The Aadhaar virtual ID (VID) verification mechanism is now operational, the biometric system’s governing body UIDAI has announced. The new Aadhaar virtual ID system will allow users to provide a virtually generated code instead of the actual 12-digit identifier in an effort to safeguard privacy. Banks will have time till August 31 to deploy the tool for user verification in their systems, the Unique Identification Authority of India (UIDAI) said in its announcement. Aadhaar holders can generate the virtual ID from the official website and then produce it for authentication purposes; the virtual code can be generated multiple times.
In a statement, UIDAI said virtual ID (VID) system is operational with Authentication User Agencies (AUAs) which have migrated to VID and UID token using the software (Auth API 2.5 and e-KYC API 2.5) that supports new VID capability. The body has also classified all authentication agencies registered with it into two heads – global or local. Banks have been categorised as global AUAs, and telecom companies amongst local AUAs for the purpose of authentication and KYC entitlement.
As per the norms laid down by UIDAI, global AUAs will be allowed access to complete KYC with Aadhaar number, and the entities classified as local AUAs will have limited access to KYC details of customers. According to UIDAI release, the telecom companies and e-sign companies, which may not have implemented the VID system from tomorrow shall be charged Rs. 0.20 for every transaction performed thereafter, a sort of ‘disincentive’. However, in case they are able to fully migrate to the new platform by July 31, the entire “authentication transaction charges imposed for the above said period of July 1-31, 2018, shall be waived”.
A UIDAI official explained, that this will nudge such companies to expedite the migration process to VID. “Also, for all other the AUAs including banks but other than those mentioned above (telecom operators and E-sign service providers), it has been decided that they shall migrate to VID and UID Token…by 31st August 2018,” the UIDAI statement said.
UIDAI cautioned that in case they fail to migrate fully to the new system by August 31, it will be “free to take actions under the Aadhaar Act including imposition of financial disincentives and termination of license key”. It had previously said that all agencies that undertake authentication will start accepting VIDs from their users from June 1, 2018 but had then decided to give one extra month (till July 1) for its deployment, after the user agencies said they needed more time to switch to the new system.
UIDAI CEO Ajay Bhushan Pandey said, “It has been observed that a number of AUAs have already migrated to production environment using APIs 2.5 for VID implementation and most of the remaining AUAs have tested VID and UID Token in pre-production environment APIs 2.5. We are requesting with these agencies to fully migrate to production environment by the stipulated date”.
As many as 121 crore people have been issued Aadhaar numbers so far. Authentication ecosystem varies from agency to agency and while for certain entities the authentication is carried out in a “controlled environment” in the presence of their own regular staff, in some other cases the authentication is performed in the presence of agents who may cater to more than one entity. At times, these agents in addition to authentication activity are also involved in other business activities, the UIDAI said.
“It is imperative that on the basis of level of supervision in authentication ecosystem and the risk assessment, the VID/UID Token associated security features should be implemented in certain category of AUAs sooner without any delay,” Pandey asserted.
UIDAI which has, for now, categorised all its authentication agencies as either global or local is in the process of reviewing the classification, based on the security and risk assessment of the authentication process of the said entity. “Pending this review, AUAs which were not classified earlier are now being provisionally classified. Nonetheless, global AUAs shall develop their application in such a manner that their Aadhaar based services may continue even in case of a change in their classification in future,” UIDAI said.
The agency also plans to introduce other forms of Aadhaar data verification, Pandey said adding that the same may be provided to agencies for identity verification in lieu of the current global or local (tags). The UIDAI CEO has instructed all authentication agencies to make necessary changes in front-end application to accept Aadhaar number as well as Virtual ID, and in backend application to accept UID token and limited KYC data immediately.
Once the new Virtual ID feature is fully implemented by user agencies, it allows Aadhaar holders to quote this random 16-digit number without actually disclosing Aadhaar number for authentication or verification purposes. A user can generate as many VIDs as he or she wants, and the older ID gets automatically cancelled once a fresh one is generated. The move, besides strengthening the privacy and security of Aadhaar data, will also reduce the collection of Aadhaar numbers by various agencies.