Authentication Devices & Documents
Authentication devices are host devices/electronic actors that form a critical link in the Aadhaar authentication ecosystem. These devices collect personal identity data (PID) from Aadhaar number holders, prepare the information for transmission, transmit the authentication packets for authentication and receive the authentication results. Examples of authentication devices include form factors ranging from desktop PCs, laptops, kiosks to Point-of-Sale (PoS)/handheld mobile devices (microATMs) and tablets. Such devices are expected to be used for a variety of purposes specific to every requesting entity’s requirements.
Authentication devices perform the following key functions:
- Collect Personal Identity Data (PID) from Aadhaar number holders through the domain / client application hosted on such devices.
- Perform basic checks on the information collected for completeness and compliance.
- Transmit the authentication packets and receive the authentication result.
These functions are performed in compliance with the Aadhaar Act, 2016 and its Regulations.
Authentication devices are deployed by requesting entities (AUA/KUA). Based on the mode of operation, such devices are classified as Self-Assisted and Operator-Assisted devices.
Self-Assisted devices are devices on which the Aadhaar authentication transaction is carried out by the Aadhaar number holder himself/herself without any assistance.
Operator-Assisted devices are devices on which the Aadhaar authentication transaction of the Aadhaar number holder is performed with the assistance of the requesting entity’s operator.
Exception handling provisions
The device application should have provisions to service genuine Aadhaar number holders who may be falsely rejected during biometric authentication. There should also be measures to continue service delivery in case of other technological limitations such as network non-availability, device breakdown, etc. There should be no denial of service to Aadhaar number holders due to technology limitations. The exception handling mechanisms should be backed up by non-repudiable features to log/audit requests handled through the exception handling mechanism, to prevent any fraud attempts.
For details on security requirements, refer to the Aadhaar Act, 2016 and its Regulations.
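The audit logging of exception-handled requests described above, sketched as an added example (not UIDAI code and not part of the original page). Field names, reason codes, operator IDs and the key are constructed assumptions; the HMAC chain shown here makes the log tamper-evident, and a deployment that needs non-repudiation towards third parties would replace the HMAC with a digital signature.

```python
import hashlib, hmac, json

GENESIS = "0" * 64
# Biometric and OTP data may not be stored, so these fields are refused.
FORBIDDEN = {"pid", "biometric", "otp"}

def _mac(key, seq, prev, body):
    # Canonical JSON so the same body always yields the same MAC.
    data = json.dumps([seq, prev, body], sort_keys=True, separators=(",", ":"))
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()

def append_exception(log, key, body):
    """Append one exception-handled request, chained to the previous entry."""
    if FORBIDDEN & body.keys():
        raise ValueError("capture data must not be written to the audit log")
    seq = len(log)
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"seq": seq, "prev": prev, "body": body, "mac": _mac(key, seq, prev, body)}
    log.append(entry)
    return entry

def verify(log, key, head=None):
    """Return -1 if intact, else the index of the first bad or missing entry.
    head is the last MAC as recorded off-device; it exposes tail truncation."""
    prev = GENESIS
    for i, e in enumerate(log):
        good = _mac(key, i, prev, e["body"])
        if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(e["mac"], good):
            return i
        prev = e["mac"]
    return len(log) if head is not None and head != prev else -1

DEMO_KEY = b"constructed-demo-key"  # assumption: a per-device secret

def sample_log():
    """Constructed entries: operator IDs, reasons and references are made up."""
    log = []
    for op, reason, ref in [("OP-017", "BIOMETRIC_FALSE_REJECT", "TXN-0001"),
                            ("OP-017", "NETWORK_UNAVAILABLE", "TXN-0002"),
                            ("OP-022", "DEVICE_BREAKDOWN", "TXN-0003")]:
        append_exception(log, DEMO_KEY, {"operator": op, "reason": reason, "txn_ref": ref})
    return log

if __name__ == "__main__":
    log = sample_log()
    log[1]["body"]["reason"] = "DEVICE_BREAKDOWN"  # simulate tampering
    print("first bad entry:", verify(log, DEMO_KEY))
```

Because each entry's MAC covers its sequence number and the previous MAC, an edited, reordered or deleted entry fails verification from that point on; truncation of the newest entries is only visible when the latest MAC is also recorded somewhere other than the device.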
Device Operator Training
A large number of authentication devices, especially those initiating biometric authentication requests, are expected to be operator-assisted devices. AUAs should ensure that operators are adequately trained to carry out Aadhaar authentication transactions and also to handle queries from Aadhaar number holders appropriately.
Some key areas that should be part of operators’ training include:
- Usage of biometric devices and Do’s / Don’ts for capturing good quality biometrics
- Usage of BFD, process for on-boarding Aadhaar number holders and guiding them for next steps
- Exception handling processes and ensuring no denial of service to Aadhaar number holders due to technology limitations
- Communicating appropriately with Aadhaar number holders
- Fraud monitoring & fraud reporting mechanisms
- Basic troubleshooting steps and contact details of AUA’s device/application support team
Mandatory Security Requirements
- PID block captured for Aadhaar authentication should be encrypted during capture and should never be sent in the clear over a network.
- The encrypted PID block should not be stored unless it is for buffered authentication for a short period of time.
- Biometric and OTP data captured for the purposes of Aadhaar authentication should not be stored on any permanent storage or database.
- In the case of operator assisted devices, operators should be authenticated using mechanisms such as password, Aadhaar authentication, etc.