UIDAI

Introduction

Entering Aadhaar Authentication Ecosystem

AUA is any government / public / private legal agency registered in India that seeks to use Aadhaar authentication for its services. An AUA is the principal agency that sends authentication requests to enable its services / business functions.

An AUA connects to the CIDR through an ASA (either by becoming ASA on its own or contracting services of an existing ASA).

Examples of AUAs:

Department of Civil Supplies, which seeks to verify the identity of a target resident before issuing them their monthly ration of rice, kerosene, etc.

Any bank / financial institution that seeks to verify the identity of its customer before letting them complete a financial transaction such as withdrawal or transfer of funds.

The administration/security department of a high-security building/zone that seeks to verify the identity of any individual seeking entry into the building/zone.

• Identify business / service delivery needs : The agency needs to identify service delivery areas where Aadhaar authentication may be used. The agency also needs to decide what authentication types they would be using for Aadhaar enabling different service delivery needs.
• Fill online application form: Any agency interested in becoming an AUA needs to apply online. UIDAI has an online workflow based application form for engaging with AUAs.
• Engage with ASA(s): One of the initial stages for becoming an AUA is the need to engage with an existing ASA. The list of approved ASAs would be available online and an interested AUA can engage accordingly. In case an agency wants to become both ASA and AUA, it would first need to get approved as an ASA and then apply for becoming AUA.
• Send signed contract and supporting documents to UIDAI: The AUA should send hardcopy of the signed contract along with required supporting documents to UIDAI. The online application would be approved by UIDAI upon receipt of the required documents.
• Ensure process and technology compliance: The AUA needs to setup necessary systems, processes, infrastructure etc. in compliance with UIDAI’s standards and specifications. Some such requirements include defining exception handling mechanism, developing application using Aadhaar authentication APIs, ensuring connectivity from authentication devices to the AUA server etc. Compliance to various requirements needs to be confirmed to UIDAI through the online application form.
• Plan device deployment : The AUA needs to decide upon the authentication device specifications based on its business requirements and ensure deployment of same. If an AUA opts for biometric authentication, the sensor/extractor of the devices needs to be certified by STQC. If an AUA opts for operator-assisted devices, the AUA would also need to ensure training and readiness of operators.
• Obtain approvals from UIDAI: UIDAI would approve an AUA’s application form when various compliance requirements are met. An AUA should engage with UIDAI during the process and provide required clarifications.
• Carry out end-to-end testing: Approval from UIDAI allows an AUA to carry out end-to-end testing of their application with the CIDR. Before going live with actual resident authentication, it is highly recommended that an AUA carries out thorough end-to-end testing of their application with the selected ASA and with CIDR. The AUA should get the systems related to Aadhaar authentication audited by information systems auditors certified by a recognized body before going live.
• Go-live: An AUA can go-live after confirmation of adherence to all UIDAI’s standards and specifications. UIDAI plans to manage the same through online workflow based application.

• Choose an appropriate authentication type based on business and deployment risk assessment; inform UIDAI regarding the same.
• Ensure compliance of authentication related operations (processes, technology, security, etc.) to UIDAI’s standards and specifications.
• Prepare authentication packet as per Authentication API specifications.
• Log and maintain details of all authentication transactions.
• In case Aadhaar biometric authentication is used, ensure Best Finger Detection (BFD) application is implemented to on-board the residents for biometric authentication.
• Identifying exception-handling and back-up identity authentication mechanisms.
• Deploy fraud monitoring mechanism, as per AUA’s business needs, to prevent misuse of exception handling mechanism by operators and any other ecosystem members.
• Get its operations and systems related to Aadhaar Authentication audited as per UIDAI’s specifications.
• Ensure connectivity from authentication devices to the AUA server and between the AUA server and the ASA server.
• Procure, deploy and manage devices in compliance with UIDAI specifications.
• Ensure adequate training for the personnel managing authentication devices.
• Inform UIDAI of the engagement/ disengagement of Sub AUAs.
• Ensure supported Sub AUAs comply with UIDAI’s standards and specifications.
• Inform UIDAI of any misuse of Aadhaar data, authentication services, or any compromise of Aadhaar related data or systems.

• Aadhaar number should be never used as a domain specific identifier.
• In the case of operator assisted devices, operators should be authenticated using mechanisms such as password, Aadhaar authentication, etc.
• PID block captured for Aadhaar authentication should be encrypted during capture and should never be sent in the clear over a network.
• The encrypted PID block should not be stored unless it is for buffered authentication for a short period, currently configured as 24 hours.
• Biometric and OTP data captured for the purposes of Aadhaar authentication should not be stored on any permanent storage or database.
• The meta data and the responses should be logged for audit purposes.
• Network between AUA and ASA should be secure.