Strategic document · Visual briefing · Confidential

Building India's
Identity Security Platform

A deep-tech strategy brief explaining how e91's MFA platform becomes the foundation for an entire identity and access management suite — and why this is defensible against Okta, CyberArk, and Microsoft in the Indian market.

Anchor · MFA Platform
Moat · Air-gap + PQC
Market · Gov, BFSI, Defense
Horizon · 36 months
01 · Foundation

What is MFA, in plain terms

Before we talk strategy, let's make sure we're aligned on what we're actually building.

The problem

Passwords alone are broken

Passwords can be guessed, phished, stolen, or leaked. 81% of cybersecurity breaches involve stolen or weak credentials. A password is one thing you know — but attackers can know it too.

The solution

Prove identity with 2 factors

MFA requires at least two proofs: something you know (password), something you have (phone, key), and/or something you are (fingerprint). Even if one factor is stolen, the attacker can't complete the login.

Figure 01 · The three factors of authentication
  • Factor 1 · Something you know: password, PIN, secret answer. Can be guessed or stolen.
  • Factor 2 · Something you have: phone with OTP, FIDO2 security key. Physical possession required.
  • Factor 3 · Something you are: fingerprint, face, iris, voice. Unique to the human.
Multi-Factor = require 2 or more of these to prove identity. Your platform handles Factor 2 (mainly) and Factor 3 (biometrics via FIDO2).
02 · How it works

Your MFA platform, in motion

Here's what actually happens when a user logs into any enterprise application protected by your MFA platform. This is the flow that happens hundreds of times per second in a real deployment.

Figure 02 · End-to-end authentication flow
Participants:
  • User · Bank employee logging in
  • Enterprise Application · Core banking, HR system, VPN, etc.
  • Identity Provider · Azure AD / Okta / LDAP (existing, not replaced)
  • ELEMENTS91 MFA PLATFORM · Second-factor verification service · Stateless · Horizontally scalable · Plug-in
Flow:
  1. User submits username + password
  2. Enterprise app forwards to IdP for primary auth
  3. IdP verifies password → returns authenticated user
  4. App calls /validate/check with user + OTP
     Inside your platform: resolve user + realm → load active tokens → verify OTP (timing-safe) → write to audit log (chain-hashed)
  5. Returns {"result": true}
  6. User granted access to the application
Your platform only handles the second factor. It never sees the password. It never replaces the IdP.
1 · User initiates login

A bank employee tries to log into their core banking system with their username and password.

2 · Primary authentication happens at the IdP

The application forwards credentials to Azure AD, Okta, or LDAP — the existing identity provider. Your platform is not involved yet.

3 · Application calls your MFA platform

After the password passes, the application calls your /validate/check endpoint with the user's name and the OTP code they entered. This is the single API that everything flows through.

4 · Platform verifies the second factor

Your platform loads the user's registered tokens, verifies the OTP using timing-safe cryptographic comparison, writes to the tamper-proof audit log, and returns a simple true or false.

5 · Access granted or denied

If both password and OTP are correct, the user is logged in. If either fails, access is denied and the event is logged for compliance audit.

Why this design is commercially important

Your MFA platform returns a single boolean — true or false. This extreme simplicity is intentional. It means any existing application — a 20-year-old banking mainframe, a modern SaaS HR tool, a government VPN — can integrate with your platform in a few hours, without re-architecting anything.

This is how you win enterprise deals in India where customers have sprawling legacy environments. Okta and global OEMs typically require deeper architectural commitment. You don't.

03 · Architectural differentiator

The IdP-agnostic advantage

Your platform doesn't compete with the customer's existing identity system — it plugs into it. This is the single biggest commercial advantage buried in your technical spec, and here's why.

Figure 03 · Okta and Microsoft want to replace · You want to plug in
THE OKTA / CYBERARK APPROACH · Replace everything
  • Existing Azure AD · Must be displaced
  • Legacy LDAP · Must be displaced
  • OKTA UNIVERSAL DIRECTORY · IdP + MFA + SSO + Directory · "Bundled — you must use all of it" · "18-month migration project"
  Outcome: Long, risky, expensive migration. Many Indian enterprises simply can't do it.
THE ELEMENTS91 APPROACH · Plug in, don't displace
  • Existing Azure AD · Preserved, unchanged
  • Legacy LDAP · Preserved, unchanged
  • ELEMENTS91 MFA · Second-factor only · "Add second factor — keep your IdP" · "Ships in weeks, not quarters"
  Outcome: Fast win. Zero displacement risk. The entire Indian enterprise market opens up.

What this means for sales cycles

When Okta pitches to an Indian bank, the CIO has to approve a 12-18 month project to migrate away from their Microsoft Active Directory. That requires board approval, budget approval, and carries huge risk. Many times, the deal simply doesn't happen.

When you pitch the same bank, you're saying "keep everything you have — we just add the second factor." The CIO can approve this at their level. The deal closes in weeks, not years. This is why your sales motion is structurally faster.

04 · Unlocking defense & gov

Air-gap deployment explained

Your platform can run in environments that have no internet connection at all — defense networks, nuclear facilities, intelligence agencies, critical infrastructure. Okta, Microsoft, and CyberArk structurally cannot operate here.

Figure 04 · How your platform works with zero internet access
OUTSIDE THE FACILITY · Public internet
  • Twilio, FCM, APNs
  • AWS, Azure, GCP
  • Cloud KMS, cloud services
AIR GAP · NO NETWORK
ISOLATED FACILITY · ZERO INTERNET (e.g. defense network, nuclear plant, intelligence HQ)
  • ELEMENTS91 MFA · Running on-premises · Same code, same features · Config flag: airgap=true
  • Ntfy (self-hosted) · Push
  • Gotify (self-hosted) · Push
  • SMSEagle (on-site appliance) · SMS
  • Local KMS (encrypted keystore)
  • On-site PostgreSQL + Redis
  • Classified apps · Defense systems, SCADA, etc.
  • Authorized personnel · Must authenticate locally
Every dependency has a self-hosted alternative. This is the market Okta and Microsoft cannot serve.
What this unlocks

Markets only you can serve

  • Defense (Army, Navy, Air Force, MoD)
  • Intelligence (RAW, IB, NTRO)
  • Space (ISRO, DRDO)
  • Nuclear (DAE, NPCIL)
  • Power grid, railway, refineries
  • Central and State gov SOC, NCIIPC-protected infra
Why global OEMs can't compete

Architectural dependencies

Okta, Microsoft Entra, and CyberArk Cloud are fundamentally SaaS products. They require outbound connections to authentication servers, telemetry endpoints, push notification services, and cloud KMS.

In an air-gapped facility, none of those connections are allowed. Re-architecting their products for air-gap would take years and break their core product model. Your platform was designed for this from day one.

05 · The hidden multiplier

The platform reuse superpower

This is the most important slide in this document. The components you're building for MFA are not MFA-specific — they're a reusable foundation for an entire identity security suite. Every future product inherits 40-60% of its work from here.

Figure 05 · Shared platform components power every future product
FOUNDATION LAYER · BUILT ONCE WITH MFA · USED FOREVER
  • Audit Log · SHA-256 chain · Tamper-proof · 7-year retention
  • KMS Envelope · AES-256-GCM · 4 KMS backends · Key rotation
  • RBAC Framework · 4 roles · JWT + mTLS · Fine-grained
  • Policy Engine · Pre/post rules · Realm-scoped · Time/CIDR aware
  • CryptoProvider · Algorithm-agnostic · PQC-ready · Future-proof
ANCHOR · MFA Platform · In build · 20 weeks · 8 token types
  • TIER 1 · SSO · 3–4 months · 60% reuse
  • TIER 1 · PAM · 9–12 months · 45% reuse
  • TIER 1 · IGA · 6–9 months · 55% reuse
  • TIER 2 · ZTNA · 12 months · 50% reuse
Your product suite: each product ships faster because it reuses the foundation. All products consume shared platform services.

What this means financially

Building PAM from scratch would take a typical vendor 18-24 months and cost ₹8-12 crores in engineering. Because your foundation is already there, you can ship PAM in 9-12 months at roughly half the cost. Same for IGA, ZTNA, and Secrets Management.

This compounding leverage is why platform companies outperform single-product companies in public markets — and why building the MFA anchor correctly matters so much more than building it quickly.
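The chain-hashed audit log from the foundation layer, as an added Python illustration that is not the product's own code: each entry commits to the previous entry's SHA-256 hash, so an in-place edit or a deleted record breaks every hash after it and verification names the first broken entry. The AuditChain class, its event fields and the sample events are constructed for this example.

```python
# Added illustration, not the product's code: a SHA-256 chain-hashed audit log.
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # the "previous hash" of the very first entry


def _entry_hash(prev_hash: str, seq: int, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal events hash equally.
    body = json.dumps({"seq": seq, "prev": prev_hash, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


class AuditChain:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        h = _entry_hash(prev, seq, event)
        self.entries.append({"seq": seq, "prev": prev, "event": event, "hash": h})
        return h

    def head(self) -> str:
        """Latest hash. Checkpoint it outside the log (e.g. signed via the KMS) so a
        wholesale rewrite of the chain is detectable too, not only an in-place edit."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self) -> Optional[int]:
        """Return the seq of the first broken entry, or None if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return i  # gap, reorder or deletion
            if _entry_hash(prev, i, e["event"]) != e["hash"]:
                return i  # payload edited after the fact
            prev = e["hash"]
        return None


def tamper_demo() -> Optional[int]:
    """Constructed sample: three auth events, then a failed OTP check is flipped
    to a success in place. verify() reports entry 1 as the break."""
    chain = AuditChain()
    chain.append({"user": "asha", "realm": "bank", "action": "validate_check", "result": True})
    chain.append({"user": "ravi", "realm": "bank", "action": "validate_check", "result": False})
    chain.append({"user": "asha", "realm": "bank", "action": "token_enroll", "type": "totp"})
    chain.entries[1]["event"]["result"] = True
    return chain.verify()
```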

06 · What you're shipping

The 8 token types

Your platform supports 8 different ways to prove the second factor. Each matters for a different customer segment. Here's how to think about them commercially.

1 · TOTP · Enterprise default

Time-based OTP from Google Authenticator, Microsoft Authenticator. Most common.

2 · HOTP · Legacy BFSI

Counter-based OTP for legacy hardware tokens (RSA SecurID style).

3 · SMS · Consumer grade

6-digit code sent to the user's phone. Universal but phishable.

4 · Email · Easy rollout

8-digit code sent via SMTP. Secondary factor for enterprise.

5 · Push · UX premium

Modern approve-on-phone with number matching. Anti-phishing.

6 · FIDO2 · RBI mandate

Security keys (YubiKey) and passkeys. Highest security tier.

7 · RADIUS · Gov + defense

Delegate to network equipment. Critical for VPN and router auth.

8 · Registration · Onboarding

Single-use enrollment tokens for new-user onboarding.
Figure 06 · How each token type maps to customer segments
  • GOVERNMENT & DEFENSE · TOTP · HOTP (hardware) · FIDO2 · RADIUS · Push (via Ntfy/Gotify) · Air-gap deployable · No SMS / no cloud
  • BFSI · TOTP (primary) · FIDO2 (RBI phishing) · Push (modern UX) · SMS (customer side) · HOTP (legacy migration) · All 8 types used · RBI CSCRF-aligned
  • ENTERPRISE · TOTP · Push · FIDO2 (execs) · Email (fallback) · Registration · DPDP-ready · Cloud-first deploy
  • FINTECH / CIAM · SMS (UX) · Push · FIDO2 (passkeys) · Email · Registration · Consumer scale · UPI + Aadhaar
07 · Future-proofing

Post-quantum cryptography, explained

Within 5-10 years, quantum computers will be able to break today's encryption. Your platform is architected to survive this transition — a rare capability in Indian cybersecurity and a genuine moat.

Figure 07 · The quantum threat and your defense
  • TODAY · 2026 · Classical cryptography · RSA, ECDSA all secure
  • 2027-2030 · Transition · Hybrid mode mandated · Classical + PQC at same time
  • 2030-2035 · "Q-Day" · Quantum computers break RSA, ECC obsolete · PQC required
  • 2035+ · New normal · Pure PQC algorithms · ML-KEM, ML-DSA are standard
Your CryptoProvider abstraction lets you swap algorithms via config — no code change. When RBI, CERT-In, or NCIIPC mandates PQC (expected 2027-2028), you flip a flag. Competitors need a 12-month migration.
⚠ "Store now, decrypt later" — encrypted data stolen today is decryptable once quantum arrives.

Why this is a commercial moat, not just a tech curiosity

Indian regulators (CERT-In, NCIIPC, MeitY) are actively watching NIST and NCSC guidance. PQC mandates are expected within 2-4 years for critical infrastructure and defense. BFSI will follow within 5 years.

When that happens, every vendor without a PQC-ready architecture faces an 18-month scramble. You flip a configuration flag. This is the difference between a 3-month sales win and a 3-year absence from the market.

08 · 36-month plan

Product expansion roadmap

Building the MFA anchor first, then layering products in a sequence that maximizes platform reuse and follows the buyer's budget cycle.

Now → Month 5 · Currently active

MFA platform build (Phases 1-6)

Ship core platform via 20-week development plan. Run 2-3 design-partner pilots with BFSI and government. Begin MeitY empanelment conversations. Foundation layer (audit, KMS, RBAC, policy, crypto) is built here and reused forever.

Month 5 → Month 8

MFA GA + Workforce Identity bundle

General availability. Package MFA + SSO + Passwordless as single SKU. Close first 10-15 paying customers. Establish channel with 2-3 Indian SIs (Wipro/TCS/HCL).

Month 6 → Month 18

PAM — the revenue inflection point

Privileged Access Management. Target BFSI first — RBI mandate is natural sales trigger. Hire dedicated team of 6-8 engineers. This is where ARR begins to scale meaningfully.

Month 15 → Month 24

IGA-lite + Device Trust

Complete the workforce identity story. Unlocks large PSU and audit-heavy BFSI deals. Device trust becomes foundation for ZTNA.

Month 18 → Month 30

ZTNA — next-gen VPN replacement

Position post CERT-In 2022 directives. Bundle with device trust + MFA step-up. Air-gap variant unlocks defense ZTNA market.

Parallel · Month 12+

CIAM product line

Separate team, separate GTM. Indian fintech, e-commerce, insurance. Native Aadhaar + DigiLocker + UPI. Different buyer persona (CDO/CPO, not CISO).

Month 30+

International expansion

SEA, Middle East, Africa using same compliance-first playbook. These geographies have similar data-localization demands and respect Indian technology.

09 · Investment framework

Tier 1, 2, 3 — what to build

A clean framework for every future product decision. If a product fits Tier 1, build it. Tier 2, plan it. Tier 3, partner or skip.

Tier 1 · Build next

Identity Core Suite

Month 6 → Month 18
Tier 2 · Strategic bets

Trust, Access & New Buyers

Month 18 → Month 30
Zero Trust Network Access · Gov + BFSI
Replace traditional VPN. Identity + device posture + real-time policy. Post-CERT-In budget unlock.
Your edge: India residency; air-gap variant for defense; RADIUS already built
Reuses: RADIUS · Policy · Audit · MFA step-up

Customer Identity (CIAM) · Fintech play
Consumer identity for Indian fintech, e-comm, insurance. DPDP consent native.
Your edge: Aadhaar eKYC, DigiLocker, UPI, eSign native; DPDP flows
Reuses: MFA (consumer) · Audit · KMS

Secrets Management · DevOps buyer
API keys, DB passwords, service credentials — vaulted and rotated.
Your edge: HashiCorp alternative at lower cost; air-gap variant
Reuses: KMS · Audit · RBAC · All KMS backends

Device Trust & Posture · ZTNA enabler
Endpoint compliance signals. Gates access decisions. Foundation for ZTNA.
Build rationale: Ships as feature within ZTNA; unlocks zero-trust story
Reuses: Policy engine · Audit · API framework
Tier 3 · Do not build

Adjacent but wrong for us

Partner or skip
EDR / XDR · Skip
Requires threat intel labs with 100+ engineers. CrowdStrike dominates globally.
Instead: Partner — consume EDR signals into your ZTNA.

SIEM · Skip
Capital-intensive storage. Splunk, Securonix own this space.
Instead: Export your audit events; become preferred identity source.

DLP · Skip
Commoditized. Margins dying. Not strategic to identity.
Instead: Watch; revisit in 3 years if the category reshapes.

Firewall / NGFW · Skip
Hardware business, different DNA. Palo Alto / Fortinet own 80% globally.
Instead: Your ZTNA is the future firewall.
10 · Landscape

Competitive positioning

Where you can win against global OEMs and Indian incumbents, and where you should not show up.

Columns: Product · vs Global OEMs · vs Indian players · Your edge
  • MFA Platform · Can win · Can win · Air-gap + PQC-ready + IdP-agnostic
  • SSO · Can tie · Can win · Bundled MFA + unified audit log
  • Passwordless · Can tie · Can win · RBI-ready; FIDO2 already built
  • PAM · Win on price · Win on tech · Cloud-native + air-gap vs legacy ARCON
  • IGA-lite · Tie mid-market · Can win · India audit templates + unified platform
  • ZTNA · Hard standalone · Can win · Win only after identity suite established
  • CIAM · Tie fintech · Can win · Aadhaar, UPI, DigiLocker native
  • EDR, SIEM, DLP, Firewall · Will lose · Will lose · Do not compete
11 · The one page that matters

CEO bottom line

1. Your MFA spec is not a commodity product. The combination of air-gap deployment, post-quantum readiness, and IdP-agnostic plug-in architecture makes it a government-grade security platform. Position it — and price it — accordingly.

2. Do not split engineering focus before MFA Phase 4 is complete. The foundation components you're building (audit log, KMS envelope, RBAC, policy engine, crypto abstraction) are the basis for every product that follows. Cutting corners now creates compounding cost over 3 years.

3. Sequence discipline wins. MFA GA → SSO + Passwordless bundle → PAM → IGA → ZTNA. CIAM runs as a parallel product line from month 12 with its own team.

4. Your moat is structural, not feature-based. India-first compliance, air-gap deployability, PQC architectural readiness, and platform-wide component reuse. These cannot be copied by Okta or CyberArk without rebuilding their products from scratch.

Target outcome: Become India's Okta + CyberArk hybrid — with a 2-3 year head start on PQC — before going global to SEA, Middle East, and Africa.