The Key Security Factors In Aadhaar Authentication

by Sohini Bagchi    Jan 18, 2018


Earlier this month, a journalist for The Tribune reported a breach of the Aadhaar database. The report details a transaction in which she was able to get a login and password to access a Unique Identification Authority of India (UIDAI) portal. With this access, one can enter a person’s Aadhaar number and obtain their name, photo, sex, age, address, and potentially their contact details. The UIDAI denied that this was a breach, which was again highly debatable. Nonetheless, following the allegations, the authority has announced several steps to secure Aadhaar data.

Face recognition: From July 1, Aadhaar authentication, the process in which the Unique Identity Number or Aadhaar number is authenticated, will be possible through face recognition, yet another measure to tighten security in addition to its existing modes. The Unique Identification Authority of India (UIDAI) has announced face recognition as an additional means of Aadhaar authentication and said it will release necessary details for implementation by March 1, 2018.

The move came days after the UIDAI, the issuer of the 12-digit Unique Identity Number as well as the Aadhaar card, introduced a 16-digit temporary number, called Virtual ID, as an alternative way for holders to authenticate their identity for various services. Currently, the Aadhaar system supports authentication at different levels, such as one-time PIN (OTP) based, biometric-based and multi-factor (a combination of two or more modes), according to the UIDAI website.

As per reports, face authentication will be an optional mode of authentication to be allowed on a “need basis”, used in combination with existing ways such as fingerprint or iris scan, according to the UIDAI.

“Since face photo is already available in UIDAI database there is no need to capture any new reference data at UIDAI CIDR (Central Identities Data Repository),” the UIDAI said in a statement. It added that face authentication, which is aimed at providing easy authentication for individuals who face difficulty with other biometric authentication, will be available in production for Authentication User Agencies (AUAs) to use by July 1, 2018.

Aadhaar Virtual ID or VID: The virtual identity or virtual ID (VID) will be a random 16-digit number mapped to the Aadhaar number of a citizen. The VID will not be duplicable by agencies performing authentication of Aadhaar number, and hence, will ensure safety of the Aadhaar number. The ID, similar to a debit card, will come with an expiration date.

According to a statement by UIDAI, which administers Aadhaar, the VID can be generated and revoked only by the Aadhaar number holder through channels such as the Aadhaar portal and the mAadhaar mobile app. If so required, a new VID can be generated by the Aadhaar holder for each new transaction, and the previous ID will automatically become redundant.
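The Virtual ID properties described above (a random 16-digit number mapped to the Aadhaar number, an expiry, holder-driven regeneration that makes the previous ID redundant) can be sketched as a small token vault. This is an added illustration, not UIDAI's implementation; the class and method names, the lifetime value and the sample number are assumptions.

```python
import secrets
from datetime import datetime, timedelta


class VidVault:
    """Toy token vault (hypothetical): maps VIDs to Aadhaar numbers,
    with at most one live VID per holder."""

    def __init__(self, lifetime=timedelta(days=1)):  # lifetime is an assumed policy
        self.lifetime = lifetime
        self._by_vid = {}    # vid -> (aadhaar, expires_at)
        self._current = {}   # aadhaar -> currently live vid

    def generate(self, aadhaar, now):
        """Holder-side call: issue a fresh VID and retire the previous one."""
        self.revoke(aadhaar)
        while True:
            vid = "".join(secrets.choice("0123456789") for _ in range(16))
            if vid not in self._by_vid:  # avoid colliding with a live VID
                break
        self._by_vid[vid] = (aadhaar, now + self.lifetime)
        self._current[aadhaar] = vid
        return vid

    def revoke(self, aadhaar):
        """Holder-side call: the old VID stops resolving immediately."""
        old = self._current.pop(aadhaar, None)
        if old is not None:
            del self._by_vid[old]

    def resolve(self, vid, now):
        """Vault-internal lookup; returns None for unknown or expired VIDs."""
        entry = self._by_vid.get(vid)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

    def authenticate(self, vid, now):
        """Agency-facing call: yes/no only, the Aadhaar number never leaves."""
        return self.resolve(vid, now) is not None


if __name__ == "__main__":
    vault = VidVault(lifetime=timedelta(hours=1))
    t0 = datetime(2018, 1, 18, 12, 0)
    first = vault.generate("999900001111", t0)   # constructed sample number
    second = vault.generate("999900001111", t0)  # regenerating retires `first`
    print(vault.authenticate(first, t0), vault.authenticate(second, t0))
```

The design point is that the mapping lives only inside the vault: an agency holding a VID learns nothing it can reuse once the holder regenerates or the VID expires.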

Last week, Nandan Nilekani, the UIDAI architect, also backed the virtual ID arrangement announced by the UIDAI. He said, “everybody has to accept Aadhaar is here to stay,” and with virtual IDs, UIDAI has taken a step in that direction.

Limited KYC: The UIDAI has further introduced a limited KYC (know your customer) process wherein only some entities, categorised as global authentication user agencies (global AUAs), will be allowed to store a citizen’s Aadhaar number, while others, known as local AUAs, will not be allowed to store Aadhaar numbers.

These agencies will be given a UIDAI token specific to them, to enable them to uniquely identify their customers. The UID token, a unique character for system usage, will be unique to every authentication request made by a global or local AUA.

Currently, every agency that uses Aadhaar for KYC authenticates a user and often stores a person’s Aadhaar number. However, the new measures do not specify what happens to the Aadhaar numbers that have already been stored by public or private entities. 

Nonetheless, security measures around Aadhaar authentication continue to be a debatable issue and are subject to scrutiny. In a recent interview with ET Now, RS Sharma, Chairman, TRAI, said, “…sharing Aadhaar password and username with somebody who can do transactions is not a data breach, it is a breach of trust.”

Despite that, reports show that Indian citizens are showing more interest in new biometric technologies than in existing security systems such as passwords and PINs. A new survey by digital payments major Visa showed that new forms of authentication, such as fingerprint, facial, and voice recognition, can make unlocking accounts and payments much easier and more convenient than traditional passwords or PINs, which are difficult to type onto tiny keyboards, easy to forget, and can be stolen.

Hence UIDAI’s move, which aims to strengthen the privacy and security of Aadhaar data and comes amid heightened concerns around the collection and storage of personal and demographic data of individuals, can be a success only when implemented effectively.