Understanding Aadhaar Authentication and Offline Verification

Srikanth @logic · Published in Kaarana · Jun 8, 2021

On May 20, 2021, the Unique Identification Authority of India (UIDAI) released the Draft Aadhaar (Authentication and Offline Verification) Regulations, 2021. Following requests, the deadline for feedback on the draft regulations was extended to June 21, 2021.

Draft Aadhaar (Authentication and Offline Verification) Regulations, 2021

A Twitter thread (embedded in the original post) gives the highlights and lowdowns of the draft regulations and flags some of the issues.

To better understand the draft and help shape responses to the consultation, this post breaks down the different types of Aadhaar authentication and offline verification.

Online Authentication and eKYC

While this is probably well known by now, to set context for those reading about it for the first time: UIDAI provides two types of services to "Requesting Entities", the entities that connect to the UIDAI Central Identities Data Repository (CIDR).

  1. Authentication — Only a Yes / No response from UIDAI upon a successful Aadhaar authentication.
  2. eKYC — Response containing demographic details of the Aadhaar holder upon a successful Aadhaar authentication, which may be carried out only using OTP and/ or biometric authentication modes.

Authentication Modes

The following are the authentication modes, as per the regulation.

(a) Demographic authentication: The Aadhaar number and demographic information of the Aadhaar number holder obtained from the Aadhaar number holder is matched with the demographic information of the Aadhaar number holder in the CIDR.

(b) One-time pin based authentication: A One Time Pin (OTP), with limited time validity, is sent to the mobile number and/ or e-mail address of the Aadhaar number holder registered with the Authority, or generated by other appropriate means. The Aadhaar number holder shall provide this OTP along with his Aadhaar number during authentication and the same shall be matched with the OTP generated by the Authority.

(c) Biometric-based authentication: The Aadhaar number and biometric information submitted by an Aadhaar number holder are matched with the biometric information of the said Aadhaar number holder stored in the CIDR. This may be fingerprints-based or iris-based authentication or other biometric modalities based on biometric information stored in the CIDR.

(d) Multi-factor authentication: A combination of two or more of the above modes may be used for authentication.

Note that biometric-based authentication includes the face modality, which is currently allowed only in multi-factor authentication mode.

Authentication Identifier

Authentication identifiers are analogous to a username presented during authentication. The following are the different authentication identifiers supported for Aadhaar authentication; details on ANCS are not yet broadly available.

  1. UID — The 12 digit Aadhaar number
  2. VID — A regenerable 16 digit Virtual Identifier, mapped to a single UID at any given time. While the documentation and the draft regulation mention various modes of generating / retrieving a VID, it is unclear whether a VID can be generated / retrieved without access to the linked registered mobile number.
  3. UID Token — A 72 character alphanumeric token issued by the UIDAI-run Aadhaar Tokenize API. The token is specific to a particular Sub-AUA. While large requesting entities such as large banks are Authentication User Agencies (AUAs), small government departments within a state are usually classified as Sub-AUAs, using the AUA access of the state IT department. There is no public information on whether UID Tokens are revocable or can be regenerated for the same AUA (after a breach, for example).
  4. Aadhaar Number Capture Service — The draft regulation defines an ANCS Token as an encrypted Aadhaar number generated for an Aadhaar number by the Authority for completion of an authentication transaction. An ANCS Token is valid for a short period of time as prescribed by the Authority.

There is very limited information on the ANCS token at this point in time, but it needs a thorough privacy impact analysis and must conform to UIDAI's "optimal ignorance" submission in the Puttaswamy II case (that UIDAI does not know where your Aadhaar was used, and hence is not a surveillance tool).

Offline Verification / offline eKYC

The draft regulation defines following as types of offline verification

(i) QR Code verification, which may be carried out as per the specifications given by the Authority from time to time;

(ii) Aadhaar Paperless Offline e-KYC verification, which may be carried out as per the specifications given by the Authority from time to time;

(iii) e-Aadhaar verification, which may be carried out as per the specifications given by the Authority from time to time; and

(iv) Offline Paper based verification, which may be carried out by the entity. It shall be the responsibility of the concerned entity to verify the genuineness of copy of the Aadhaar letter submitted by the resident. Entity shall obtain the consent of the Aadhaar number holder on the paper copy submitted by the resident.

(v) Any other type of Offline verification introduced by the Authority from time to time.

Although classified as offline verification, it is important to note that "offline" here refers to the ability to verify the information without connectivity to UIDAI infrastructure. In most cases the resident and the requesting entity transfer the QR code / paperless KYC XML / eAadhaar online, and the requesting entity needs connectivity and tooling to verify it.

In Nov 2018, when the offline modes were first published, Derick Thomas wrote about QR Verification and Aadhaar Paperless Offline eKYC verification, with detailed commentary.

Additional Notes on QR Verification

  • Besides the Google Play app and Windows Client, UIDAI has also made the specification for QR Verification publicly available. It is now possible to build open implementations of QR Verification app, albeit with some bugs.
  • The problem of stored QR images cited in the above post used for KYC was addressed by banking regulator with a specific clause to Master direction on KYC. This still leaves the risk of reusable QRs for KYC in other sectors without a similar regulatory mandate.

According to the RBI Master Direction on KYC amendment dated January 9, 2020, Chapter VI, Part I, 18(vi), a QR code generated more than 3 days earlier is not eligible for V-CIP and hence cannot be used for KYC.
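To make the QR verification and 3-day freshness checks above concrete, here is an added example of the checks an Offline Verification Seeking Entity would run on a Secure QR payload. It is my own code, not the post's and not UIDAI's reference client, and the payload layout follows my reading of the public Secure QR specification, so treat it as an assumption: the QR text is a large decimal integer whose bytes are a gzip stream; inside are 0xFF-separated text fields (an email/mobile indicator followed by 15 demographic fields, the first of which is a reference id made of the last four Aadhaar digits plus a YYYYMMDDHHMMSSsss timestamp), then the photo, then the SHA-256 hashes of email and/or mobile (32 bytes each, iterated as many times as the last digit of the Aadhaar number), and finally a 256-byte RSA signature. The sample resident, mobile number and signature bytes are constructed; the RSA signature is only separated out, because checking it needs UIDAI's published certificate.

```python
"""Added example: parse a Secure-QR-style payload and apply OVSE checks.
Layout, hash chaining and field order are assumptions from the public spec,
not UIDAI's code. Sample data below is constructed, not real."""
import gzip
import hashlib
from datetime import datetime, timedelta
from typing import Optional

SEP = b"\xff"
SIG_LEN = 256  # 2048-bit RSA signature; verify against UIDAI's published cert (not done here)
TEXT_FIELDS = ["reference_id", "name", "dob", "gender", "care_of", "district",
               "landmark", "house", "location", "pincode", "post_office",
               "state", "street", "sub_district", "vtc"]


def iterated_sha256(value: str, aadhaar_last_digit: int) -> bytes:
    """SHA-256 applied n times, n = last digit of the Aadhaar number (once if 0 or 1).
    Assumption: each round hashes the previous round's raw digest."""
    digest = value.encode()
    for _ in range(max(aadhaar_last_digit, 1)):
        digest = hashlib.sha256(digest).digest()
    return digest


def parse_secure_qr(qr_text: str) -> dict:
    """Split the decimal QR string into text fields, photo, hashes and signature."""
    n = int(qr_text)
    data = gzip.decompress(n.to_bytes((n.bit_length() + 7) // 8, "big"))
    parts = data.split(SEP, 16)  # maxsplit keeps 0xFF bytes inside the photo intact
    if len(parts) != 17:
        raise ValueError("unexpected field layout")
    indicator = int(parts[0].decode())  # 0 none, 1 email, 2 mobile, 3 both
    fields = dict(zip(TEXT_FIELDS, (p.decode("utf-8") for p in parts[1:16])))
    tail = parts[16]
    if len(tail) < SIG_LEN:
        raise ValueError("payload shorter than a signature")
    body, signature = tail[:-SIG_LEN], tail[-SIG_LEN:]
    hashes_len = 32 * bin(indicator).count("1")
    photo, hash_blob = body[:len(body) - hashes_len], body[len(body) - hashes_len:]
    email_hash = mobile_hash = None
    if indicator & 1:
        email_hash, hash_blob = hash_blob[:32], hash_blob[32:]
    if indicator & 2:
        mobile_hash = hash_blob[:32]
    return {"fields": fields, "photo": photo, "email_hash": email_hash,
            "mobile_hash": mobile_hash, "signature": signature,
            "signed_bytes": data[:-SIG_LEN]}  # what the RSA signature covers


def last_digit_of_aadhaar(parsed: dict) -> int:
    """reference_id = last 4 Aadhaar digits + YYYYMMDDHHMMSSsss, so char 4 is the last digit."""
    return int(parsed["fields"]["reference_id"][3])


def mobile_matches(parsed: dict, mobile: str) -> bool:
    """Check a mobile number the resident states against the hash embedded in the QR."""
    if parsed["mobile_hash"] is None:
        return False
    return iterated_sha256(mobile, last_digit_of_aadhaar(parsed)) == parsed["mobile_hash"]


def qr_age_ok(parsed: dict, now: datetime, max_age_days: int = 3) -> bool:
    """RBI Master Direction on KYC, Ch. VI 18(vi): a QR older than 3 days is not usable for V-CIP."""
    generated = datetime.strptime(parsed["fields"]["reference_id"][4:], "%Y%m%d%H%M%S%f")
    return timedelta(0) <= now - generated <= timedelta(days=max_age_days)


def build_sample_qr(fields: dict, mobile: Optional[str], email: Optional[str],
                    photo: bytes, signature: bytes) -> str:
    """Constructed payload in the assumed layout; the signature is whatever the caller passes."""
    indicator = (1 if email else 0) | (2 if mobile else 0)
    last_digit = int(fields["reference_id"][3])
    data = SEP.join([str(indicator).encode()] + [fields[f].encode() for f in TEXT_FIELDS])
    data += SEP + photo
    if email:
        data += iterated_sha256(email, last_digit)
    if mobile:
        data += iterated_sha256(mobile, last_digit)
    data += signature
    return str(int.from_bytes(gzip.compress(data), "big"))


# Constructed sample: Aadhaar ending ...1234 (last digit 4), generated 2021-06-08 10:15:00.123.
SAMPLE_FIELDS = {"reference_id": "123420210608101500123", "name": "Test Resident",
                 "dob": "01-01-1990", "gender": "M", "care_of": "", "district": "Bengaluru",
                 "landmark": "", "house": "12", "location": "", "pincode": "560001",
                 "post_office": "", "state": "Karnataka", "street": "", "sub_district": "",
                 "vtc": "Bengaluru"}
SAMPLE_PHOTO = b"\xff\xd8fake-jpeg\xff"  # deliberately contains 0xFF separator bytes
SAMPLE_QR = build_sample_qr(SAMPLE_FIELDS, "9999999999", None, SAMPLE_PHOTO, b"\x00" * SIG_LEN)

if __name__ == "__main__":
    p = parse_secure_qr(SAMPLE_QR)
    print(p["fields"]["name"], mobile_matches(p, "9999999999"), qr_age_ok(p, datetime(2021, 6, 10)))
```

The two decisions worth noting: `split(SEP, 16)` stops splitting once the 16 text fields are out, because the binary photo can legitimately contain 0xFF, and the freshness check rejects a future-dated reference id as well as a stale one, since a forged timestamp is the obvious way to defeat a "not older than 3 days" rule.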

There is very little evidence on the scale of use of either QR or offline paperless KYC, although some fintechs / ID verification providers have built mobile workflows that log in to the UIDAI portal on the resident's behalf, download the paperless KYC XML and relay it back to the app.

eAadhaar

The other mode of verification is eAadhaar, where the resident's information is available in a (weakly) password protected PDF file that is digitally signed by UIDAI, so the signature can be verified. The password is the first four letters of the name in capitals followed by the year of birth, which is guessable by anyone who knows the holder. There is no clarity on whether the resident is expected to share the password with the requesting entity, or how the RE will mask the signed PDF if it has to store it, given that masking alters the signed content.

Paper Verification

When all else fails in Digital India, we are back in the paper world, and UIDAI allowing paper verification is a stark acknowledgement of the state of digital infrastructure availability. While the rules on masking the UID are great on paper, their translation into reality on the ground, especially for paper based Aadhaar verification, has a long way to go.

The problem of notice to the Aadhaar holder, and of responsibility on the requesting entity when using offline modes of verification, is being addressed by the current draft regulations placing regulatory mandates on Offline Verification Seeking Entities (OVSEs). While this is a positive step, the draft regulation has some problematic aspects related to deemed consent, even as it goes so far as to say the resident must have the option to verify data deletion by the AUA upon revocation of consent. It is relevant to note that we still have no way to verify whether UIDAI itself deletes authentication log data older than 6 months, and have to take its word on compliance with the Puttaswamy II judgement.

The protection of Aadhaar information will only be as good as the regulation and its enforceability. Do send your feedback to UIDAI.
