The Unique Identification Authority of India (UIDAI) has announced a new way to ensure your Aadhaar number is protected. The new solution is called Aadhaar Virtual ID.
The Virtual ID is a 16-digit random number which can be generated by an Aadhaar card holder on the UIDAI website. Its aim is to mask the real 12-digit Aadhaar number when something is being authenticated via Aadhaar. By this means, your actual Aadhaar number is secure and there will be no need to share it with everyone.
The Virtual ID will come into effect on 1 March and is meant to be a temporary and revocable 16-digit random number which is mapped to a person's real Aadhaar number. From 1 June onwards, it will be mandatory for all agencies that authenticate users by their Aadhaar numbers to have the Virtual ID systems in place. The Virtual ID system is optional for users, but agencies will have to provide both options for authentication from 1 June onwards.
"Aadhaar number holders can use the Virtual ID in lieu of an Aadhaar number whenever authentication or KYC services are performed. Authentication may be performed using the Virtual ID in a manner similar to using Aadhaar number," a UIDAI circular said. There are around 119 crore Aadhaar numbers that have been issued by the UIDAI.
Aadhaar card holders can give this Virtual ID to service agencies along with the fingerprint at the time of authentication. Since the system-generated Virtual ID will be mapped to an individual's Aadhaar number itself at the back end, it will do away with the need for the user to share their Aadhaar number for authentication.
Here are the major things you need to know about the 16-digit Virtual ID:
- Users can go to the UIDAI website to generate their Virtual ID, which will be valid for a pre-defined period of time, or till the user decides to change it
- There is no limit on the number of Virtual IDs that can be generated. The previous Virtual ID will cease to exist after you use your current one
- The Virtual ID cannot be used by agencies for de-duplication. Virtual ID is revocable and can be replaced by a new one by the Aadhaar number holder after the minimum validity period set by UIDAI policy
- Agencies will not be able to locate an individual's real Aadhaar number from the Virtual ID
- Virtual IDs cannot be generated by third-party agencies on behalf of Aadhaar card holders
- The Virtual ID can be generated, replaced with a new VID number and more from the UIDAI website, Aadhaar enrollment centre as well as the mAadhaar mobile app.
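The properties listed above describe a tokenization scheme: a random token, mapped to the real number only at the back end, replaceable by its holder. The sketch below is an added illustration and not UIDAI's code; the class name, the 24-hour minimum validity, the rule that issuing a new VID revokes the old one immediately, and the `verify` callback standing in for the fingerprint match are all assumptions.

```python
import secrets
import time

MIN_VALIDITY_SECONDS = 24 * 3600  # assumed policy value; the page gives none


class VidVault:
    """Illustrative back-end mapping of Virtual IDs to Aadhaar numbers."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._vid_to_aadhaar = {}   # lookup used only inside the back end
        self._current = {}          # aadhaar -> (vid, issued_at)

    def generate(self, aadhaar):
        """Issue a fresh 16-digit VID, revoking the holder's previous one."""
        if not (aadhaar.isdigit() and len(aadhaar) == 12):
            raise ValueError("expected a 12-digit Aadhaar number")
        now = self._clock()
        old = self._current.get(aadhaar)
        if old and now - old[1] < MIN_VALIDITY_SECONDS:
            raise PermissionError("minimum validity period has not elapsed")
        # The VID comes from a CSPRNG and is not derived from the Aadhaar
        # number, so holding a VID gives an agency nothing to invert.
        while True:
            vid = f"{secrets.randbelow(10**16):016d}"
            if vid not in self._vid_to_aadhaar:
                break
        if old:
            del self._vid_to_aadhaar[old[0]]  # the old VID stops resolving
        self._vid_to_aadhaar[vid] = aadhaar
        self._current[aadhaar] = (vid, now)
        return vid

    def authenticate(self, vid, verify):
        """Resolve the VID internally and return only a yes/no answer.

        `verify` stands in for the biometric check against the resolved
        record; the Aadhaar number itself is never returned to the caller.
        """
        aadhaar = self._vid_to_aadhaar.get(vid)
        if aadhaar is None:
            return False  # unknown or revoked VID
        return bool(verify(aadhaar))
```

Because each replacement VID is unrelated to the one before it, an agency that stores VIDs cannot use them as a stable key to link a person's records over time, which is the de-duplication restriction in the list above.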
For added security, UIDAI will soon limit the amount of information shared during a KYC process. In the current scenario, you have to share details such as name, date of birth, photo, address and mobile number at the time of authentication. But in the future, you may just need to share some of these details at the time of authentication, based on the service being accessed. For instance, for a new mobile connection, you may just need to share your name, photo and address. For other things such as a Passport, all details may need to be shared.
According to a report in Medianama, the limited sharing of information is only possible with local authentication user agencies (local AUAs) as opposed to a global AUA.
An Authentication User Agency (AUA) is an entity engaged in providing Aadhaar Enabled Services to an Aadhaar number holder, using the authentication as facilitated by the Authentication Service Agency (ASA). An AUA may be a government/public/private legal agency registered in India, that uses the Aadhaar authentication services of UIDAI and sends authentication requests to enable its service/business functions.
The report points out that the global AUA will be designated according to an evaluation done by UIDAI, and they will have access to full eKYC and Aadhaar number from users. Some have speculated that the chances of banks and telcos being classified as global AUAs are higher. Local AUAs, on the other hand, will only get access to a limited set of information regarding the user and they will not be allowed to share Aadhaar number on their systems; this is where Virtual ID can truly shine and help in preventing the misuse of Aadhaar numbers.
Security researcher Srinivas Kodali feels that the Virtual ID feature has been added in a hurry and that the 1 March deadline can't be met. "The virtual ID is to be used only for local AUAs. Global AUAs, like banks, will still need Aadhaar for Direct Benefit Transfers. This does not remove the financial fraud risk that Aadhaar poses," he said.
This announcement comes just a few days after a major flaw was discovered in the Aadhaar security setup. A report in The Tribune on Thursday revealed that access to any Aadhaar holder's details could be gained through a payment of a mere Rs 500 via an anonymous service on WhatsApp. As per the report, the payment allowed the person to be designated as an 'agent', which in turn granted her access to the grievance redressal system. Entering an Aadhaar number into the system revealed the Aadhaar card holder's information, including name, date of birth, address, PIN, photo, phone number and e-mail ID. About one billion Aadhaar holders' details can be accessed this way. The report alleged that a further payment of Rs 300 allowed printing of an Aadhaar card using just the holder's number.