Firewall for Aadhaar with 16-digit Virtual ID, UID Token & Limited KYC

Aadhaar Virtual ID, UID Token & Limited KYC to strengthen privacy

To strengthen the privacy and security of Indian citizens, the UIDAI has introduced a new layer of security – Aadhaar Virtual ID (VID), Limited KYC and UID Tokens – for Aadhaar card holders. It is a two-layer security system to reinforce privacy protection for Aadhaar number holders.

A circular issued by UIDAI said:

It will not be possible to derive the Aadhaar number from the Virtual ID.


Present Scenario

Till now, a person had to give his/her 12-digit identity number along with other attributes (demographic and/or biometrics and/or through a one-time password) during authentication or e-KYC (know your customer) for accessing various benefits and services from service providers.

Let’s study the security layers of UIDAI on Aadhaar.

Aadhaar Virtual ID (VID)

The Virtual ID (VID) will be a 16-digit random (or temporary) number mapped with the Aadhaar number. It can only be generated, replaced or revoked by the Aadhaar number holder from time to time. It will be issued from 1st March 2018. It can be shared with any service provider instead of the 12-digit Aadhaar number.

You can opt to use the Virtual ID as many times as you want or keep generating a new one every time you have to share your Unique ID. The older ID gets automatically cancelled once a fresh one is generated.

In simple words, you will be able to generate a temporary 16-digit number that can be shared instead of the Aadhaar number for various services like airline or railway counters.

Limited KYC

Through the Limited KYC (Know Your Customer) safety feature, UIDAI will provide only need-based or limited details of a user to an authorized agency that is providing a particular service, such as airline or railway counters.

Authentication User Agencies (AUAs)

In the Limited KYC, UIDAI will decide if an organisation needs to store Aadhaar numbers.

Here, AUAs are divided into two categories:

Global AUAs: These agencies will be allowed to store the Aadhaar number and will also be provided UID Tokens for each Aadhaar number in response to any e-KYC request, which they can use as per their need to authenticate.

Local AUAs: These agencies will only be allowed Limited KYC and will not be allowed to store the Aadhaar numbers. They will use UID Tokens.

UID Token

The UIDAI will issue agency specific UID Tokens to Local AUAs, which will help them identify customers.

UIDAI said it will:

Reserve the right to determine, in addition to UID Token, what demographic fields need to be shared with the Local AUAs depending upon its need.

A UID Token will be specific to the authentication agency and the Aadhaar number. To authenticate the identity of a beneficiary, the UIDAI will provide a unique token for a particular Aadhaar number, which will remain the same for that number for one particular authenticating entity. For any other authentication body, the UID Token for the same Aadhaar number will be different.

Regarding the UID Token, UIDAI said in the circular:

Allows an agency to ensure uniqueness of its beneficiaries, customers etc. without having to store the Aadhaar number in their databases while not being able to merge databases across agencies thus enhancing privacy substantially.
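
The properties described above for the Virtual ID and the UID Token, sketched as an added example; it is not UIDAI's implementation, whose construction this article does not describe. It assumes a keyed HMAC-SHA256 for token derivation and an in-memory mapping, and `TokenVault`, `generate_vid`, `uid_token` and the agency ids are hypothetical names.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Toy central issuer. Hypothetical names; not UIDAI's actual design."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # assumed issuer-only secret
        self._vid_to_uid = {}  # active VID -> 12-digit number
        self._uid_to_vid = {}  # 12-digit number -> current VID

    def generate_vid(self, uid: str) -> str:
        """Issue a random 16-digit VID and cancel the holder's previous one."""
        old = self._uid_to_vid.pop(uid, None)
        if old is not None:
            del self._vid_to_uid[old]
        while True:  # random, so nothing about uid can be derived from it
            vid = f"{secrets.randbelow(10**16):016d}"
            if vid not in self._vid_to_uid:
                break
        self._vid_to_uid[vid] = uid
        self._uid_to_vid[uid] = vid
        return vid

    def uid_token(self, vid: str, agency_id: str) -> str:
        """Resolve an active VID to the token for this agency only."""
        uid = self._vid_to_uid.get(vid)
        if uid is None:
            raise KeyError("unknown or cancelled VID")
        # uid is fixed-length, so "uid|agency" is an unambiguous encoding
        msg = f"{uid}|{agency_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    vault = TokenVault()
    uid = "999900001111"  # constructed sample number
    vid = vault.generate_vid(uid)
    bank = vault.uid_token(vid, "LOCAL-AUA-BANK")
    telco = vault.uid_token(vid, "LOCAL-AUA-TELCO")
    new_vid = vault.generate_vid(uid)  # old VID is cancelled here
    print("token stable per agency:", bank == vault.uid_token(new_vid, "LOCAL-AUA-BANK"))
    print("tokens differ across agencies:", bank != telco)
```

Because the token is keyed on the underlying number and the agency, it survives a VID change for the same agency, while two agencies comparing their stored tokens find no common value to join on.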

Service Providers

All service providers (such as banks, income tax authorities, post offices, LPG, insurance and telecom companies) will have to upgrade their systems to mandatorily allow for the new tool from June 1, 2018.

Note: Agencies (or service providers) that do not migrate to the new system to offer this additional option to their users by the stipulated deadline will face financial disincentives.

As per the UIDAI, agencies that undertake authentication will not be allowed to generate the Aadhaar Virtual ID on behalf of the Aadhaar holder.