Page 20 - FIGI: e-KYC use cases in digital financial services
captured live. Then the Registered Device (RD) Service of the device provider must form the encrypted PID block before returning to the host application.

2.7 Integration of FIDO & Aadhaar: Merging Real Identity with Virtual identities

This section provides some indication as to how FIDO could be integrated with the Aadhaar system in India.

FIDO (Fast Identity Online) is the world's largest ecosystem for standards-based, interoperable authentication, with Google as the alliance president, Microsoft as the vice president, and representation from major segments of the markets globally. FIDO's mission is to eliminate the reliance on network passwords, which is the major source of identity fraud and a major source of pain for the common user. There are already major deployments of FIDO globally, from financial organizations to network operators to e-commerce service providers to cloud infrastructure providers. FIDO eliminates the most common identity fraud sources like phishing attacks, server-side attacks, man-in-the-middle attacks, dictionary attacks and global attacks that are rampant.

W3C is making FIDO Authentication part of the Web Authentication specification for browsers. Mobile phones from all major mobile original equipment manufacturers like Apple, Samsung, Huawei and Lenovo have already been FIDO capable for the past two years. In the FIDO architecture, the root of trust for the identity is tied to the service that the user is logging in to. For the same user and the same device, the user device will have a different public/private key pair for each service.

For a country like India, with a large population and a mobile-based economy with big investment in centralised ID systems like Aadhaar, there is a good opportunity to design strong authentication systems that are based on the FIDO standard.

This could be done by building on the solid base that India has already built. It is very impressive to see how much Aadhaar is being embraced in the arena of KYC and linking the identity with Aadhaar. The real upside would be expanding the Aadhaar ID to provide a derived credential for Aadhaar verification into a user's smartphone, with an identity service in the cloud that can be used for every transaction that a citizen performs at various places without really interacting with the Aadhaar database each time.

The mAadhaar mobile application could be a perfect place to integrate FIDO and provide a cloud-based identity that is verified by Aadhaar. While mAadhaar is a great tool that authenticates offline, there would not be any audit trail or any other trace that can be recorded away from the user device. This would be an exposure for fraud and, at the same time, it cannot be in a non-operator assisted operation.

Under this approach, using an Identity Cloud (referred to as "AadhaarHub") that is tied to the mAadhaar mobile app, any time and every time a user needs to be authenticated, all the user needs to do is use FIDO to authenticate with the mAadhaar app, and the authentication validation is done on the identity cloud. This provides data privacy, as no specific user information is sent to the server other than the FIDO assertion. The user's biometrics never leave the device, and the authentication can only happen on that device, for that user and with the AadhaarHub.

This could also be a great vehicle to deliver government services to the citizens, enable peer-to-peer payments and, with simple tap and go, other payments in public transportation and other merchant locations, with server-side authentication and high assurance on the identity.

mAadhaar and AadhaarHub can be part of the "India Stack", and in this way device manufacturers could be influenced to include them in the software stack. This will provide scale, with every device that is sold in India, without causing extra burden to the device manufacturers. And the "India Stack" can be the standard that would promote a userID-less, password-less identity that can be offered to major service providers that are offering services to Indian citizens, where there will be a binding between their virtual identities and real identity, which will really help curb cyber fraud.

This could be a showcase for the entire world of how cybersecurity can and should be handled: providing the anonymity and privacy that are required in a safe cyber world while, at the same time, providing enough identity assertion when solving a cybercrime.

3 PAKISTAN

3.1 Biometric Verification System (BVS)

The SIM sale procedures deployed prior to BVS initially performed well; however, demand for illegal SIMs, especially for illegal international traffic termination (SIM box), paved the way for a system bypass. Publication of electoral rolls and their access to public for 2013 general elections indirectly provided access of