fabric
Legacy centralised architecture stores all credentials in a single honeypot, vulnerable to both classical breaches and quantum attack. In this model, every identity record, biometric template, and authentication key sits in one repository — a single point of compromise that, once breached, exposes the entire enterprise’s identity ecosystem.
The necessary evolution is a distributed biometrics architecture built on post-quantum cryptography. In this model:
- Biometric capture and match occur entirely on the user device within a Trusted Execution Environment. No raw biometric data is ever transmitted or stored centrally.
- Cryptographic proofs use NIST-standardised PQC: ML-KEM (formerly Kyber) for secure key establishment, and ML-DSA (formerly Dilithium) for digital signatures. This ensures that even a quantum computer cannot forge authentication proofs.
- Zero-knowledge proofs employ quantum-resistant schemes like STARKs, which rely only on hash functions.
- A permissioned distributed ledger acts as a DID registry, with all transactions signed using post-quantum signatures, preventing tampering by quantum adversaries.
Enterprise-ready solutions embodying these principles:
- Live biometric liveness detection to defeat AI-generated deepfakes.
- Biometric binding to a specific device, enabling true passwordless, phishing-resistant authentication.
- Post-quantum cryptographic binding using NIST-standard algorithms.
- Reusable verified digital identity without repeated proofing.
- Privacy by design: verify, don’t store.
- Quantum-resilient distributed ledger backing with PQC signatures.
- Verifiable Credentials framework using post-quantum digital signatures.
- FIDO2 compliance with PQC extensions.
- Crypto agility: seamless algorithm replacement without hardware changes, as mandated by India’s roadmap.
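As an added illustration (not code from this article or from 1Kosmos) of the device-bound, challenge-response flow described in the architecture above and of the crypto agility the feature list calls for: the server enrols only a public key and an algorithm tag, the device signs a server challenge only after its local biometric match passes, and the algorithm tag is bound into the signed message so a scheme can be retired through a dispatch table. Because no ML-DSA implementation exists in the Python standard library, a hash-based Lamport one-time signature stands in for ML-DSA; the device id, registry layout and message framing are assumptions.

```python
import hashlib
import os

# Assumed, illustrative algorithm tag; a real deployment would carry an ML-DSA identifier.
ALG = "LAMPORT-SHA256"

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair. The private key stays on the device;
    only the 256 hash pairs (the public key) are enrolled in the registry."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def _bits(digest: bytes):
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    """Reveal one secret per bit of SHA-256(msg). A Lamport key must sign only once."""
    return [sk[i][bit] for i, bit in enumerate(_bits(_h(msg)))]

def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(_h(s) == pk[i][bit] for i, (s, bit) in enumerate(zip(sig, _bits(_h(msg)))))

# Crypto agility: the tag selects the verifier and is part of the signed bytes,
# so retiring a scheme means removing its entry, not replacing hardware.
VERIFIERS = {ALG: verify}

def proof_message(alg: str, device_id: str, challenge: bytes) -> bytes:
    return alg.encode() + b"|" + device_id.encode() + b"|" + challenge

def device_authenticate(sk, alg: str, device_id: str, challenge: bytes, local_match_ok: bool):
    """Device side: the key is used only if the on-device biometric match passed.
    The proof carries no biometric data, only a signature over the challenge."""
    if not local_match_ok:
        return None
    return {"alg": alg, "device_id": device_id,
            "sig": sign(sk, proof_message(alg, device_id, challenge))}

def server_verify(registry: dict, challenge: bytes, proof: dict) -> bool:
    """Server side: the registry holds public keys and algorithm tags, never templates."""
    entry = registry.get(proof["device_id"])
    if entry is None or entry["alg"] != proof["alg"] or proof["alg"] not in VERIFIERS:
        return False
    msg = proof_message(proof["alg"], proof["device_id"], challenge)
    return VERIFIERS[proof["alg"]](entry["pk"], msg, proof["sig"])
```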
Adoption Framework for Indian Enterprises: Transitioning from legacy IAM to a distributed-biometric, quantum-resilient model is a strategic transformation. A phased adoption framework is essential.
Phase 1: Assessment and Quantum Cryptographic Inventory
Inventory all cryptographic assets and dependencies on RSA/ECC. Identify long lived credentials vulnerable to harvest now, decrypt later.
Phase 2: Pilot for High Risk Use Cases with PQC Integration
Deploy for high risk use cases like privileged access or high value customer authentication using NIST PQC algorithms.
Phase 3: Hybrid Integration with Crypto Agility
Integrate the distributed PQC identity source alongside legacy IAM using SAML/OIDC, with crypto agility built in.
Phase 4: Incremental Migration to Post Quantum Only
By December 2029 for regulated entities, decommission all classical-only cryptographic modes in identity systems.
Phase 5: Optimisation, Expansion, and Continuous Assurance
Expand to employee onboarding, vendor access, and step-up authentication. Implement continuous cryptographic assurance.
Conclusion: The era of the centralised identity vault is ending. It cannot withstand AI-driven deepfakes, quantum-capable adversaries, or the DPDP Act’s data minimisation mandate. India’s National Quantum Mission sets December 2029 as the deadline for critical infrastructure. Enterprises that continue defending an indefensible model do so at their own peril. The alternative is clear: distributed biometrics, post-quantum cryptography, and a zero-trust architecture where identity is verified locally and never stored centrally. The end of centralised identity has arrived. The only question is whether your enterprise will lead the change or be forced into it.