Page 19 - FIGI: e-KYC use cases in digital financial services

The following are the major steps in Aadhaar authentication process as shown in Figure 4 below:

•   Aadhaar holder sends the authentication request through the devices
•   Aadhaar authentication enabled application software, which is installed on the device, encrypts, and sends the data to AUA server
•   AUA server, after validation, adds necessary headers (AUA specific wrapper XML with license key, signature, etc.), and passes the request through ASA server to UIDAI CIDR.
•   Aadhaar authentication server returns a "yes/no" based on the match of the input parameters.
•   Based on the response from the Aadhaar authentication server, AUA/Sub-AUA conducts the transaction and Aadhaar holder receives the service.

2.6  Additional Security features for Authentication/KYC service

a)  To further enhance the security of Aadhaar authentication eco-system, under Regulations 14(n) and 19(o) of Aadhaar (Authentication) Regulations, 2016, it is decided to mandatorily use Hardware Security Module (HSM) for digital signing of Auth XML and decryption of e-KYC data.
b)  For digital signing of Auth XML, Authentication request is digitally signed by the requesting entity (AUA/KUA) and/or by the ASA using HSM, as per the mutual agreement between them. However, to decrypt the e-KYC response data received from UIDAI, the KUA shall necessarily use its own HSM.
c)  The HSM to be used for signing Auth XML as well as for e-KYC decryption is FIPS 140-2 compliant.
d)  All AUA/KUA/ASA ensure the implementation of HSM in Aadhaar authentication services.
e)  To eliminate the use of stored biometrics, UIDAI has mandated the use of registered devices by AUA/KUAs and ASAs. The registered devices provide the following key additional features compared to public devices:

    •   Device identification – every device having a unique identifier allowing traceability, analytics, and fraud management.
    •   Eliminating use of stored biometrics – biometric data is signed within the device using the provider key to ensure it is indeed

            Figure 4: Technical process of Authentication & e-KYC services






































