After a lot of hue and cry about the ease of purchasing the Aadhaar database for as little as ₹500, UIDAI launched the Virtual ID (VID) to counter this revelation. The VID is used in place of the Aadhaar number for authentication and provides a limited KYC.
UIDAI created the Virtual ID as a mechanism that cannot be mapped back to the Aadhaar number. This would add another level of security, wherein the UID tokens would ensure uniqueness of the beneficiaries without allowing the sub-AUAs to store the Aadhaar number.
Earlier, Aadhaar was primarily used for authentication by Authentication User Agencies (AUAs) and for providing KYC data through KYC User Agencies (KUAs) when required, with details that include the Name, Address or even Date of Birth. An Authentication User Agency uses Aadhaar to provide authorization and validation after the entity supplies the Aadhaar number and the name of the user. The KYC User Agencies provide KYC data about the user when requested by entities.
| Authentication User Agencies (AUAs) | KYC User Agencies (KUAs) |
|---|---|
| An AUA or Authentication User Agency is a requesting entity that submits the Aadhaar number and either demographic or biometric information of an individual to the Central Identities Data Repository (CIDR) for authentication. | A KUA or KYC User Agency provides you with e-KYC details about the Aadhaar card holder. A KUA can provide details which include Name, Address, and Date of Birth. |
| Global AUAs are the entities that are required to authenticate customers using the Aadhaar number. | KUAs refer to the types of authentication access allowed by the UIDAI to Aadhaar data. |
| Local AUAs are not permitted to verify a client using the Aadhaar number but are only allowed to use VID for OTP-based authentication. | KUAs provide all information related to an Aadhaar card holder, which goes through stringent legal and technical specifications. |
| Examples of Global AUAs include DBS, ICICI, IDFC, IndusInd, KVB, Kotak Mahindra Bank, Equitas Small Finance Banks, NPCI. Examples of Local AUAs include Bajaj, L&T, Reliance Jio Infocomm, Home Credit, Manappuram, Zen Lefin, Tata Capital. | Examples of KUAs are Banks, Insurance, Telecom and the Directorate of Income Tax. |
With the launch of VID and Limited KYC, and the introduction of a blanket restriction on storage of the Aadhaar number by Local AUAs, UIDAI sought to bring order and introduce a security layer in the Aadhaar user databases.
Further, UIDAI sought to create a classification amongst agencies that were previously using the Aadhaar number for authentication services, thereby restricting usage of the Aadhaar number by certain entities.
The Global AUAs have access to Aadhaar data while the Local AUAs have limited access to Aadhaar data as per the act. Since the update came into place, linking the Aadhaar number or storing Aadhaar-related information is illegal and punishable.
What is Virtual ID (VID)?
UIDAI, by its notification dated January 10, 2018, introduced the concept of Virtual ID. The Virtual ID was conceptualized as a revocable 16-digit number, generated by the Aadhaar holder, to use in transactions where previously the Aadhaar number was used for authentication.
The Virtual ID can be used for the purpose of authentication just like the Aadhaar number. The VID can be generated on UIDAI’s resident portal. UIDAI requires entities to migrate to the new system, in which authentication uses the VID.
The Digital ID can be regenerated several times, and this makes it a safer option than sharing your Aadhaar number. The VID is revocable, and the Aadhaar holder can replace it with a new number at any time once the minimum validity period set by UIDAI has expired. This can be done with the registered mobile number and the OTP that you receive.
In simple words, the VID masks the Aadhaar number and information, and this is done through a solution called Tokenization. The token number is unique for a particular entity and remains the same across that entity's authentication requests. However, for different AUAs and Sub-AUAs, the UID token would differ.
Some of the guidelines of the New Virtual ID from UID include:
- Virtual ID is a 16-digit, random system-generated number that is used for authentication instead of the Aadhaar number
- Virtual ID is linked to your Aadhaar number. Only one VID is active and valid at any particular point of time
- If you share your Aadhaar number with private agencies, services, and apps, you can consider generating Virtual IDs using the UIDAI website, mobile app or at enrolment centres
- Once you share your VID with specific agencies, they would see only a limited amount of details depending on whether the agency is a Local or Global AUA. If you are providing information through a Local AUA, UIDAI introduced the concept of limited e-KYC and will not share your Aadhaar number details
- You can create as many VIDs as you like; once a new one is created, the old one gets cancelled and becomes invalid.
- The Aadhaar cardholder uses the VID in place of the Aadhaar number when an authentication or KYC takes place.
- By 1 July 2018, all authentication service providers will complete the implementation of VID processes.
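A toy model of the behaviour described above, added here as an illustration and not UIDAI's implementation: one active VID per Aadhaar number, and a UID token that stays the same for one agency but differs between agencies. The HMAC-based token derivation, the class and agency names, the assumption that the token survives VID rotation, and the sample number are all hypothetical; the page does not describe UIDAI's actual algorithm.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class ToyVidVault:
    """Stand-in for the issuing authority; every name here is hypothetical."""

    def __init__(self) -> None:
        self._token_key = secrets.token_bytes(32)  # secret held by the issuer only
        self._vid_to_uid = {}                      # active VID -> Aadhaar number
        self._uid_to_vid = {}                      # Aadhaar number -> active VID

    def generate_vid(self, aadhaar: str) -> str:
        """Issue a fresh random 16-digit VID and cancel the previous one."""
        while True:
            vid = "".join(secrets.choice("0123456789") for _ in range(16))
            if vid not in self._vid_to_uid:
                break
        old = self._uid_to_vid.get(aadhaar)
        if old is not None:
            del self._vid_to_uid[old]              # only one VID is valid at a time
        self._vid_to_uid[vid] = aadhaar
        self._uid_to_vid[aadhaar] = vid
        return vid

    def authenticate(self, vid: str, agency: str) -> Optional[str]:
        """Return the agency-specific UID token, or None for a stale/unknown VID."""
        aadhaar = self._vid_to_uid.get(vid)
        if aadhaar is None:
            return None
        # Assumed derivation: keyed hash over agency + Aadhaar number, so the
        # agency gets a stable identifier without ever seeing the number.
        msg = f"{agency}|{aadhaar}".encode()
        return hmac.new(self._token_key, msg, hashlib.sha256).hexdigest()


def demo() -> dict:
    vault = ToyVidVault()
    aadhaar = "999900001111"                       # constructed sample, not a real number
    first = vault.generate_vid(aadhaar)
    bank = vault.authenticate(first, "LOCAL-AUA-1")
    telco = vault.authenticate(first, "LOCAL-AUA-2")
    second = vault.generate_vid(aadhaar)           # rotation cancels `first`
    return {
        "bank": bank,
        "telco": telco,
        "stale": vault.authenticate(first, "LOCAL-AUA-1"),
        "bank_after_rotation": vault.authenticate(second, "LOCAL-AUA-1"),
    }
```

Because the two agencies hold different tokens for the same person, their databases cannot be joined on the token alone, which is the property the tokenization paragraph relies on.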
How Different are SSN and CPF from Aadhaar?
The Social Security Number in America keeps a record of services, while Aadhaar is the proof of Indian identity. SSN is governed by Federal legislation; Aadhaar is governed by the Aadhaar Act of 2016. While SSN collects demographic data, Aadhaar collects biometric data. Social Security stored all information in a central database, while Aadhaar links databases. The Central Provident Fund (CPF) provides social security in Singapore. This is done through four vital accounts: Ordinary Account, Special Account, Retirement Account and Medisave Account. In Singapore, every employed person contributes a certain amount from their earnings to the fund, based on age and income levels.
Is VID a Solution to this Problem?
With the VID implementation in place, it all comes down to how effective it is and whether it proves to be as simple as UIDAI’s migration plan. The plan ensures that the old method of submitting Aadhaar numbers is replaced with a Virtual ID. These practices came into place to counter The Tribune’s report on acquiring billions of Aadhaar data for as little as ₹500.
Privacy and Security Concerns
In the earlier model, there were several privacy and security concerns, which led to several reviews, as follows:
- The old model uses biometrics as the password for authentication and authorization. This allows biometrics to be used for identity verification, which could lead to a conflict in usage.
- The single identifier, the Aadhaar number, can be vulnerable to attacks when it is used across applications. This exposure can be reduced when you use a VID.
- The access control architecture appears vague when there is no defined online protocol that can be accessed or authorized. Is the Virtual ID tamper-proof with respect to recording access and authorization trails and an online audit? These vulnerabilities are caused by insider attacks.
- Lastly, the poor structure of web pages and mobile apps needs to be audited.
Virtual ID’s Share of Sceptics
Claiming that UIDAI’s latest move in January was a PR gimmick to cover the accusations of data leaks, Ankush Johar, Director of Infosec Ventures, explained that even the facial recognition measure would provide zero security given the poor 3 and 5-megapixel cameras that are being used.
Take a look at this video to learn more about the technical aspects that could be at risk:
Is Virtual ID The Solution To Aadhaar Woes?
Speaking on the issue, Troy Hunt, Microsoft Regional Director and MVP for Developer Security suggested, “The biggest concern of Aadhaar was the statements that it was hack proof or absolutely secure. They (UIDAI) are at one point of the spectrum where there will never be 100% secure.”
Countering this, Saket Modi, Co-Founder and CEO of Lucideus Tech suggested that all these points would fall on a low category and these issues would usually be taken up by UIDAI.
Is Virtual ID the Way Forward?
Under the regulations and rules provided by UIDAI, there is no clarity on the current impact of VID on existing and new applications. All registered AUAs are required to upgrade their registered devices, and a lack of clarity could involve a misappropriation of information. Some of the public models deployed for STQC certification have expired. This leads to KUAs upgrading their API, and non-registered devices would not be able to authenticate transactions.
Similarly, Local AUAs can use Aadhaar numbers for biometric authentication but are not allowed to store Aadhaar numbers in their database. In addition to VID, Global AUAs can accept Aadhaar numbers to authenticate while Local AUAs can only accept VID with UID Tokens.
Though there is a lot to gain from the Virtual ID, several questions have remained unanswered. Is there a distinction or rationale that explains the basis of this decision? The rationale seems unclear, as this additional security layer may prove short-lived. This is because entities that have already included the Aadhaar number in their forms now have to update subsequent actions to use the VID with UID Tokens. This leads to unanswered questions on why this is possible with several sub-AUAs that authenticate and authorise several payments on behalf of their customers.
Do you feel that there is an increase in security for both Aadhaar and VID for loans? When you review the decisions behind VID, you need to determine if your bank still uses your Aadhaar details and subsequently uses VID to process loans. This seems detrimental as this would be a spoke in the wheel of the otherwise Aadhaar-enabled bank function. If this is the case, then several financial decisions would likely be reviewed if your Aadhaar data are easily available despite the enactment of the Virtual ID. So where is the question of the increased level of security?
Should we collect VIDs or submit Aadhaar details to create an eNACH? On a similar front, wouldn’t it seem unnecessary to submit your VID with the UID token if eNACH creators already have your Aadhaar details? That being said, under Limited KYC they should not be in a position to gain access to your biometric information and other details that are not required to create an eNACH.
While creating a loan with your bank account, should you submit both the Aadhaar and VID details? It seems a no-brainer that your bank should request your VID and UID token but, on the contrary, banks required an e-KYC from UIDAI. Once your account has been created with your Aadhaar number, the question of why you need to submit a VID is quite puzzling. To ensure that your loan is processed, a VID is acknowledged, but not at the cost of you submitting your Aadhaar credentials to your respective bank while creating an account. This leads to the final question: does this make VID an effective solution to the problem?
FAQs on the New Virtual IDs
- Do all individuals have to mandatorily generate a Virtual ID?
No, if you are comfortable with sharing a 12-digit Aadhaar number with government and private agencies for authentication and KYC procedures, you can continue to do so. But based on security concerns, it is advisable that you generate and use Virtual IDs in place of Aadhaar numbers.
- Should you continue using the same Virtual ID?
Well, you can use the same Virtual ID as often as possible or generate a new one every time you need to share it. Only if UIDAI sets a minimum validity will you need to generate a VID for that time period.
- Could companies or agencies learn about your Aadhaar number if they have your Virtual ID?
It’s not possible to locate an individual’s Aadhaar Number when an entity receives the Virtual ID.
- Can your demographic information be accessed by unauthorised individuals? Could Virtual IDs help in this case?
You should know that since 1 March 2018, when the VID security feature was launched, no unauthorised use can be made to recover personal data that has been accessed. This is because VIDs are created to limit the number of companies and agencies that can share your Aadhaar number.
- Is there a reason why the Virtual ID is 16 digits long as compared to the 12-digit Aadhaar?
When it comes to Virtual IDs, multiple VIDs can be generated for a single Aadhaar number. At the same time, the number of possible 16-digit Virtual IDs is far greater than the total number of 12-digit Aadhaar numbers. This makes it impossible to derive the Aadhaar number from the VID. The last digit of the VID is computed with the Verhoeff algorithm, as in the Aadhaar number. This makes the VID temporary, and it cannot be used for duplication.
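The Verhoeff check digit mentioned in this answer can be computed and verified as follows (an added example, not UIDAI's code; the sample payload is constructed and the function names are hypothetical). A passing check only shows that the 16 digits are well-formed and free of common typing errors; it says nothing about whether the VID is active or whom it belongs to.

```python
# Multiplication table of the dihedral group D5, one row per left operand.
_D = [[int(c) for c in row] for row in (
    "0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
    "5987604321", "6598710432", "7659821043", "8765932104", "9876543210")]
# Position-dependent digit permutations; the pattern repeats every 8 positions.
_P = [[int(c) for c in row] for row in (
    "0123456789", "1576283094", "5803796142", "8916043527",
    "9453126870", "4286573901", "2793806415", "7046913258")]
_INV = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9]  # inverse of each element in D5


def _fold(digits: str, offset: int) -> int:
    """Combine the digits right to left through the permutation and group tables."""
    c = 0
    for i, ch in enumerate(reversed(digits)):
        c = _D[c][_P[(i + offset) % 8][int(ch)]]
    return c


def check_digit(payload: str) -> str:
    """Digit to append so that payload + digit passes verhoeff_ok()."""
    return str(_INV[_fold(payload, 1)])


def verhoeff_ok(number: str) -> bool:
    """True when the trailing digit is the correct Verhoeff check digit."""
    if not (number.isascii() and number.isdigit()):
        return False
    return _fold(number, 0) == 0


def is_wellformed_vid(value: str) -> bool:
    """Format check only: 16 decimal digits ending in a valid check digit."""
    return len(value) == 16 and verhoeff_ok(value)


# Constructed sample: 15 arbitrary digits plus the computed check digit.
SAMPLE_PAYLOAD = "123456789012345"
SAMPLE_VID = SAMPLE_PAYLOAD + check_digit(SAMPLE_PAYLOAD)
```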