INTRODUCING ONE of the most significant changes since its inception, the Unique Identification Authority of India (UIDAI) has added another layer of protection on the use of Aadhaar as proof of identity. The UIDAI said Wednesday that it has introduced Virtual IDs (VID) that Aadhaar holders will be able to generate for a temporary period and can use in place of Aadhaar numbers to validate their identity. This temporary number, like an OTP, will be valid for a particular time period decided by UIDAI, unless revoked and replaced by the Aadhaar holder.
The parent body of the Aadhaar project has also brought in Limited KYC (Know Your Customer) and UID Tokens, in an attempt to assuage privacy and security concerns about Aadhaar numbers being used and stored by many public and private entities. The new measures, which will be introduced by March 1, will provide up to two layers of firewalls between the Aadhaar-holder and authentication agencies from getting access to an Aadhaar number. All authentication bodies must fully migrate to the new system by June 1.
The latest move comes at a time when the UIDAI is facing criticism for registering an FIR against a reporter of The Tribune for a report claiming that unknown agents had provided access to Aadhaar’s demographic database for Rs 500. The UIDAI had denied that its “Aadhaar biometric database” had been breached. In its latest circular, the UIDAI said that the VID will be a 16-digit number that can be used in place of the Aadhaar number “to avoid the need of sharing of the Aadhaar number at the time of authentication”. This, UIDAI said, will reduce the collection of Aadhaar numbers by various agencies.
The VID will be a temporary number “mapped with the Aadhaar number”. The UIDAI said it will not be possible to derive the Aadhaar number using a VID. For any given Aadhaar number, there will only be one active VID at any given time; the Aadhaar-holder will be able to revoke or generate a new one after a maximum validity period. Since the VID will be temporary, the UIDAI said, it can’t be de-duplicated, nor will authentication agencies be able to generate one on behalf of the Aadhaar-number holder.
The options to generate, retrieve or replace VIDs by the holder of an Aadhaar number will be available through UIDAI’s portal, enrollment centers, Aadhaar’s mobile app, etc. Additionally, to “regulate” the number of agencies where Aadhaar is required and stored as a proof of identity to avail services, the UIDAI has introduced the concept of Limited KYC. It will divide the Authentication User Agencies (AUAs) into two categories: Global AUAs and Local AUAs. Only agencies whose services require them to store the Aadhaar number as per law will be qualified as Global AUAs and allowed to do so. Local AUAs will only be allowed Limited KYC and will not be allowed to store the Aadhaar numbers.
The UIDAI will issue “agency specific UID Tokens” to Local AUAs, which will help them identify customers. UIDAI said it will “reserve the right to determine, in addition to UID Token, what demographic fields need to be shared with the Local AUAs depending upon its need”. A UID Token will be specific to the authentication agency and the Aadhaar number. To authenticate the identity of a beneficiary, the UID will provide a unique token for a particular Aadhaar number, which will remain same for that number for one particular authenticating entity. For any other authentication body, the UID Token for the same Aadhaar number will be different.
The UID Token, the Aadhaar-issuing body said in the circular, “allows an agency to ensure uniqueness of its beneficiaries, customers etc. without having to store the Aadhaar number in their databases while not being able to merge databases across agencies thus enhancing privacy substantially”. Global AUAs can store Aadhaar numbers and will also be provided UID Tokens for each Aadhaar number in response to any e-KYC request, which they can use as per their need to authenticate.
All the authentication agencies have been asked by UIDAI to update their systems to allow for VID, UID Tokens and Limited or Full KYC services, depending on their categorisation.