A look at India’s biometric ID system: digital APIs for a connected world

The consistency of government-issued ID ensures connection to government benefits and financial services, limiting fraud, waste and abuse. In India, a lack of a national identification system has restricted access to public-sector goods and services. Indians had struggled when obtaining a driver’s license or even enabling a mobile phone if they didn’t have identification. That has changed. India has emerged as a global leader in digital identification and has established the largest database of biometrics in the world.

Aadhaar: a national identification system

The classic debate over the merits of open free markets and a system of imposed central control by government is a foundational quandary of democracy. A question that comes to the forefront is this: Have open markets offered a road to growth and prosperity, or is a central operator a crucial element of the economic balance?

Regardless of which side of this debate you fall on, in both scenarios, a method for building an implied architecture for trust is required. A key tenet of setting the foundation for economic growth in a free and open market is to ensure citizen identity. Social healthcare, government entitlement programs, immigration, school admissions and electoral voting all demand an identification system to minimize abuse.

1.1 billion enrolled and growing

The Unique Identification Authority of India (UIDAI) is the world’s largest voluntary national ID number project; the goal is to cover 1.34 billion residents by the time the project is complete. Aadhaar is a voluntary, unique identification document program similar to the smart card program of France. Unlike the U.S. Social Security Number (SSN) program, the Chinese ID card program or Chile’s RUN ID card program, UIDAI is not mandatory, but rather a voluntary government program.

The Aadhaar program has made impressive strides toward the goal of providing all residents of India with ID numbers. The initiative that began in 2009 and as of this month, 1.1 billion Aadhaar cards had been issued. A project that started with the lofty goal of issuing 100 million cards within the first year now has built a national system that can process 1.5 million applications a day.

Aadhaar is industrial grade and handles 15 million transactions daily.

The race to a unified payment system

The Unique Identification Authority of India was created with the objective of issuing unique identification numbers (UID), or “Aadhaar.” Even before the first Aadhaar card was issued, in 2010, the UIDAI launched the Aadhaar Auth API. By 2011, the National Payments Corporation of India (NPCI) launched the Aadhaar Payments Bridge and the Aadhaar Enabled Payments System which uses the Aadhaar number as a central key for the electronically channeling of government benefits and subsidies. Through 2012, the UIDAI eKYC, a paperless “know your customer” (KYC) process, allowed businesses to perform the customer verification process digitally using biometric or mobile OTP (one-time password). It is within the eKYC process that the identity and address of the subscriber are verified electronically through Aadhaar authentication. The Aadhaar eKYC was set up to reduce the delays with attestations and other verifications, resulting in faster processing and issuance of digital certificates.

In 2015, the Indian government’s Controller of Certifying Authorities launched eSign as an open API. This new API enables an Aadhaar card holder to sign a document digitally. The Ministry of Electronics and Information Technology (MeitY) also launched DigiLocker, a platform for issuance and verification of documents and certificates in a digital way, thus eliminating the use of physical documents.

For reference, accessing a document available on DigiLocker has five simple steps:

1. Sign up: register with mobile.
2. Sync: use your Aadhaar (card) to sync.
3. Request: get documents from issuers.
4. Share: exchange documents with requesters.
5. View: get documents verified by requesters.

Today, DigiLocker has 4.5 million registered users with more than 6.6 million uploaded documents, and 1.6 billion issued digital documents.

Lastly, in 2016 the National Payments Corporation of India enhanced its Unified Payments Interface, an advanced public payments system. This interface may be the backbone that catapults India into a cashless society by 2020.

India’s emerging API integrations

IndiaStack is a set of APIs that allows governments, businesses, startups and developers to utilize an India’s digital infrastructure. IndiaStack provides four technology layers: 1) presence-less, 2) paperless, 3) cashless and 4) consent. Already some interesting APIs and products have emerged to leverage the IndiaStack suite of APIs.

There are several sandbox servers available to test functionality across the Aadhaar network. The Aadhaar Bridge Developer Kit enables developers to build apps with Aadhaar integration using one seamless platform. eMudhra eServices comprises eSign and eAuth services that enable electronic paperless signing and authentication services. This service allows residents to sign any document electronically without going through the hassle of signing a document physically or with a dongle-based digital signature — no physical signature required. AuthBridge offers an array of services like employee background checks, risk assessment and talent solutions. OnGrid is a consent-based trust platform that modernizes verification and background checks in India by linking an individual’s data, documents, verification reports, testimonials and references to the residents’ 12-digit Aadhaar number, for a faster and cleaner access to true identity and background. Aadhaar API provides authentication (anyone using their Aadhaar number and biometric, OTP, and demographic data instantly), eKYC (onboard anyone quickly by retrieving their proof of address and proof of identity using Aadhaar based KYC), and eSIGN (get contracts and documents digitally signed by your customers or business associates using Aadhaar). Digio is another document-signing app that allows residents to sign agreements, IDs (driver’s licenses, PAN cards, passports), approvals and letters, and self-attestations.

The Aadhaar API

How does India manage the vast amounts of data flowing through the identification system supporting 1.1 billion residents? There are a lot of articles addressing in general terms how the Indian identification systems work. However, I was hard-pressed to find out any specifics about how authentication or data security and privacy was managed.

That is, until I stumbled upon the Aahdaar Authentication API Specification. This specification outlines the how software professionals and vendors can incorporate Aadhaar authentication into their applications. This is an API that will soon reach across India. In the following two sections I’ll explain how authentication and data security is managed by the Indian identification system.

Authentication and data security

Data blocks are encrypted using an AES-256 symmetric algorithm (AES/ECB/PKCS7Padding), and the session key is encrypted with 2048-bit UIDAI public key using an asymmetric algorithm (RSA/ECB/PKCS1Padding). Sessions keys are one-time only use and are not used across transactions. (There is a rather technical exception, but for the article’s continuity, we’ll omit that description. But you’re welcome to explore it if interested.)

The encryption flow also accepts multifactor authentication using one-time PIN (OTP) and could also be used in conjunction with biometrics.

Access to the Aadhaar Authentication API is categorized into two broad workflows: registered devices and nonregistered devices. For this discussion, we’ll focus on the most likely access point, a registered device.

The encryption flow has nine steps which I’ll summary for brevity.

1. Request key: Aadhaar number, demographic and biometric details are entered into the application, and the Aadhaar authentication server sends out a one-time PIN to the resident’s registered phone.
2. Generate key: The application generates a one-time session key.
3. Encode data: An authentication “data” XML block is encrypted using the one-time session key and then encoded (base 64).
4. Encrypt data: The session key is encrypted with the UIDAI public key.
5. Send data: The encrypted block is sent along with a keyed-hash message authentication code (HMAC) to the authentication server.
6. Construct XML: The authentication server composes the XML for API input, including a license key.
7. Decrypt data: The authentication server decrypts the data with the UIDAI private key, then the data block is decrypted using the session key.
8. Biometric factored: The residents biometric, demographics information and optional one-time PIN is factored in during the match.
9. Response confirmation: Aadhaar authentication server responds with a yes or no as part of the digitally signed response XML.

The introduction of India’s national identity system establishes the foundation for an integrated government. In my most recent paper, titled “An e-Government Interoperability Framework to Reduce Waste, Fraud and Abuse,” I present a practical approach for how separate entities can share information within the United States through an e-government interoperability framework. Interoperability is the key to a connected government, and India has taken the first step. A connected government is a government where the residents can access services such as healthcare, school admission, voting and government programs seamlessly across government entities. With 1.1 billion Aadhaar cards issued and the number racing toward 1.3 billion, it’s evident that the Aadhaar program is a vision that will be realized. A program for the betterment of all Indian residents. Other countries, including the United States, would be well advised to pick up a lesson or two from the largest identification and biometrics program in the world.