
Requesting Entities (AUA & KUA)

Introduction

As per the Aadhaar Act 2016, a requesting entity means an agency or a person that submits Aadhaar number and demographic information or biometric information, of an individual to the Central Identities Data Repository (CIDR) for authentication.

Authentication User Agency (AUA) is an entity engaged in providing Aadhaar Enabled Services to Aadhaar number holders, using the authentication as facilitated by the Authentication Service Agency (ASA). An AUA may belong to a government / public / private legal agency registered in India that uses Aadhaar authentication services of UIDAI and sends authentication requests to enable its services / business functions.

A Know-Your-Customer (KYC) User Agency (KUA) is a requesting entity that may be a government / public / private legal agency registered in India, seeking to use the electronic-KYC (e-KYC) service of UIDAI for providing its subsidy, benefits or services to intended beneficiaries. Also, a KUA serves as the principal agency that sends authentication/e-KYC requests to enable its services.

Sub AUAs are agencies that use Aadhaar authentication to enable their services through an existing requesting entity.

A requesting entity (such as AUA, KUA) connects to the CIDR through an ASA (either by becoming ASA on its own or by contracting services of an existing ASA).

Eligibility Criteria for Appointment of Authentication User Agency (AUA)

The applicants are required to fulfill the following eligibility criteria to become AUA:

AUA Category 1
AUA Category 2

Criteria

1. Entity has to be either Government (Central/State) or Regulated Entity as prescribed in the table above.

2. Back-end infrastructure used specially for the purpose of Aadhaar authentication shall be based in the territory of India.

3. Well-defined Data Sharing and Privacy Policy.

AUA Category 3

Criteria

1. Please see Annexure for document requirements.

2. Back-end infrastructure used specifically for the purpose of Aadhaar authentication shall be based in the territory of India.

3. Well-defined Data Sharing and Privacy Policy.

4. An Organisation needs to have either a minimum of Rupees 1 (one) crore of paid-up capital or an annual turnover of minimum Rupees 5 (five) crore during the last financial year, and

5. Entity should have been in business for a minimum of 1 year from the date of commencement of business.

Note: Any relaxation in the financial, technical and other criteria mentioned in this document can be considered by the competent authority on a case-to-case basis.

** Exception to meeting the above-mentioned financial and technical criteria for Category 3:

a) A Sub-AUA that has performed a minimum of 10,000 transactions / month for the last 10 months, or a minimum of 25,000 transactions / month for the last 4 months, is eligible to become an AUA. The Sub-AUA is responsible for submitting proof of having performed the required number of authentication transactions using its Sub-AUA code.

b) A startup that is among the top 3 awardees in an Aadhaar-based Hackathon organized with a minimum of 100 participants would be eligible for provisional AUA status with relaxation on the technical and financial eligibility criteria. The startup needs to perform a minimum of 1 lakh authentication transactions within a maximum period of 18 months after getting AUA production access in order to become a regular AUA.

Note: Test data is to be excluded from the number of transactions. Live transaction data in the Production environment using any modality for authentication is counted for this purpose.

Eligibility Criteria for Appointment of e-KYC User Agency (KUA)

KUA Category 1
KUA Category 2

Criteria

1. Entity has to be either Government (Central/State) or Regulated Entity as prescribed in table above.

2. Back-end infrastructure used specifically for the purpose of Aadhaar authentication shall be based in the territory of India.

3. Well-defined Data Sharing and Privacy Policy.

4. Entity which is required to fulfill KYC norms as required by law.

Note: Any relaxation in the financial, technical and other criteria mentioned in this document can be considered by the competent authority on a case-to-case basis.

Examples of AUAs

The Income Tax Department that seeks Income Tax (IT) returns from assessees by adopting e-filing of IT returns based on Aadhaar One Time Password (OTP) authentication.

A Hospital Administration Department that requires a fast and convenient process for registration of Out Patient Data (OPD) using Aadhaar based Authentication. Through this process, the identity of the patient is validated prior to his/her registration in the hospital.

Passport Seva Kendra (PSK) that seeks to use Aadhaar authentication services to verify the identity of the applicant before issuing a passport to the applicant.

The administration/security department of a high-security building/zone that seeks to verify the identity of any Aadhaar number holder seeking entry into the building/zone.

AUA Readiness Stages

  • Identify business / service delivery needs: The requesting entity needs to identify its service delivery areas where Aadhaar authentication may be used. The agency also needs to decide what authentication types it would be using for Aadhaar enabling different service delivery needs.
  • Fill online application form: Any agency interested in becoming a requesting entity needs to apply online. UIDAI has an online workflow based application form for engaging with AUAs.
  • Engage with ASA(s): One of the initial stages for becoming a requesting entity is the need to engage with an existing ASA. The list of approved ASAs would be available online and an interested requesting entity can engage accordingly. In case a requesting entity wants to become both ASA and requesting entity, it would first need to get approved as an ASA and then apply for becoming a requesting entity.
  • Send signed contract and supporting documents to UIDAI: The requesting entity should send a hard copy of the signed contract along with the required supporting documents to UIDAI. The online application would be approved by UIDAI upon receipt of the required documents.
  • Ensure process and technology compliance: The requesting entity needs to set up the necessary systems, processes, infrastructure etc. in compliance with UIDAI standards and specifications, as specified in the AUA Handbook. Some such requirements include defining an exception handling mechanism, developing the application using Aadhaar authentication APIs, ensuring connectivity from authentication devices to the requesting entity server etc. Compliance with the various requirements needs to be confirmed to UIDAI through the online application process.
  • Plan device deployment: The requesting entity needs to decide upon the authentication device specifications based on its business requirements and ensure deployment of the same. If a requesting entity opts for biometric authentication, the sensor/extractor of the biometric devices needs to be certified by a certifying body such as STQC that has been authorized by UIDAI. If a requesting entity opts for operator-assisted devices, the AUA would also need to ensure training and readiness of operators.
  • Obtain approvals from UIDAI: UIDAI would approve an application form from a requesting entity when the various compliance requirements are met. A requesting entity should engage with UIDAI during the process and provide required clarifications.
  • Carry out end-to-end testing: Approval from UIDAI allows a requesting entity to carry out end-to-end testing of their application with the CIDR. Before going live with actual resident authentication, it is highly recommended that the requesting entity carries out thorough end-to-end testing of their application with the selected ASA and with CIDR. The requesting entity should get the systems related to Aadhaar authentication audited by information systems auditors certified by a recognized body before going live.
  • Go-live: A requesting entity can go live after confirmation of adherence to all of UIDAI's standards and specifications. UIDAI plans to manage the same through an online workflow-based application.

Key AUA Responsibilities

  • Choose an appropriate authentication type based on business and deployment risk assessment; inform UIDAI regarding the same.
  • Ensure compliance of authentication-related operations (processes, technology, security, etc.) with UIDAI's standards and specifications as specified in the AUA Handbook.
  • Obtain informed consent from the Aadhaar number holder by intimating the purpose of authentication and any information relating to the sharing of his/her data, in accordance with the Aadhaar Act 2016.
  • Prepare authentication packet as per latest Authentication API specifications.
  • Log and maintain details of all authentication transactions as per the provisions of the Aadhaar Act 2016.
  • In case Aadhaar biometric authentication is used, ensure that a Best Finger Detection (BFD) application is implemented to on-board Aadhaar number holders for biometric authentication.
  • Identify exception-handling and back-up identity authentication mechanisms, as recommended by UIDAI through the AUA Handbook.
  • Deploy a fraud monitoring mechanism, as per the AUA's business needs, to prevent misuse of the exception handling mechanism by operators and any other ecosystem members, as mandated through Chapter VI of the Aadhaar Act 2016.
  • Get its operations and systems related to Aadhaar Authentication audited as per UIDAI’s specifications specified in the AUA Handbook and in accordance with the provisions of the Aadhaar Act 2016.
  • Ensure connectivity from authentication devices to the AUA server and between the AUA server and the ASA server.
  • Procure, deploy and manage certified biometric devices in compliance with UIDAI’s latest biometric device specifications.
  • Ensure adequate training for the personnel managing authentication devices and build awareness of the compliance aspects relating to protection of Aadhaar number holder information, penalties associated with unauthorized usage, misuse of data etc., as specified in Chapter VI and Chapter VII of the Aadhaar Act 2016 and the Aadhaar Authentication Regulations 2016.
  • Inform UIDAI of the engagement/ disengagement of Sub AUAs.
  • Ensure supported Sub AUAs comply with UIDAI’s standards and specifications.
  • Inform UIDAI of any misuse of Aadhaar data, authentication services, or any compromise of Aadhaar related data or systems and ensure compliance to Aadhaar Act 2016.

Mandatory Security Requirements

  • Aadhaar number should never be used as a domain-specific identifier.
  • In the case of operator-assisted devices, operators should be authenticated using mechanisms such as password, Aadhaar authentication, etc.
  • Personal Identity Data (PID) block captured for Aadhaar authentication should be encrypted during capture and should never be sent in the clear over a network.
  • The encrypted PID block should not be stored unless it is for buffered authentication for a short period, currently configured as 24 hours.
  • Biometric and OTP data captured for the purposes of Aadhaar authentication should not be stored on any permanent storage or database.
  • The metadata and the responses should be logged for audit purposes.
  • Network between AUA and ASA should be secure.
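The following is an added illustration (not UIDAI code, nor part of this page) of how an AUA server might enforce three of the requirements above: buffered authentication keeps only the already-encrypted PID block and purges it after the 24-hour window, and the audit log records metadata and the response but refuses any biometric, OTP or clear-text PID field. Field names such as `biometric`, `otp`, `pid_plain`, `ret` and `err` are assumed for illustration and are not the published API schema; PID encryption at capture is assumed to have happened on the device before the block reaches this store.

```python
from dataclasses import dataclass, field

# Page: encrypted PID may be buffered only for a short period, currently 24 hours.
BUFFER_TTL_SECONDS = 24 * 60 * 60

# Assumed (not the real API schema) names of fields that must never reach the audit log.
SENSITIVE_FIELDS = {"biometric", "otp", "pid_plain"}


@dataclass
class BufferedPidStore:
    """Buffer for encrypted PID blocks awaiting forwarding (buffered authentication)."""
    entries: dict = field(default_factory=dict)  # txn_id -> (ciphertext bytes, stored_at)

    def put(self, txn_id: str, encrypted_pid: bytes, now: float) -> None:
        # Only opaque ciphertext is accepted; a clear-text PID block is never buffered.
        if not isinstance(encrypted_pid, (bytes, bytearray)):
            raise TypeError("only the encrypted PID block may be buffered")
        self.entries[txn_id] = (bytes(encrypted_pid), now)

    def purge_expired(self, now: float) -> list:
        """Delete every block older than the 24-hour window; returns the purged txn ids."""
        expired = [t for t, (_, ts) in self.entries.items() if now - ts > BUFFER_TTL_SECONDS]
        for t in expired:
            del self.entries[t]
        return expired


def audit_record(txn_id: str, auth_type: str, response: dict, ts: float) -> dict:
    """Build the audit-log entry: transaction metadata plus the response outcome.

    Biometric, OTP and clear-text PID data are never written, so the function fails
    closed if a caller passes them in instead of silently dropping them.
    """
    leaked = SENSITIVE_FIELDS & set(response)
    if leaked:
        raise ValueError(f"refusing to log sensitive fields: {sorted(leaked)}")
    return {
        "txn": txn_id,
        "ts": int(ts),
        "auth_type": auth_type,   # e.g. OTP or biometric modality, as a label only
        "ret": response.get("ret"),  # assumed name for the success flag in the response
        "err": response.get("err"),  # assumed name for the error code, if any
    }
```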