After Data Breaches and Leaks, UIDAI Rolls Out New Security Measures

A new 'virtual ID' and 'UID token' system will roll out from March 2018 in an attempt to crack down on privacy violations by errant private enrolment partners and authentication agencies. 

Like how the UPI system works for bank transfers, the UIDAI hopes the virtual ID will allow users to no longer hand over their Aadhaar numbers. Credit: Reuters

New Delhi: A new sweeping two-tier security system for the Aadhaar programme was announced by the Unique Identification Authority of India (UIDAI) on Thursday, weeks after a wave of data breaches and leaks raised fresh privacy and security concerns.

One new measure is the introduction of a “virtual ID” for every Aadhaar holder – a temporary 16-digit number mapped to the user’s Aadhaar number, which will allow the individual in question to avoid furnishing his or her Aadhaar number at the time of authentication.

The second, according to an IT ministry notification, is the creation of a “limited KYC (know your customer) service” that will purportedly prevent agencies from storing Aadhaar numbers during the paperless KYC process.

“Residents are currently required to share Aadhaar number to authenticate their identity to avail various services. With the introduction of virtual ID (VID), a fungible number mapped to the Aadhaar number, Aadhaar number holders will have an option not to share their Aadhaar number to improve privacy,” the notification says.


The UIDAI notes that it is “not possible” to derive the Aadhaar number from the VID and that it can be generated through the “UIDAI’s resident portal, an Aadhaar enrollment centre and the mAadhaar mobile application”.

According to government officials The Wire spoke to, it will essentially work like a UPI ID, which maps to a person’s bank account number.

Limited KYC

The other concerning privacy issue is how authentication user agencies (AUA) store a person’s Aadhaar number during the paperless or eKYC process.

“While VID allows Aadhaar number holders to avoid sharing Aadhaar number, storage of Aadhaar numbers within various databases also needs to be further regulated. Limited KYC will allow agencies to do their own paperless KYC process without access to the Aadhaar number,” the notification states.

A screenshot of the UIDAI notification. Credit: The Wire

UIDAI plans on categorising all AUAs into two categories – global AUAs and local AUAs. The latter will only be allowed to initiate limited KYC processes.

Essentially, local AUAs will carry out the same KYC process but do it with a “unique UID token” instead of an Aadhaar number.

“UID token allows an agency to ensure uniqueness of its beneficiaries, customers etc without having to store Aadhaar number in their databases while not being able to merge databases across agencies thus enhancing privacy. All agencies should use UID tokens within their system,” the notification states.

When a local AUA pings UIDAI for an authentication request, UIDAI (in response to the limited KYC request) will return a unique UID token. This token will remain unique for an Aadhaar number for all authentication requests by that particular entity – however for a particular Aadhaar number, there will be different tokens when it comes to different AUAs and sub AUAs.
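The token behaviour described above can be illustrated with a short sketch. This is an added example, not UIDAI's code: the notification does not say how tokens are derived, so the HMAC-SHA256 construction, the issuer key, the agency codes and the 12-digit numbers are all assumptions made up for illustration.

```python
import hashlib
import hmac

# Assumption: the issuer derives tokens with HMAC-SHA256 under a secret key
# that never leaves it. The notification does not describe UIDAI's method.
ISSUER_KEY = b"constructed-demo-key-not-a-real-secret"


def uid_token(aadhaar_number: str, agency_code: str, key: bytes = ISSUER_KEY) -> str:
    """Return the token one agency sees for one Aadhaar number."""
    # Length-prefix the agency code so two different (agency, number) pairs
    # can never produce the same byte string.
    msg = (len(agency_code).to_bytes(2, "big")
           + agency_code.encode() + aadhaar_number.encode())
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def enrol(agency_code: str, aadhaar_numbers: list[str]) -> dict[str, str]:
    """Simulate an agency database keyed by token; the number is never stored."""
    db = {}
    for number in aadhaar_numbers:
        # A repeat enrolment maps to the same key, so duplicates collapse.
        db[uid_token(number, agency_code)] = f"customer record held by {agency_code}"
    return db


def linkable_records(db_a: dict, db_b: dict) -> set:
    """Tokens two agencies could join on if they pooled their databases."""
    return set(db_a) & set(db_b)


# Constructed sample data: made-up 12-digit numbers and hypothetical agency codes.
RESIDENTS = ["999911112222", "999933334444", "999955556666"]
BANK_DB = enrol("LOCAL-AUA-BANK", RESIDENTS)
TELCO_DB = enrol("LOCAL-AUA-TELCO", RESIDENTS)

if __name__ == "__main__":
    print("stable for one agency:",
          uid_token(RESIDENTS[0], "LOCAL-AUA-BANK") in BANK_DB)
    print("duplicate enrolment collapses:",
          len(enrol("LOCAL-AUA-BANK", RESIDENTS + RESIDENTS[:1])) == 3)
    print("records linkable across agencies:",
          len(linkable_records(BANK_DB, TELCO_DB)))
```

Under this assumed construction the privacy property rests entirely on the issuer key staying secret: anyone holding it could recompute tokens for every 12-digit number and reverse the mapping.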

Crucially, however, global AUAs will not need to adhere to the token system. When they perform authentication requests, they will be given the Aadhaar number and a token.

System rollout date?

In order for these two new security measures to work, all AUAs will need to rejig their systems, to make sure they can accept a VID instead of an Aadhaar number and use a UID token within their database instead of an Aadhaar number.

The UIDAI plans on rolling out “necessary APIs with implementation” by March 1, 2018, and all agencies will have to migrate to the new system by June 1, 2018, failing which their authentication services will be discontinued.