About Requesting Entities (AUA, KUA)
As per the Aadhaar Act 2016, a requesting entity means an agency or a person that submits Aadhaar number and demographic information or biometric information, of an individual to the Central Identities Data Repository (CIDR) for authentication.
Authentication User Agency (AUA) is an entity engaged in providing Aadhaar Enabled Services to Aadhaar number Holder, using the authentication as facilitated by the Authentication Service Agency (ASA). An AUA may be government / public / private legal agency registered in India, that uses Aadhaar authentication services of UIDAI and sends authentication requests to enable its services / business functions.
Sub AUAs are agencies that use Aadhaar authentication to enable its services through an existing requesting entity.
A requesting entity (such as AUA, KUA) connects to the CIDR through an ASA (either by becoming ASA on its own or by contracting services of an existing ASA).
Appointment of Requesting Entities (Authentication User Agency & e-KYC User Agency)
- Agencies seeking to become requesting entities to use the authentication facility provided by the Authority shall apply for appointment as requesting entities in accordance with the procedure as may be specified by the Authority for this purpose. Only those entities that fulfill the criteria laid down in Schedule A are eligible to apply. The Authority may by order, amend Schedule A from time to time so as to modify the eligibility criteria.
- The Authority may require the applicant to furnish further information or clarifications, regarding matters relevant to the activity of such a requesting entity, as the case may be, which may otherwise be considered necessary by the Authority, to consider and dispose of the application.
- The applicant shall furnish such information and clarification to the satisfaction of the Authority, within the time as may be specified in this regard by the Authority.
- While considering the application, the information furnished by the applicant and its eligibility, the Authority may verify the information through physical verification of documents, infrastructure, and technological support which the applicant is required to have.
- After verification of the application, documents, information furnished by the applicant and its eligibility, the Authority may:
a. approve the application for requesting entity, as the case may be; and
b. enter into appropriate agreements with the entity or agency incorporating the terms and conditions for use by requesting entities of the Authority’s authentication facility, including damages and disincentives for non-performance of obligations.
- The Authority may from time to time, determine the fees and charges payable by entities during their appointment, including application fees, annual subscription fees and fees for individual authentication transactions.
Mandatory Security Requirements
- Aadhaar number should be never used as a domain specific identifier.
- In the case of operator assisted devices, operators should be authenticated using mechanisms such as password, Aadhaar authentication, etc.
- Personal Identity Data (PID) block captured for Aadhaar authentication should be encrypted during capture and should never be sent in the clear over a network.
- The encrypted PID block should not be stored unless it is for buffered authentication for a short period, currently configured as 24 hours.
- Biometric and OTP data captured for the purposes of Aadhaar authentication should not be stored on any permanent storage or database.
- The meta data and the responses should be logged for audit purposes.
- Network between AUA and ASA should be secure.
Requesting Entities (AUA/KUA) Responsibilities and Data Securities
For Requesting Entities (AUA/KUA) Responsibilities and Data Securities the Aadhaar Act, 2016 and its regulations may be referred