UIDAI proposes biometric lock, offline verification in new draft rules

The Unique Identification Authority of India, the agency that administers Aadhaar, has proposed to allow people to permanently lock their biometrics, introduce a mechanism for offline Aadhaar number verifications, and using a system called Aadhaar Number Capture Service Token or ANCS Token.  

"The Authority may enable an Aadhaar number holder to permanently lock his biometrics and temporarily unlock it when needed for biometric authentication. All biometric authentication against any such locked biometric records shall fail with a “No” answer with an appropriate response code,"  the UIDAI said in its Draft Aadhaar (Authentication and Offline Verification) Regulations, 2021, which are intended to replace the Aadhaar (Authentication) Regulations, 2016.

In case of a locked Aadhaar, the UIDAI will allow the resident to authenticate using Virtual ID or other means.

These proposals were put up in the draft by the UIDAI on May 20 for public consultation.

The ANCS is described as an "encrypted Aadhaar number generated for an Aadhaar number by the Authority for completion of an authentication transaction. ANCS Token shall be valid for a short period of time as prescribed" by the UIDAI. There was no further explanation of whether ANCS would be a new system or a capability built on top of existing UIDAI authentication mechanisms.

A big focus, as suggested by the title of the new regulation, is offline verification of Aadhaar. "Offline Verification,” as per the draft, is the process of verifying the identity of the Aadhaar number holder without authentication, through offline methods specified by UIDAI.

These include QR Code verification, Aadhaar paperless offline e-KYC verification, e-Aadhaar verification, offline paper based verification, and other type of offline verification introduced by the UIDAI from time to time.

Salman Waris, Partner - Head TMT and IP Practice at Delhi-based TechLegis Advocates & solicitors called the draft a positive step, but cautioned against more inequalities, similar to the ones the draft tries to fix.

"This is a positive step but caters only to the urban elite, very much like the current Co-win vaccine registration. How many poor villagers or illiterate labourers would know how to permanently lock his biometrics and temporarily unlock it when needed for biometric authentication linked to Aadhaar number? They will again be dependent on someone and this may lead to further frauds and identity thefts and impersonation," Waris said.

Before this, the UIDAI allowed offline verification through an "Offline Aadhaar Data Verification Service," which involved the resident going through a series of steps to generate a secure document.

However the regulations also say "the entities which are not allowed to collect or store the Aadhaar number shall ensure that the first 8 digits of the Aadhaar number are redacted or blacked out through appropriate means in all of the entities’ records before storing the physical copies".

The new regulations also define an Offline Verification Seeking Entity or OVSE as one that wants to undertake offline verification of an Aadhaar number holder.  "An OVSE may use the offline verification facility provided by the Authority for obtaining the offline Aadhaar data of the Aadhaar number holder only for the purpose specified to the Aadhaar number holder at the time of verification," the draft notes.

The draft further says, "No entity or person shall perform Offline Verification on behalf of another entity or person. An OVSE may store, with consent of the Aadhaar number holder, offline Aadhaar data of the Aadhaar number holder, received upon Offline Verification, securely as per the guidelines issued by the Authority from time to time."

It also empowers the Aadhaar number holder to revoke consent given to an OVSE for storing his/her offline Aadhaar data. If a person or entity does so, the OVSE will have to delete the offline Aadhaar data in a verifiable manner and provide an acknowledgement of having done so to the Aadhaar number holder.