UIDAI Authentication data analysis

A recent story on TOI quotes the affidavit that UIDAI filed in the supreme court that there were 1216.8 crore authentications done by Aadhaar so far, which proves that the system is working.

This of course is an obvious misrepresentation since UIDAI never publishes failures but just the total count.

It also does not publish the breakup between various types of authentication such as OTP, biometric and demographic authentication. While OTP and biometric authentication require resident participation, demographic authentication does not. It can be best thought of as a search functionality.

So Srikanth scraped the entire data from UIDAI authentication dashboard. The full spreadsheet is available here. A few quick statistics:

  1. Authentication breakup as per Authentication Service Agencies (ASAs) is Fingerprint: 69.27%, Demographic: 28.08%, IRIS: 1.16%, OTP: 1.21%
  2. However the breakup as per Authentication User Agencies (AUAs) is Fingerprint: 67.06%, Demographic: 26.69%, IRIS: 3.03%, OTP: 2.52%.
  3. The absolute authentication numbers between AUAs and ASAs also don’t match. This is perplexing because all authentication requests flow from AUA->ASA->CIDR which means if there are mismatches between AUA reported numbers and ASA reported numbers, traceability is gone and fraud detection without traceability is next to impossible.

Massive jump in demographic authentication

The total number of authentications as on October 2016 is about 331 crores but it is 1255 crores on November 2017, which is an increase of 924 crores (3X increase). Demographic authentication alone accounts for 231 crores and this is because of the mandatory PAN, Sim, Bank linkage.

Since demographic authentication does not require the consent of the resident, most likely this is inorganic seeding in action.

Aadhaar PAN Linking

So far Aadhaar PAN Linkage stands at 13.28 Crores.

However the breakup for the Income Tax department (AUA) is as follows:

  1. Demographic authentication: 20.05 Crore attempts
  2. OTP authentication: 2.20 Crore attempts

Hence almost 11.08 crore PANs were linked by the Income Tax department using data it had obtained through previous returns or other sources and only 2.20 crore were linked via explicit consent through OTP.

Failure Analysis

It is also possible to derive overall failure rates even though UIDAI would not put out the data from the above excel sheet.

  • Number of eKYC transactions by Reliance JIO stood at 48.15 crore at an estimated base of 14 crore.
  • Further there is an additional 60 crore authentication attempts (not eKYC but just authentication) whose purpose is unclear. Telecom companies are only expected to do eKYC for issuing SIM cards or opening payment bank accounts. While they can sign up others as sub AUA for Aadhaar authentication, it still does not explain the additional 60 crore attempts of which biometric authentication itself is about 59.80 crores.
  • Similarly Bharti Airtel’s eKYC transactions is at 71.31 crore for a subscriber base of 28 crores, it is quite likely that not all the subscribers have been re-verified via eKYC (unlike JIO). Also the AUA authentication numbers for Airtel is at 95.58 crore which is perplexing. Perhaps the only explanation is that an eKYC transaction which uses biometric authentication also generates an AUA transaction and gets counted one more time.
  • The numbers are still perplexing since the ratio of subscriber base to transactions is at 1:3 (eKYC only) or 1:4 (Authentication) meaning the biometric failure rate could be between 75% to 80%, which is quite absurd, given that the maximum failure rates we have seen is around 26%

There are two possible explanations for the more than normal failure rates.

The first explanation is that eKYC transactions and biometric authentications were successful within the usual range of failures, but integration issues resulted in more transactions as documented by Prof. Varma in his blog.

The other explanation is that users were simply told that the eKYC authentication failed but the repeated attempt was used to open a payment bank account as reported by medianama.

Irrespective of the explanations, it is obvious that biometric failure rates for fingerprints are high and may be within the normal range of 12 to 20% for the government to consider switching to a combination of OTP and demographic authentication.

Misleading the court

UIDAI in it’s affidavit has claimed in the supreme court the following:

Given the analysis so far, this is obviously a lie as explained below:

  1. Demographic authentication does not require the knowledge or presence of the residents. It is simply a search operation, but UIDAI counts it as authentication.
  2. More than 25% of the authentication is demographic (334 crores) of which 231 crores is done in the last one year often without the knowledge of the resident.
  3. A very small portion of the residents actually linked their PAN voluntarily while the rest were automatically linked through demographic authentication.
  4. Since failure statistics are not reported, the numbers are misleading since more the failures, more the retries and higher the attempts.
  5. The above statement purposefully misleads the court by mixing up “Attempts” with “Authenticate their identities” to hide the information on failure statistics.

Hopefully the lawyers who argue for the petitioners will bring this to the court’s notice.