To make the online banking system secure, a three-step authentication method using the face, iris, and fingerprint is used. To improve security, spoofing detection has also been included. A spoofing attack happens when someone attempts to impersonate someone else and gets unauthorized access. The face and iris are captured by the camera, while the fingerprint is captured by the fingerprint module. Gray Level Co-occurrence Matrix is used to extract a picture of a person's face, iris, and fingerprint (GLCM). A reference module is constructed using the extracted picture so that the input may be compared to it, and if the input matches the module, a one-time password (OTP) is delivered to the user's mobile phone. Only the online transaction may take place if the OTP is entered correctly. Otherwise, the account holder will get an alert message. This method allows for a very secure online transaction.