Authentication Service Agency (ASA)
ASAs are agencies that have established secured leased line connectivity with the CIDR compliant with UIDAI’s standards and specifications. ASAs offer their UIDAI-compliant network connectivity as a service to requesting entities (such as AUAs/KUAs) and transmit their authentication requests to CIDR.
An ASA plays the role of an enabling intermediary. Only entities that are partnered with UIDAI as ASAs shall gain access to UIDAI’s systems and send authentication requests to UIDAI’s CIDR; no other entity can directly communicate with CIDR. An ASA could serve several requesting entities, and may also offer value added services such as multi-party authentication, authorization and MIS reports to requesting entities.
Examples of ASAs
- An agency such as National Payments Corporation of India (NPCI) that is currently mandated as the umbrella organisation to operate the retail payment systems in the country.
- DIT/NIC that provides connectivity solutions to various Central and State Government ministries / departments
- Telecom carriers, depository bodies etc that provide related services to multiple organizations
ASA Eligibility Criteria
- A Central/ State Government Ministry / Department or an undertaking owned and managed by Central / State Government OR
- An Authority constituted under the Central / State Act OR
- A Not-for-profit company / Special Purpose organization of national importance OR
- A company registered in India under the Indian Companies Act 1956 meeting the following requirements:
  - Financial capabilities: An annual turnover of at least Rs. 100 crores in last three financial years, and
  - Technical capabilities:
    - A Telecom Service Provider (TSP) operating pan India fibre optics network and should have a minimum of 100 MPLS Points of Presence (PoP) across all states OR
    - A Network Service Provider (NSP) capable of providing network connectivity for data, voice transmission and should have an agreement with the TSP having 100 MPLS PoPs OR
    - A System Integrator having necessary arrangement with TSP/NSP as described above
- The agency should not have been blacklisted by Central / State Governments / PSUs of Central / State Governments in the last five years
For more details, please refer to the ASA Onboarding process document.
The entity should give an undertaking and demonstrate the capability to design, configure, implement and maintain the infrastructure and systems required for an ASA as per the guidelines outlined in the ASA handbook, and certify that necessary human resources with requisite skills are in place to perform the functions required as an ASA.
The existing ASA providers should explicitly register with UIDAI to enable them for providing e-KYC service to their customer base. The e-KYC service responds with Aadhaar number holder’s demographic information along with the photograph and the ASAs would pass the information to the requesting entities and use the information to provide additional services.
The decision of UIDAI regarding engagement of ASA shall be final.
ASA Readiness Stages
- Fill online application form: Any agency meeting the eligibility criteria as specified by UIDAI for appointment as Authentication Service Agency (ASA) shall submit an application online. UIDAI has published an online workflow based application form for engaging ASAs.
- Send signed contract and supporting documents to UIDAI: The ASA should send a hardcopy of the signed contract along with required supporting documents to UIDAI. The online application would be approved by UIDAI upon receipt of the required documents.
- Establish leased line connectivity with CIDR: The ASA needs to draw secure leased line or MPLS connectivity from its data centre to CIDR. The ASA should plan bandwidth, redundancy etc. based on its business requirements. At least 1 pair of enterprise class routers (in active-standby mode to eliminate single point of failure) needs to be provisioned by ASAs while terminating leased line at CIDR.
  Although ASAs can choose to provision leased line connectivity to one of the data centres, it is highly recommended that ASAs provision dual redundant links to both data centres, viz. Hebbal Data Centre (HDC) and Manesar Data Centre (MDC), to ensure high availability and reliability of Aadhaar services for their requesting entities.
- Ensure process and technology compliance: The ASA needs to set up necessary systems, processes, infrastructure etc. in compliance with UIDAI's standards and specifications as laid down in the ASA handbook. Compliance with various requirements needs to be confirmed to UIDAI through the online application form.
- Obtain approvals from UIDAI: UIDAI would approve an ASA's application form when various compliance requirements are met. An ASA should engage with UIDAI during the process and provide necessary clarifications, as required.
- Carry out end-to-end testing: An approval from UIDAI allows ASA to carry out end-to-end testing of their connectivity with the CIDR in UIDAI’s Pre-Production environment. Before going live, it is highly recommended that an ASA works with the requesting entity to carry out end-to-end testing of the connectivity from devices to requesting entity to ASA to CIDR and reverse response communication. An ASA should also carry out load testing to ensure bandwidth adequacy. The ASA would also need to get the systems related to Aadhaar authentication audited by information systems auditors certified by a recognized body before going live.
- Go-live: An ASA can get into the “go-live”/ Production stage only after confirmation of adherence to all UIDAI’s process procedures in pre-production environment. UIDAI plans to manage the same through online workflow based application. In addition, an ASA can transmit an authentication packet only after it engages with the requesting entity.
- Engage with Requesting Entities: An ASA may enter into a formal agreement with the requesting entities that it supports. UIDAI has a set of proposed guidelines that may be included in the contract between an ASA and an AUA (Guidelines to ASA-AUA Agreement). However, the agreement (and commercial terms, if any) between an ASA and an AUA is at the sole discretion of the signing parties and UIDAI does not have any responsibilities regarding the same. Similarly, if an ASA provides any value added services to an AUA over and above Aadhaar based authentication, UIDAI will not be liable for any such services.
Key ASA Responsibilities
- Ensure compliance of authentication related operations (processes, technology, security, etc.) to UIDAI's recommended standards, as indicated in ASA Handbook.
- Log and maintain details of all authentication transactions as prescribed by UIDAI and in accordance with Aadhaar Act.
- Get its operations and systems related to Aadhaar Authentication audited as specified in the ASA Handbook.
- Perform basic checks on the authentication input and forward it to CIDR
- Transmit the result of the authentication transaction received from CIDR to the AUA that has placed the request
- Inform UIDAI of the engagement/ disengagement of requesting entities that it serves
- Inform UIDAI of any misuse of Aadhaar data, authentication services, or any compromise of Aadhaar related data or systems.
Mandatory Security Requirements
- ASAs can connect to the CIDR only through a leased line or MPLS connectivity.
- The meta data and the CIDR responses should be logged for audit purposes in accordance with the provisions of the Aadhaar Act.
- Encrypted Personal Identity Data (PID) of the Aadhaar number holder and license keys (as provided by UIDAI to access its services) that came as part of the authentication packet should never be stored anywhere in the ASA's system. This is to ensure compliance with respect to protection of Aadhaar number holder information, as mandated through the Aadhaar Act.
- The network between requesting entity and ASA should be secured through appropriate network protocols as prescribed in the ASA handbook.