While the introduction of new features such as face authentication, virtual ID, and limited know-your-customer (KYC) by the Unique Identification Authority of India (UIDAI) is being seen as a reaction to mounting public pressure over the security of Aadhaar, experts who helped build the citizen identity system say these have been in the pipeline for a long time.
Pegged to be fully functional by July 1, the new features will make Aadhaar more secure, but that hasn’t stopped the UIDAI from drawing flak over the recent issue of rogue agents selling demographic data of individuals. Moreover, the agency’s handling of the issue has not inspired confidence among the public and security researchers.
Experts say that for a system of Aadhaar’s size, security is continually evolving. Lalitesh Katragadda, former head of Google’s product centre in India, who also helped build Aadhaar, says as a country we need to understand there’s “no such thing as a 100 per cent secure system.” While security gaps will always exist, he says it’s the UIDAI’s duty to ensure there’s no “large-scale theft of people’s identity.”
According to him, the new security features will help significantly in this regard. Face authentication will be another biometric Aadhaar will begin offering to combat the reportedly high failure rates of fingerprint authentication. The system will use common webcams to capture photos of individuals and match them with the existing photo on the UIDAI’s database.
The system will not use any high-end, hardware-backed facial recognition like that of the recently launched iPhone X, which the company claims is more accurate than its previous fingerprint authentication technology. The UIDAI will work around this issue by clubbing face authentication with other forms of authentication: fingerprint, iris scan or a one-time password sent to a user’s mobile phone.
While it isn’t known how exactly the feature will be built into apps relying on Aadhaar authentication, Srikanth Nadhamuni, the former chief technology officer of Aadhaar, envisions a scenario where a photo of an individual could be captured and matched when fingerprint authentication fails, in order to improve the probability of a match.
But even this isn’t a foolproof plan, some believe. “Your face is again a biometric, and that comes with the same host of issues that’s plaguing the other biometrics that have so far been used,” says Sunil Abraham, executive at Bengaluru-based think tank, Centre for Internet and Society.
The other feature, virtual ID, will allow a user to generate a 16-digit stand-in in place of their 12-digit Aadhaar, helping address the qualms of people who do not want to share their original Aadhaar number. Users will be able to generate this by logging into the e-portal, visiting an Aadhaar enrolment centre, or using the mAadhaar app.
The idea is that by masking the Aadhaar numbers of individuals, all the subsequent fears they have of people misusing their Aadhaar will be relaxed. Moreover, the UIDAI will allow a user to generate as many virtual IDs as they want; when a new one is made the old one is destroyed. This feature, however, will be an opt-in due to a major issue Aadhaar faces.
“A lot of people in rural India are using their Aadhaar for authentication under the Public Distribution System and Mahatma Gandhi National Rural Employment Guarantee Scheme and so on and it’s working for them. You don’t want to confuse all of them and ask them to create yet another number,” says Nadhamuni.
The final feature, limited KYC, is aimed at further securing the Aadhaar number and details of individuals by masking them on databases of services that use them. First, the UIDAI will begin discriminating between services that need all of Aadhaar’s demographic data (name, age, sex, address, and photograph) and those that don’t.
With bodies and companies that don’t require all of a user’s data, say their address and photograph, the UIDAI will stop sharing it with them at the time of authentication. Moreover, a 72-digit alphanumeric UID token will be generated and stored on the databases of all services, in place of a user’s actual Aadhaar.
The idea is that the fewer places a person’s Aadhaar details are stored, the fewer chances of them leaking. However, how the UIDAI will handle the masking of Aadhaar on databases of services where people have already seeded their Aadhaar remains to be seen, and this is one of the biggest contentions security experts have with the effectiveness of the new feature.
While all three of these new features were discussed at the time of inception, they were not rolled out to avoid making the system too complex at launch. Katragadda, who has worked on building many large application programming interfaces at Google, agrees that systems should avoid rolling out too many features at launch and that these should be introduced later.
On the entire row over Aadhaar security, he says, “Just because people violate the law, doesn’t mean we should not have systems. Otherwise we need to have this holy grail of a system which is perfectly automated, and we’re still at least 20 years away from that.”