UIDAI announced the Virtual Aadhaar ID system in January and made it available from 1st March 2018, giving time up to 30th June 2018 for AUAs/KUAs to tweak their systems. Then it extended the time up to the end of June. (Refer: Is Private Sector ignoring Virtual Aadhaar ID?)
Now we understand that UIDAI has provided further breathing time to the user agencies that have so far made no attempt to introduce the new system. According to the UIDAI plans, the current KYC system, in which the eKYC provider collects the Real Aadhaar ID (RID) and makes a query through an API that pulls all the demographic data attached to the ID into a form at the eKUA’s end, will be restricted to only those agencies which will be called “Global AUAs”. Others would be allowed “Limited KYC”.
The agencies that are presently AUAs and are not upgraded to Global AUAs would be called “Local AUAs” and would not be permitted to make queries based on RIDs. Instead, they need to implement a new API where a 16-digit input, namely the “Virtual Aadhaar ID” (VID), would be taken from the Aadhaar user, with or without biometric, for KYC purposes. Before providing such a number, the user should have gone to the UIDAI website and generated this 16-digit VID by providing the RID and responding to the OTP.
The Local AUA would get the response from UIDAI, which refers to the CIDR on the back end and returns a “Token number” for the authentication. The Local AUA would store this token as a reference for the verification.
Implementing this required UIDAI to reclassify the registered AUAs, and the AUAs to implement the new API. The front end of all agencies which used Aadhaar had to be modified to take the input of the 16-digit VID instead of the 12-digit RID. (Refer: It is Y2K moment again in India, with Virtual Aadhaar ID.)
However, despite some prodding, no such change was visible in the industry. No warnings came forth from UIDAI, and it did not even post noticeable warnings on its website.
Now, according to a TOI report which surfaced late last night, the deadline for implementation of VID has been extended up to August 31st 2018. The report is based on a statement made by somebody in UIDAI, which does not yet appear among the press releases on the UIDAI website even this morning. The report mentions a “Release”, and we can presume that UIDAI will post it on its website by tomorrow.
According to the report:
- Banks will be designated as Global AUAs, but the telecom authorities and others, including e-sign companies, would be designated as Local AUAs.
- Time is provided up to August 31 for implementation. However, from 1st July 2018, a charge of Rs 0.20 will be levied on each authentication as a disincentive. This will be a provisional charge which may be waived if the migration is completed before August 1.
- If the VID system is not implemented by August 31, UIDAI will be free to terminate the AUA license or impose higher financial disincentives.
Let’s hope that, for whatever it is worth, the VID system will be in place after August 1, 2018. It will at least avoid further leakage of Aadhaar numbers, along with the associated data, from the user end, as has happened in the past.
UIDAI has also stated that there would be further improvements in the form of new authentication methods. “Face Recognition” is also expected to be introduced by August 1, 2018 and could add more security to the system where Global AUAs undertake authentication based on RIDs.
The OTP insecurity will still remain, but we need to think of alternatives to OTPs to overcome this problem.
Need for Awareness Creation
The CEO of UIDAI, Mr Ajay Bhushan Pandey, is quoted as stating that a number of AUAs have tested the new API in their usage environment, though no migration has happened. However, this could just be a gracious statement meant to boost the morale of the AUAs, since it appeared that the industry just did not care and had no intention to adapt to the change. Most of them are perhaps waiting for the Supreme Court to scrap the Aadhaar system and hence do not want to make changes at this stage.
I recently had an encounter with a Bank and the officials had no clue of either the biometric lock system or the proposed VID system. If the Bank had sent a circular, perhaps they would have known. This vindicates our observation that even Banks have so far taken no steps to keep their employees aware of the changes that are occurring in the Aadhaar system.
There is a serious concern among some experts that the VID system will not be used, since it is too cumbersome for less educated users.
The need for education of the masses on the use of Aadhaar is therefore indicated more than ever before since we need to not only tell people why Aadhaar authentication is used but also how to generate VIDs and keep changing the VIDs from time to time.
mAadhaar needs to be upgraded
I suppose the mAadhaar application should itself provide an option to generate VID, which it has not done so far. Alternatively, mAadhaar download itself should be enabled on VID basis at least as an option. UIDAI has to show the way for others by implementing the 16-digit input option of VID on mAadhaar immediately, along with a provision to change it. The resulting VID can be shared by the users with the Local AUAs as and when necessary without going to the web.
Technical Glitches to be corrected
In one of my recent encounters, I found that the UIDAI website could not complete biometric unlocking on the Chrome browser on my Android phone, and I had to download the Mozilla mobile browser to complete it on the mobile at the Bank where the KYC was being done. The Bank’s system, which was rejecting the fingerprints, did not provide a proper error statement indicating that the error was because of the biometric lock, and it was only after repeated failures that I was able to figure out the cause and unlock it through the Mozilla browser.
These technical glitches need to be set right by UIDAI, as otherwise there will be complaints on denial of basic rights of citizens due to denial of service at the Aadhaar end.
Looking forward to further developments and official information from UIDAI on the extension of time and other issues mentioned above.
Naavi