Aadhaar Paperless Offline e-KYC

Introduction

UIDAI has launched Aadhaar Paperless Offline e-KYC to allow Aadhaar number holders to voluntarily use it for establishing their identity in various applications in a paperless and electronic fashion, while still maintaining privacy, security and inclusion.

Why Aadhaar Paperless Offline e-KYC?

UIDAI provides a mechanism to verify the identity of an Aadhaar number holder through an online electronic KYC service. The e-KYC service provides an authenticated instant verification of identity and significantly lowers the cost of paper-based verification and KYC. However, this method of online e-KYC is not available to all agencies and may not be suitable for some of the following reasons:

  • Online e-KYC requires reliable connectivity
  • Agency needs to have technical infrastructure to call online e-KYC service and deploy devices (as necessary)
  • The resident may need to provide biometrics for the online e-KYC
  • UIDAI maintains a record of the KYC request for audit purposes

Advantages of Aadhaar Paperless Offline e-KYC

  • Privacy :
    • KYC data may be shared by the Aadhaar number holder directly without the knowledge of UIDAI.
    • Aadhaar number of the resident is not revealed, instead only a reference ID is shared.
    • No core biometrics (fingerprints or iris) required for such verification
    • Aadhaar number holder gets a choice of the data (among the demographics data and photo) to be shared.
  • Security:
    • Aadhaar KYC data downloadable by Aadhaar number holder is digitally signed by UIDAI to verify authenticity and detect any tampering.
    • Agency can validate the data through their own OTP/Face Authentication.
    • KYC data is encrypted with the phrase provided by Aadhaar number holder allowing residents control of their data.
  • Inclusion:
    • Aadhaar Paperless Offline e-KYC is voluntary and Aadhaar number holder driven.
    • Any agency working with people can use it with consent of the Aadhaar number holder allowing wide usage.

How does it work?

Aadhaar Paperless Offline e-KYC eliminates the need for the resident to provide a photocopy of the Aadhaar letter. Instead, the resident can download the KYC XML and provide it to agencies that want his/her KYC. The agency can verify the KYC details shared by the resident in the manner explained in the sections below. The KYC details are in machine-readable XML which is digitally signed by UIDAI, allowing the agency to verify its authenticity and detect any tampering. The agency can also authenticate the user through its own OTP/Face authentication mechanisms.

How to obtain Aadhaar Paperless Offline e-KYC Data

Aadhaar number holders can obtain Aadhaar Paperless Offline e-KYC data through the following channels:

  • Download Aadhaar Paperless Offline e-KYC from resident portal (https://resident.uidai.gov.in)
  • In future, Aadhaar Paperless Offline e-KYC will also be available via:
    • mAadhaar mobile application on a registered phone number
    • Inbound SMS using registered phone number
    • Aadhaar Kendra using Biometric Authentication

What Data is covered in e-KYC

While downloading/obtaining Aadhaar Paperless Offline e-KYC data, the resident has the choice of selecting the fields within the XML. The following fields can be included depending on the format.

  • Fields that are always available
    • Resident Name
    • Download Reference Number
  • Optional fields:
    • Address
    • Photo
    • Gender
    • DoB/YoB
    • Mobile Number (in hashed form)
    • Email (in hashed form)

Aadhaar Paperless Offline e-KYC data is encrypted using a “Share Phrase” provided by the Aadhaar number holder at the time of downloading. The Share Phrase must be shared with agencies so that they can read the KYC data.

How to share Aadhaar Paperless Offline e-KYC Data

Aadhaar Paperless Offline e-KYC data may be provided to the verifying agency by the Aadhaar number holder in digital or physical format along with the share phrase:

  • Digital Format: XML/PDF
    • This format is preferred when high quality photo is required
  • Printed Format: QR code
    • When resident is more comfortable with a physically printed format
    • Low resolution photo for visual inspection only

Technical Facets of Aadhaar Paperless Offline e-KYC

The following will help residents in getting a better understanding about the technical facets of Aadhaar Paperless Offline e-KYC.

XML Data Format

Aadhaar Paperless Offline e-KYC when downloaded has the following XML:
<OKY v="" n="" r="" i="" d="" e="" m="" g="" a="" s="" />

XSD for the above XML

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" attributeFormDefault="unqualified" elementFormDefault="qualified" targetNamespace="http://www.uidai.gov.in/offlinePaperlesseKYC/1.0">
  <xs:element name="OKY">
    <xs:complexType>
      <xs:attribute name="v" type="xs:string"/>
      <xs:attribute name="n" type="xs:string"/>
      <xs:attribute name="i" type="xs:string"/>
      <xs:attribute name="d" type="xs:string"/>
      <xs:attribute name="e" type="xs:string"/>
      <xs:attribute name="m" type="xs:string"/>
      <xs:attribute name="g" type="xs:string"/>
      <xs:attribute name="a" type="xs:string"/>
      <xs:attribute name="r" type="xs:string"/>
      <xs:attribute name="s" type="xs:string"/>
    </xs:complexType>
  </xs:element>
</xs:schema>

Element Details

Element :

OKY – Container for keeping the resident KYC data.

Attributes :

v - (Mandatory) Version: – Version number. Current value will be “1”. Later it may change if the XML structure or validation logic changes.

n - (Mandatory) Name: – Present as plain text.

r - (Mandatory) Reference Number: – This is a composition of the last 4 digits of the Aadhaar number followed by a timestamp in YYYYMMDDHHMMSSmmm format.

Example :
Aadhaar Number: XXXX XXXX 3632
Time Stamp : 20181001134543123
Reference Number : r=”363220181001134543123”

i - (Optional) Photo: – Is present as Base64 string of a JPEG image. Can be rendered using any standard JPEG software.

d - (Optional) DoB/YoB: – Present as plain text in DDMMYYYY or YYYY format

e - (Optional) Email ID: – This is represented as a hash with the following logic.

Hashing logic for Email ID :
Sha256(Sha256(Email+SharePhrase))*number of times last digit of Aadhaar number
(Ref ID field contains last 4 digits).

Example :
Email: [email address not preserved]
Aadhaar Number: XXXX XXXX 3632
Passcode : Lock@487
Hash : Sha256(Sha256([email address not preserved]Lock@487))*2
If the Aadhaar number ends with zero, the value is hashed one time.

m - (Optional) Mobile Number: – This is represented as a hash with the following logic.

Hashing logic for Mobile Number :
Sha256(Sha256(Mobile+SharePhrase))*number of times last digit of Aadhaar number
(Ref ID field contains last 4 digits).

Example :
Mobile: 1234567890
Aadhaar Number: XXXX XXXX 3632
Passcode : Lock@487
Hash: Sha256(Sha256(1234567890Lock@487))*2
If the Aadhaar number ends with zero, the value is hashed one time.

g - (Optional) Gender: – This is either “M” (Male) or “F” (Female) or “T” (Transgender).

a - (Optional) Address: – Full address present as plain text.

s - (Mandatory) Signature: – This will be a 344-character-long digital signature of the data present in the downloaded XML. This can be validated using the public key of UIDAI which can be downloaded here.

Steps to validate signature :

1. Read the entire XML and separate the s=”xxxx” tag from it.

2. Use a signature validation algorithm leveraging the “SHA256withRSA” hashing and encryption technique.

3. The signature value present in the “s” tag, the remaining XML (without the "s" tag) and the UIDAI public key (available here) are to be fed to the algorithm to validate the digital signature.

4. Sample code snippets provided here.
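
An added example (not UIDAI's sample code) of steps 1 to 3: it cuts the s attribute out, rebuilds the PKCS#1 v1.5 block that SHA256withRSA expects, and compares it with the decrypted signature. Assumptions: the signed bytes are the UTF-8 XML text with only the s attribute removed, the public key is passed as integers n and e, and the key and sample record are constructed for the demo.

```python
import base64
import hashlib
import hmac
import re

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def pkcs1_encoding(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 block that a valid k-byte signature must decrypt to."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def split_signature(xml_text: str):
    """Step 1: remove s="..." and return (remaining bytes, signature bytes).
    Assumption: nothing else in the text is altered before hashing."""
    found = re.search(r'\s+s="([A-Za-z0-9+/=]*)"', xml_text)
    if found is None:
        raise ValueError("no s attribute present")
    rest = xml_text[:found.start()] + xml_text[found.end():]
    return rest.encode("utf-8"), base64.b64decode(found.group(1), validate=True)

def verify(xml_text: str, n: int, e: int) -> bool:
    """Steps 2-3: SHA256withRSA check against the public key (n, e)."""
    message, signature = split_signature(xml_text)
    k = (n.bit_length() + 7) // 8  # 256 bytes for a 344-character signature
    value = int.from_bytes(signature, "big")
    if len(signature) != k or value >= n:
        return False
    recovered = pow(value, e, n).to_bytes(k, "big")
    # Compare the whole block; parsing the padding loosely accepts forgeries.
    return hmac.compare_digest(recovered, pkcs1_encoding(message, k))

# Constructed toy key built from two Mersenne primes (demo only, not a UIDAI key).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def toy_sign(xml_unsigned: str) -> str:
    """Produce a signed sample by inserting s= before the closing ' />'."""
    k = (N.bit_length() + 7) // 8
    em = int.from_bytes(pkcs1_encoding(xml_unsigned.encode("utf-8"), k), "big")
    sig = base64.b64encode(pow(em, D, N).to_bytes(k, "big")).decode()
    return xml_unsigned.replace(" />", f' s="{sig}" />')

# Constructed sample record; the name and values are placeholders.
SAMPLE = toy_sign('<OKY v="1" n="Constructed Name" r="363220181001134543123" g="F" />')
```

A deployed verifier would load n and e from the UIDAI certificate with a maintained cryptography library; the arithmetic is written out here to show what the check compares.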

XML Validation steps :

1. Aadhaar Paperless Offline e-KYC XML is zipped and protected with the “Share Phrase”. It can be unzipped using any standard unzipping utility (like WinZip, WinRAR, 7-Zip etc.). While unzipping, a password prompt will appear, where the “Share Phrase” should be entered.

2. Parse the XML and use the logic mentioned earlier to validate the digital signature.

3. Optionally do OTP validation against the mobile number (resident needs to provide mobile number which can be hashed and verified against the KYC data) and/or do face validation by capturing face and matching against the photo within the e-KYC XML.
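
An added example (not UIDAI code) of the mobile/email check in step 3, using the values from the mobile example above. Assumptions: the round count is the total number of SHA-256 applications, each round hashes the lowercase hex text of the previous one, and the function names are illustrative.

```python
import hashlib
import hmac
from datetime import datetime

def parse_reference(ref: str):
    """Split the r attribute into (last 4 Aadhaar digits, download time)."""
    if len(ref) != 21 or not (ref.isascii() and ref.isdigit()):
        raise ValueError("r must be 4 digits followed by YYYYMMDDHHMMSSmmm")
    when = datetime.strptime(ref[4:18], "%Y%m%d%H%M%S")
    return ref[:4], when.replace(microsecond=int(ref[18:]) * 1000)

def hash_rounds(ref: str) -> int:
    """Last Aadhaar digit gives the round count; a trailing zero means one round."""
    last4, _ = parse_reference(ref)
    return max(int(last4[-1]), 1)

def contact_hash(value: str, share_phrase: str, ref: str) -> str:
    # Assumption: each round hashes the previous round's lowercase hex text.
    digest = value + share_phrase
    for _ in range(hash_rounds(ref)):
        digest = hashlib.sha256(digest.encode("utf-8")).hexdigest()
    return digest

def contact_matches(claimed: str, share_phrase: str, ref: str, stored: str) -> bool:
    """Compare a resident-supplied mobile/email with the m or e attribute."""
    expected = contact_hash(claimed.strip(), share_phrase, ref)
    return hmac.compare_digest(expected.encode(), stored.strip().lower().encode())

# Values from the page's mobile example; STORED_M stands in for the m attribute.
REF, PHRASE = "363220181001134543123", "Lock@487"
STORED_M = contact_hash("1234567890", PHRASE, REF)

if __name__ == "__main__":
    print(parse_reference(REF))
    print(contact_matches("1234567890", PHRASE, REF, STORED_M))
    print(contact_matches("1234567891", PHRASE, REF, STORED_M))
```

Run the comparison only after the signature on the XML has been validated, since the m and e values are otherwise unauthenticated.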

Sample Data:

You can download sample data