Virtual ID to Bolster Aadhaar Authentication UnveiledSecurity Leaders Assess New Layer of Security
The Unique Identification Authority of India has taken the next step toward adding an extra layer of security to protect Aadhaar data, a move that some security leaders are welcoming in light of recent Aadhaar-related data leaks.
All government agencies will be required to fully implement Virtual ID by June.
Some security practitioners says this extra layer of authentication could help protect Aadhaar data against breaches. Virtual ID will mask the original Aadhaar number and thus help minimize the risk of data leaks or disclosures.
"The concept of 'security by design' is being introduced through Virtual ID, and CISOs have the task of designing a framework complementing VID in their respective systems to accept Aadhaar authentication," says Prashant Mali, a cyber law expert who is president of Cyber Laws Consulting.
Virtual IDs is optional for use by all the organizations and individuals using Aadhaar; it's not restricted to government agencies. Aadhaar users can choose not to use the new Virtual IDs and continue using their Aadhaar numbers instead for transactions.
UIDAI's introduction of Virtual ID was prompted by the breach of the Aadhaar biometric database through unauthorized access and other breach incidents.
How VID Works
The Virtual ID is a temporary, revocable 16-digit random number that's mapped with the biometrics of the user's 12-digit Aadhaar number, giving limited details, such as name, address and photograph, which are enough for any verification. VID can be used in place of the Aadhaar number for any service for which Aadhaar authentication is used. Aadhaar holders still will be able to use the full Aadhaar number instead.
The VID will be automatically revoked once the Aadhaar holder generates a new VID or the validity period (10 minutes) expires.
The last digits of the VID is the checksum using 'Verhoeff' algorithm as in the Aadhaar number, and there will be only one active and valid VID for an Aadhaar number at any given time.
Only the Aadhaar holder will be able to generate the VID; no one else, including the authentication agency, can generate this VID on behalf of the Aadhaar holder.
The VID is generated with these four steps:
- Visit the UIDAI official portal;
- Under Aadhaar Services section, click on "Virtual ID (VID) to generate link by inserting name search and Aadhaar card number;
- Generate/retrieve VID using your Aadhaar number and one-time-password;
- Receive VID via a registered mobile phone.
Timely Action from UIDAI
The launch of VID comes at a time when the Constitution bench of the Supreme Court is hearing petitions challenging the Aadhaar Act and the use of a biometric identifier in various government and non-government services.
UIDAI CEO Ajay Bhushan Pandey last month made a presentation in the apex court to defend the government's ambitious Aadhaar scheme.
VID: Data Protection
The deadline has been set for June for the full rollout of VIDs and it will be compulsory for all agencies undertaking authentication to accept Virtual ID from their users, including the service authentication providers across organizations.
The VID offers a much-needed extra layer of privacy protection, says Bengaluru-based Naavi Vijayashankar, a cyber dispute risk management consultant and cyber law expert and founder of Naavi Consutants.
The main advantage, he says, is the VID can be used for accurate authentication without potentially exposing or tracking the actual Aadhaar number.
"With the introduction of VID third party data collection agents Authentication User Agency (AUAs) and Know Your Customer User Agency (KUAs), will have limited access to Aadhaar holders' actual data, as only the Virtual ID generated is registered under any service and not the actual Aadhaar number."
Some security practitioners say the VID could help prevent data leaks.
Naavi explains: "VID would be more secure, because, with VID, UIDAI will stop allowing direct access to its core Central Identities Data Repository (CIDR) server system, which houses the data of the citizens collected for issue of Aadhaar that can prevent data leaks. Instead, there will be a gateway server which faces the down stream service providers which is linked in the back end with the core CIDR server, restricting access to the main server.
"After generating the Virtual ID, if users want to check the Aadhaar identity against either the OTP or biometric of the Aadhaar holder, the query will be processed by the secondary server, which in turn will query the Core CIDR server and process the request and hence multiple levels of authentication is established," Naavi says.
Security leaders say that CISOs now must ensure that they redefine their security architecture to enable Aadhaar authentication. Mali says CISOs should design a framework complementing VID in their respective systems to enable Aadhaar authentication for users.
"All CISOs should immediately modify there Infosec policy to accommodate VID as a control," Mali says.
Naavi adds: "CISOs need to change the APIs to integrate with VID requirement and ensure that this process is completed quickly before the mandatory verification kicks in at the end of June to enable Aadhaar authentication mechanims within the organization."