Authentication devices are host devices/electronic actors that form a critical link in the Aadhaar authentication ecosystem. These devices collect personal identity data (PID) from Aadhaar holders, prepare the information for transmission, transmit the authentication packets for authentication and receive the authentication results. Examples of authentication devices include form factors ranging from desktop PCs, laptops, kiosks to Point-of-Sale (PoS)/handheld mobile devices (microATMs) and tablets. Such devices are expected to be used for a variety of purposes specific to every requesting entity’s requirements.
Authentication devices perform the following key functions:
- Collection of Personal Identity Data (PID) from Aadhaar number holders through the domain / client application hosted on such devices.
- Perform basic checks on the information collected for completeness and compliance
- Transmit the authentication packets for authentication
- Receive the authentication results along with instructions for next steps, if any
AUAs may specify additional requirements such as multi language support, voice support, form factor etc. Various device vendors are expected to incorporate the certified sensor-extractors in device models / form factors based on AUA’s needs.
Authentication devices are deployed by the AUA, Sub AUA or their agents. Authentication devices could be deployed in the Aadhaar authentication ecosystem by the requesting entities or their agents and operated by them accordingly. Based on the mode of operation, such devices are classified as Self-Assisted and Operator Assisted devices.
Self-Assisted devices are the devices where Aadhaar authentication transaction is carried out by the Aadhaar number holder himself/herself without any assistance.
Operator-Assisted devices are the devices where the Aadhaar authentication transaction of the Aadhaar number holder is performed with the assistance of requesting entity’s operator.
The connectivity from devices to AUA/ Sub AUA server is also provisioned by the AUA/ Sub AUA. Authentication devices are expected to be used for a variety of purposes and would need to be specific to every AUA’s requirements. To cater to the varied application needs of different AUAs, while ensuring authentication packets received from AUAs are standard and secure, UIDAI has adopted an API based approach for authentication application.
For the hardware component, demographic and OTP based authentication could be initiated from any kind of device capable of creating authentication packet as per UIDAI’s authentication APIs. For biometric authentication, sensor and extractor certified by STQC should be used in the biometric devices. More information on biometric devices can be found in the section on “Biometric Devices”
Application Components on Devices
AUAs should develop authentication application based on its business needs and UIDAI’s authentication API.
- Best Finger Detection (BFD) application: Success of biometric authentication is dependent on the quality of biometric captured in the authentication request. The quality varies across different fingers of a Aadhaar number holder, amount of pressure applied etc. To ensure that a Aadhaar number holder is on-boarded to the concept of biometric authentication and is aware of which fingers are best suited for biometric authentication, UIDAI has developed a protocol called BFD. If an AUA opts for biometric authentication, it should ensure that the BFD application, as per the BFD API published, is deployed on the devices.
- OTP application: If an AUA opts for Aadhaar-based OTP authentication, the AUA should build a module for initiating OTP request and integrate the same with its service delivery application. The API for developing OTP request application is available on UIDAI’s websie.As a backup option, the AUA may also guide Aadhaar number holders to generate OTP through UIDAI’s portal, UIDAI’s contact centre or USSD through resident’s registered mobile phone.
Exception handling provisions
The device application should have provisions to service genuine Aadhaar number holders who may be falsely rejected during biometric authentication. Also, there should be measures to continue service delivery in case of other technological limitations such as network non-availability, device breakdown etc. There should be no denial of service to Aadhaar number holders due to technology limitations. The exception handling mechanisms should be backed up by non-repudiable features to log/audit requests handled through exception handling mechanism to prevent any fraud attempts. This is to ensure the protection of Aadhaar number holder information as specified in the Aadhaar Act 2016 and Aadhaar Authentication Regulations 2016.
Authentication devices could be operator-assisted or self-operated. Similarly, the environment in which the authentication devices are deployed could either be managed/monitored by AUA or unmanaged/ not-monitored. While devices in operator-assisted, AUA managed environment would provide highest level of trust, it may not be practical for all authentication purposes.
AUA should make a comprehensive risk assessment while considering the environment factors before finalizing authentication type, security and audit measures, fraud monitoring requirements etc.
Device Operator Training
A large number of authentication devices, especially those initiating biometric authentication requests, are expected to be operator-assisted devices. AUAs should ensure that operators are adequately trained to carry out Aadhaar authentication transactions and also to handle queries from Aadhaar number holders appropriately.
Some key areas that should be part of operators’ training include:
- Usage of biometric devices and Do’s / Don’ts for capturing good quality biometrics
- Usage of BFD, process for on-boarding Aadhaar number holders and guiding them for next steps
- Exception handling processes and ensuring no denial of service to Aadhaar number holders due to technology limitations
- Communicating appropriately with Aadhaar number holders
- Fraud monitoring & fraud reporting mechanisms
- Basic troubleshooting steps and contact details of AUA’s device/application support team
Mandatory Security Requirements
- PID block captured for Aadhaar authentication should be encrypted during capture and should never be sent in the clear over a network.
- The encrypted PID block should not be stored unless it is for buffered authentication for a short period of time.
- Biometric and OTP data captured for the purposes of Aadhaar authentication should not be stored on any permanent storage or database.
- In the case of operator assisted devices, operators should be authenticated using mechanisms such as password, Aadhaar authentication, etc.