Biometric devices are the devices used to capture biometric data inputs (fingerprint, iris, or both) from Aadhaar number holders. These biometric devices fall under two categories: Discrete Devices and Integrated Devices.
Discrete Devices: This type of device refers to the class of biometric devices (Fingerprint/Iris) that require connectivity to a host device such as a PC, laptop or Micro ATM.
Integrated Devices: Integrated devices have the sensor integrated into the device package, i.e. a phone, tablet, etc.
- Fingerprint Device Specification
- Iris Device Specification
- Authentication API Specification
- BFD API Specification
- Procedure for obtaining Biometric Device Certification
- List of Certified FP devices and FP Device Suppliers
- List of Certified Iris Devices and Iris Device Suppliers
- Aadhaar Technology & Architecture – Principles, Design, Best Practices and Key Learnings
The form factors in which biometric devices may be deployed include:
- Hand-Held / PoS Device such as MicroATMs, attendance devices
- USB device connected to PC
- Mobile phone with biometric sensor
- Kiosks such as ATMs, MNREGA job request kiosks
Requesting Entities may choose an appropriate authentication type (FP/Iris in the case of the biometric modality) based on their service delivery needs, the nature of the service, the volume of transactions, the desired accuracy levels and the risk factors associated with their service delivery. Once the modality is chosen (Fingerprint, Iris, a combination of both, or multi-factor authentication involving OTP along with biometrics (FP/Iris/Both)), the requesting entity can use the published list of certified device suppliers (as highlighted in the website link above) to procure certified biometric devices (Fingerprint/Iris).
Based on the security levels, devices are classified into Public Devices and Registered Devices.
“Public Devices” refers to the category of devices that are not registered with the Aadhaar system and use the encryption defined by UIDAI’s Aadhaar Authentication API specifications. The Aadhaar authentication server does not individually identify these public devices.
“Registered Devices” refers to devices that are registered with the Aadhaar system for encryption key management. The Aadhaar authentication server can individually identify and validate these devices and manage encryption keys on each registered device. Registered devices provide two key additional features compared to public devices:
- Device identification – every physical sensor device has a unique identifier, allowing device authentication, traceability, analytics, and fraud management.
- Eliminating use of stored biometrics – every biometric record is processed and encrypted within the secure zone, eliminating transmission of unencrypted biometrics from sensor to host machine.
Data Format for Biometric Information: The biometric data for FP or Iris shall conform to the ISO standard data format, as specified by the latest Aadhaar Authentication API specifications.
Biometric Device Certification and Specifications
The requesting entities shall deploy biometric devices and integrate them into their respective domain/client applications. The Fingerprint/Iris devices used in the client application should conform to the latest specifications issued by UIDAI.
UIDAI conducts assessment studies through Proof-of-Concepts (POCs) involving several device vendors/OEMs and periodically revises the device specifications. Once the specifications are finalized, a certification body such as STQC would consider the same for device certification purposes.
In cases where Biometric devices are used for Aadhaar Authentication, UIDAI recommends requesting entities to adhere to the following biometric device specifications.
The device vendors/OEMs may approach a certification body such as STQC to certify their biometric devices; the procedure for obtaining the biometric device certification is available on the STQC website. For more details on the biometric devices, exception handling processes, security aspects, etc., please refer to the Aadhaar Technology & Architecture – Principles, Design, Best Practices and Key Learnings.
Requesting entities shall train their Sub-AUAs/operators/agents to comply with UIDAI’s security policy.