Page 34 - Implementation of Secure Authentication Technologies for Digital Financial Services
6.5.2 Types and modes of authentication for Aadhaar

There are two types of authentication, namely:

a) Yes/No authentication facility,
b) e-KYC authentication facility, which may be carried out only using OTP and/or biometric authentication modes.

The following modes of authentication are supported:

a) Demographic authentication: The Aadhaar number and demographic information obtained from the Aadhaar number holder are matched with the demographic information of the Aadhaar number holder.
b) One-time pin based authentication: A One Time Pin (OTP), with limited time validity, is sent to the mobile number and/or e-mail address of the Aadhaar number holder registered with the Authority, or generated by other appropriate means. The Aadhaar number holder shall provide this OTP along with their Aadhaar number during authentication, and the same shall be matched with the OTP generated by the Authority.
c) Biometric-based authentication: The Aadhaar number and biometric information submitted by an Aadhaar number holder are matched with the biometric information of the said Aadhaar number holder. This may be fingerprint-based or iris-based authentication, or other biometric modalities based on the biometric information stored.
d) Multi-factor authentication: A combination of two or more of the above modes may be used for authentication, chosen by a requesting entity for enhanced security.

e-KYC authentication is carried out using OTP and/or biometric authentication and not demographic authentication.

6.5.3 Aadhaar authentication security concerns

Ideally, for any system, identification and authentication without consent should not be possible. In Aadhaar, the single unique identifier, which is needed to identify the user across multiple domains, has been at the centre of the security issues. For instance, the Aadhaar number is needed at the time of authentication.

Some of the security threats around consumer related information and data privacy in Aadhaar are:

1. Correlation of identities across domains: It may become possible to track an individual’s activities using their Aadhaar id. This would lead to identification without consent.
2. Identification without consent using Aadhaar data: There could be risks of unauthorised use of biometrics to illegally identify people.
3. Illegal tracking of individuals: Individuals may be tracked without proper authorisation or legal sanction using the authentication and identification records and trails in the Aadhaar database, or in one or more AUAs’ databases. Such records will typically also contain information on the precise location, time and context of the authentication or identification, and the services availed.
4. Possible collusion of an attacker with inside personnel can also lead to data breaches under items 2 and 3 above.

6.5.5 Security measures introduced recently to address those threats

In 2018, the government in India introduced a number of security measures to address these threats:

a) Virtual ID
UIDAI introduced a system of virtual identification for Aadhaar cardholders, in a bid to prevent a security breach of all the user information from the database. With this ‘Virtual ID’, the cardholders can generate a 16 digit temporary number, which can be used to access various platforms such as banks, insurance or telecom service providers. Agencies that undertake authentication would not be allowed to generate the Virtual ID on behalf of the Aadhaar holder. The virtual ID is linked to the Aadhaar number but it is not permanent in nature. It is temporary and there are fewer risks of it being misused. With the virtual ID, there will be no need to share the user’s Aadhaar number at the time of authentication. It is revocable and can be replaced with a new one.

b) Limited KYC, which does not return the Aadhaar number, so that only an agency specific unique UID token is given, to eliminate many agencies storing Aadhaar.⁴ Local AUAs and global AUAs: the category of global AUAs will have access to e-KYC with the Aadhaar number, while all others will have access to limited KYC for a paperless KYC process. Once the UIDAI receives an authentication request from the local AUA, it will issue it a unique identity token, a 72 character alphanumeric string that will work only on the local AUA’s system. The UID token allows an agency to ensure uniqueness of its beneficia-
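The Virtual ID and Limited KYC passages above describe two defensive designs: a temporary, revocable 16-digit number that stands in for the Aadhaar number at authentication time, and an agency-specific UID token that lets each AUA recognise its own beneficiaries without holding the Aadhaar number or correlating its records with another agency's (threat 1 in 6.5.3). The Python model below is an added illustration written for this page; it is not UIDAI's code, API or token format. It shows one way such properties can be obtained: virtual IDs are random and the previous one is revoked on regeneration, OTPs are single-use with a fixed validity window, and the UID token is an HMAC over the agency id and identity number, so the same holder yields a stable token within one agency and unlinkable tokens across agencies. The master key, the AUA identifiers, the identity number and the 300-second OTP window are constructed assumptions.

```python
"""Toy model of revocable virtual IDs, time-limited OTPs and agency-scoped
UID tokens. Hypothetical design for illustration only; NOT UIDAI's actual
algorithm, API or token format. All values below are constructed."""
import hashlib
import hmac
import secrets
import string
from typing import Optional

OTP_VALIDITY_SECONDS = 300  # assumed OTP validity window (constructed)


class IdentityAuthority:
    """Central authority that never hands the identity number to an agency."""

    def __init__(self, master_key: bytes) -> None:
        self._key = master_key                           # assumed secret key
        self._vid_to_uid: dict[str, str] = {}            # active virtual ID -> identity number
        self._uid_to_vid: dict[str, str] = {}            # identity number -> current virtual ID
        self._otps: dict[str, tuple[str, float]] = {}    # identity number -> (otp, expiry time)

    # --- Virtual ID: temporary, revocable, generated by the holder only ---
    def generate_virtual_id(self, uid: str) -> str:
        old = self._uid_to_vid.pop(uid, None)
        if old is not None:
            del self._vid_to_uid[old]   # regenerating revokes the previous virtual ID
        vid = "".join(secrets.choice(string.digits) for _ in range(16))
        self._vid_to_uid[vid] = uid
        self._uid_to_vid[uid] = vid
        return vid

    # --- OTP with limited time validity; each OTP can be presented once ---
    def issue_otp(self, uid: str, now: float) -> str:
        otp = f"{secrets.randbelow(10**6):06d}"
        self._otps[uid] = (otp, now + OTP_VALIDITY_SECONDS)
        return otp

    def _check_otp(self, uid: str, otp: str, now: float) -> bool:
        entry = self._otps.pop(uid, None)   # consumed on any attempt: no replay, no guessing
        if entry is None:
            return False
        expected, expiry = entry
        return now <= expiry and hmac.compare_digest(expected, otp)

    # --- Agency-scoped UID token: stable per (agency, holder), unlinkable across agencies ---
    def _uid_token(self, uid: str, aua_id: str) -> str:
        msg = f"{aua_id}\x00{uid}".encode()
        # 72 hex characters = 288 bits of the keyed digest; alphanumeric, fixed length
        return hmac.new(self._key, msg, hashlib.sha512).hexdigest()[:72]

    def authenticate(self, vid: str, otp: str, aua_id: str, now: float) -> Optional[str]:
        """Resolve the virtual ID, verify the OTP, and return the agency's token
        (never the identity number). Returns None on any failure."""
        uid = self._vid_to_uid.get(vid)
        if uid is None or not self._check_otp(uid, otp, now):
            return None
        return self._uid_token(uid, aua_id)


def demo() -> dict:
    """Walk through the properties described on the page; returns check results."""
    auth = IdentityAuthority(b"constructed-master-key")
    uid = "123412341234"                 # constructed identity number
    vid = auth.generate_virtual_id(uid)
    tok_bank = auth.authenticate(vid, auth.issue_otp(uid, 1000.0), "AUA-BANK-A", 1100.0)
    tok_telco = auth.authenticate(vid, auth.issue_otp(uid, 1000.0), "AUA-TELCO-B", 1100.0)
    tok_bank_again = auth.authenticate(vid, auth.issue_otp(uid, 1000.0), "AUA-BANK-A", 1100.0)
    expired = auth.authenticate(vid, auth.issue_otp(uid, 1000.0), "AUA-BANK-A", 1301.0)
    auth.generate_virtual_id(uid)       # holder rotates the virtual ID
    revoked = auth.authenticate(vid, auth.issue_otp(uid, 1000.0), "AUA-BANK-A", 1100.0)
    return {
        "token_is_72_alnum": tok_bank is not None and len(tok_bank) == 72 and tok_bank.isalnum(),
        "stable_within_agency": tok_bank == tok_bank_again,
        "unlinkable_across_agencies": tok_bank != tok_telco,
        "expired_otp_rejected": expired is None,
        "old_vid_rejected": revoked is None,
    }


if __name__ == "__main__":
    print(demo())
```

Because each agency only ever sees its own HMAC-derived token, two AUAs that pool their records cannot match a beneficiary by token alone; the unlinkability rests entirely on the authority keeping the master key secret, which is why the key never leaves the authority in this model.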