Aadhaar Virtual ID System is Operational; Still, UIDAI Extends Migration Deadline to Aug. 31
In January, UIDAI introduced the Virtual ID (VID), a temporary, 16-digit number that Aadhaar holders can use in place of their Aadhaar number for authentication, and the UID Token, a 72-character alphanumeric string that all entities can use to help ensure the uniqueness of their customers.
While the original deadline for banks, telecom companies and other organizations to deploy the VID feature was June 30, UIDAI has extended the deadline to Aug. 31 because, it says, many organizations are not ready for deploying VID features.
One of the reasons for the extension is that Authentication User Agencies (AUAs), the entities that provide Aadhaar-enabled services to Aadhaar number holders using authentication facilitated by an Authentication Service Agency (ASA), requested more time to switch to the new system.
The creation of virtual ID is certainly an improvement in the security of Aadhaar, quite similar to virtual credit card numbers for online transactions.
UIDAI has taken this initiative to add additional security layers and beef up security for its identification system in response to the recent reports on a breach of the Aadhaar biometric database through unauthorized access.
"It has been observed that a number of AUAs have already migrated to production environment using APIs 2.5 for VID implementation, and most of the remaining AUAs have tested VID and UID Token in pre-production environment APIs 2.5," says UIDAI CEO Ajay Bhushan Pandey. "We are requesting these agencies to fully migrate to production environment by the stipulated date." (See: What Action Will Court Take to Improve Aadhaar Security)
The extension may prove to be a blessing in disguise, as security experts are skeptical about organizations' preparedness to deploy the additional layers of security that VID and UID Token provide. (See: Aadhaar Getting Additional Security Layer)
According to Naavi Vijayashankar, a cyber law, risk and privacy professional and founder of Naavi & Co, it appears that the private sector is not keen on introducing the system any time in the next few days or weeks, probably because some do not think UIDAI is serious in its efforts. (See: Revamping the Approach to Aadhaar Security)
"Even banks may not be ready and may ignore the RBI directions in this regard, as they consider it as a complex project," Naavi says.
Operationalizing Virtual ID
According to UIDAI, the authentication ecosystem varies from agency to agency. And while for certain entities the authentication is carried out in a "controlled environment" in the presence of their own regular staff, in some other cases the authentication is performed in the presence of agents who may cater to more than one entity. At times, these agents are also involved in other business activities.
"It is imperative that on the basis of level of supervision in authentication ecosystem and the risk assessment, the VID/UID Token associated security features should be implemented in certain categories of AUAs sooner without any delay," Pandey says.
UIDAI, which has categorized all its authentication agencies as either global or local, is in the process of reviewing that classification based on a security and risk assessment of each entity's authentication process.
Pandey says that, pending this review, AUAs that were not classified earlier are now being provisionally classified. Nonetheless, global AUAs must develop their applications in such a manner that their Aadhaar-based services can continue even if their classification changes in the future.
Once the new feature is fully implemented by user agencies, it will allow Aadhaar holders to quote their VID without disclosing their Aadhaar number for authentication or verification purposes.
Prasanna Lohar, Innovation Head & Technical Architect, DCB Bank, says, "While implementing VID and UID Token is not complex, the delay is due to technical changes one needs to bring in along with certification process, which is time consuming."
Lohar says that it is more of an operational handicap, as UIDAI has introduced several authentication mechanisms, including biometrics, UIDAI 2.0, Aadhaar Data Vault, device encryption and others, resulting in confusion.
The new feature will enable only the Aadhaar holder to generate the VID; no one else, including the authentication agency, can generate this VID on behalf of the Aadhaar holder.
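To make the two properties described above concrete (only the holder, who knows the Aadhaar number, can mint a VID; an agency that authenticates with a VID receives a UID token, never the Aadhaar number), here is an added toy model of the issuer side. It is illustrative code, not UIDAI's API or any AUA's code; the per-agency HMAC derivation, the 24-hour VID lifetime and the sample Aadhaar number are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

VID_LENGTH = 16        # the article: VID is a temporary 16-digit number
UID_TOKEN_LENGTH = 72  # the article: UID Token is a 72-character alphanumeric string


class VirtualIdIssuer:
    """Hypothetical issuer-side model (the CIDR role). Only the holder, who knows
    the Aadhaar number, can mint a VID; agencies only ever see VIDs and tokens."""

    def __init__(self, master_secret: bytes, vid_ttl_seconds: int = 24 * 3600):
        self._secret = master_secret          # assumed issuer-held key for token derivation
        self._ttl = vid_ttl_seconds           # assumed VID lifetime (constructed value)
        self._vid_map = {}                    # VID -> (aadhaar_number, expiry_timestamp)

    def generate_vid(self, aadhaar_number: str, now=None) -> str:
        """Holder-side call: mint a fresh temporary VID for the holder's own number."""
        now = time.time() if now is None else now
        # Random digits only: the VID carries no structure derived from the Aadhaar number.
        while True:
            vid = "".join(str(secrets.randbelow(10)) for _ in range(VID_LENGTH))
            if vid not in self._vid_map:
                break
        self._vid_map[vid] = (aadhaar_number, now + self._ttl)
        return vid

    def uid_token(self, aadhaar_number: str, aua_id: str) -> str:
        """Agency-specific token: stable for one person at one AUA (so the AUA can
        de-duplicate customers) yet different across AUAs (so AUAs cannot link records).
        Keyed HMAC-SHA512 truncated to 72 hex chars: a constructed derivation."""
        msg = f"{aua_id}|{aadhaar_number}".encode()
        return hmac.new(self._secret, msg, hashlib.sha512).hexdigest()[:UID_TOKEN_LENGTH]

    def authenticate(self, vid: str, aua_id: str, now=None):
        """AUA-side call: resolve a VID and return the UID token, never the Aadhaar
        number. Returns None for an unknown or expired VID."""
        now = time.time() if now is None else now
        entry = self._vid_map.get(vid)
        if entry is None:
            return None
        aadhaar_number, expiry = entry
        if now >= expiry:
            del self._vid_map[vid]            # expired VIDs are forgotten, not reused
            return None
        return self.uid_token(aadhaar_number, aua_id)
```

Rotating the VID changes what the agency stores as an identifier but not the token it gets back, which is what lets an AUA keep its customer records unique without ever holding the Aadhaar number.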
The key issue, according to security practitioners, is that the concept of VID is still not understood by most enterprises.
Ratan Jyoti, CISO, Ujjivan Small Finance Bank, finds the Aadhaar system complex to implement; his institution acquired 1 million customers through the Aadhaar authentication process.
"Due to lack of technical understanding at both the agency level and the enterprise level, there is a delay by the authentication agencies to make necessary changes in front-end application to accept Aadhaar number as well as Virtual ID, and in backend application to accept UID token and limited KYC data immediately," Jyoti says.
One of the reasons for the slow takeoff is apprehension about third-party risks at the AUA and KUA level, says Naavi.
Lohar argues that because intermediaries are involved, there is no assurance that standard certification and security guidelines are observed when authenticating user identities.
Expediting Virtual Security
Security leaders say that CISOs now must ensure that they redefine their security architecture to enable Aadhaar authentication and design a framework complementing VID in their respective systems to enable Aadhaar authentication for users.
Naavi believes that with the introduction of VID, third-party data collection agents, the Authentication User Agencies and Know Your Customer User Agencies (KUAs), will have limited access to Aadhaar holders' actual data, as only the generated Virtual ID is registered with any service, not the actual Aadhaar number.
CISOs need to change their APIs to integrate the VID requirement and ensure that this process is completed quickly, before the mandatory verification kicks in at the end of June, to enable Aadhaar authentication mechanisms within the organization, says Naavi.
While UIDAI claims that the Aadhaar system is safe with encryption tools, practitioners believe that besides providing additional layers of security, it should define security standards for every function, including at the CIDR, AUA and KUA and transactional levels.
Agnidipta Sarkar, Global Information Risk & Continuity Officer, DXC Technologies, says, "It's a question of governance as to how and who needs to implement standards around Aadhaar authentication process and deploy reasonable security practice."
Lohar recommends building a traceability ecosystem into the Aadhaar system to capture anomalies in the biometric and other data-gathering mechanisms.