On 10th January 2018, UIDAI issued a circular outlining the details of its proposed Virtual Aadhaar ID system, along with the introduction of the “Limited KYC” system, which does not return the Aadhaar number and only provides an “agency specific” unique UID token so that agencies no longer store the Aadhaar number.
Under this system, Aadhaar owners could go to the UIDAI website and obtain a Virtual Aadhaar ID (VID) by providing the Real Aadhaar ID (RID) and responding to the OTP request. This would be a 16-digit random number which, at the back end, would be mapped to the real Aadhaar ID and its information. But this VID would be temporary, and the user can use it once or for any limited time until he goes back to the UIDAI website and obtains a fresh VID. If the user wants to re-use the VID which he has earlier generated, he can “Retrieve” the VID.
The mobile number is of course the key to the security of the VID since the control is only through the OTP.
While we can debate the security of the OTP, there is also a concern that the real risk in Aadhaar usage is when the biometric is given for authentication. There is no doubt that OTP is less safe than biometric for authentication purpose but from the point of the user, loss of biometric is a permanent loss while loss of OTP is a temporary loss. Loss of money due to fraudulent use of OTP may perhaps be recovered but the loss of biometric would permanently disable a person from many other services where he can be impersonated with the stolen biometric. At this point of time, it is not clear if UIDAI has any security measures for loss of biometric but let us now stick to our discussion on the OTP based VID system.
It was directed by UIDAI that all agencies using Aadhaar authentication and e-KYC services shall ensure that users can provide the 16-digit VID instead of the 12-digit real Aadhaar ID.
For the Limited KYC system, all AUAs were categorized into two categories namely “Global AUAs” and “Local AUAs”. Once the VID system was introduced, only Global AUAs would have access to e-KYC and all others would have access only to limited KYC.
Global AUAs alone will be eligible to access Real Aadhaar IDs, and Local AUAs will work only with VIDs. During the VID authentication process, UIDAI will return a unique number or “Token” which can be stored by the agency for its reference of the customer and his Aadhaar authentication. This token will be agency specific and will be the same for a given agency and a given Aadhaar number. This will be a 72-character alphanumeric string meant only for system usage.
Subsequent authentication would be allowed for the agency using the token; hence, without storing the Real Aadhaar ID, the agency can store the token number and use it for authentication whenever required.
Only Global AUAs are allowed to securely store the Aadhaar number and may be subjected to greater information security oversight by UIDAI.
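A toy model of the VID mapping and agency-specific token described above, added here as an illustration and not UIDAI's code. The page does not say how the token is derived, so the keyed HMAC, the class and method names, the agency IDs and the sample Aadhaar number are all assumptions:

```python
import hashlib
import hmac
import secrets


class VidBackend:
    """Toy stand-in for the back end that maps VIDs to real Aadhaar IDs."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # back-end secret (assumed design)
        self._vid_to_rid = {}                # live VID -> real Aadhaar ID
        self._rid_to_vid = {}                # real Aadhaar ID -> live VID

    def generate_vid(self, rid):
        """Issue a fresh 16-digit random VID; the earlier one stops working."""
        old = self._rid_to_vid.pop(rid, None)
        self._vid_to_rid.pop(old, None)
        vid = f"{secrets.randbelow(10**16):016d}"
        while vid in self._vid_to_rid or vid == old:
            vid = f"{secrets.randbelow(10**16):016d}"
        self._vid_to_rid[vid] = rid
        self._rid_to_vid[rid] = vid
        return vid

    def retrieve_vid(self, rid):
        """Return the VID generated earlier, if one is still live."""
        return self._rid_to_vid.get(rid)

    def token_for(self, rid, agency_id):
        """72-character token: stable per (agency, Aadhaar), differs across agencies."""
        msg = f"{agency_id}|{rid}".encode()
        return hmac.new(self._key, msg, hashlib.sha512).hexdigest()[:72]

    def authenticate(self, vid, agency_id, is_global_aua=False):
        """Resolve a VID; Local AUAs get only the token, Global AUAs also the RID."""
        rid = self._vid_to_rid.get(vid)
        if rid is None:
            return None                      # unknown or superseded VID
        result = {"token": self.token_for(rid, agency_id)}
        if is_global_aua:
            result["aadhaar"] = rid
        return result


if __name__ == "__main__":
    backend = VidBackend()
    rid = "999900001111"                     # constructed sample, not a real ID
    vid = backend.generate_vid(rid)
    print(vid, backend.authenticate(vid, "AUA-BANK"))
```

Because the token depends on both the agency and the Aadhaar number, two Local AUAs holding tokens for the same person cannot match their records against each other by token alone.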
In this circular, it was stated that the new system would come into force from 1st June 2018. However, in subsequent reports, on the UIDAI website (“RBI instructs Banks to tweak their systems by June 30” and “UIDAI extends deadline to deploy virtual ID system”), the deadline for implementation was extended by one month, and this expires on June 30, 2018.
It would therefore be compulsory for all Aadhaar User agencies to be ready to use the VID system by 1st July 2018. It is reasonable to expect that UIDAI may stop authentication of Real Aadhaar IDs for “Local AUAs” from 1st July 2018.
To an independent observer like the undersigned, it appears that the private sector is not keen on introducing the system any time in the next few days or weeks, probably because they do not think UIDAI is serious in its efforts. Even Banks may not be ready and may ignore the RBI directions in this regard by giving some excuse or other.
UIDAI has also not yet updated the list of Global AUAs nor given any public information on the criteria under which the existing AUAs will be reclassified. It can be presumed that all existing AUAs will be considered as Local AUAs unless they are reclassified as Global AUAs, for which they may have to enter into a fresh contract with UIDAI.
At present it is not clear if UIDAI has moved in the direction of this documentation for re-classification. Also it is not clear if Banks are ready for the new system by 1st July 2018. Hence we need to wait and see if UIDAI will again extend the deadline or show some seriousness in the introduction of the scheme.
It may be reiterated that if UIDAI does not show seriousness in implementing the new system, Government’s case in Supreme Court to retain Aadhaar linking to vital services would become weaker.
Unless UIDAI itself wants to sabotage Mr Modi’s drive against black money and benami property, UIDAI should force user agencies to switch over to the VID system promptly by 1st of July 2018 or within a short term extension of say another 7 days.
Will UIDAI clarify?
Naavi