A look at India’s biometrics identification system: digital APIs for a connected world

India’s digital infrastructure transformation is enabling new services and APIs. Explore how India’s digital citizen app works and how India is securing data and authenticating users.

The consistency of government-issued identification ensures connection to government benefits and financial services, limiting fraud, waste, and abuse. The lack of a national identification system has restricted access to public sector goods and services. Indians had struggled when, obtaining a driver’s license or even enabling a mobile phone, when they didn’t have identification. That has changed. India has emerged as a global leader in digital identification and has established the largest database of biometrics in the world.

Aadhaar: a national identification system

The classic debate between open free markets and imposed central control by government is the foundational quandary of democracy. A question that comes to the forefront is: have open markets offered a road to growth and prosperity or is a central operator a crucial element of the economic balance?

Regardless of the side of this debate upon which you fall, in both scenarios, a method for building an implied architecture for trust is required. A key tenet of setting the foundation for economic growth in a free and open market is to ensure citizen identity. Social healthcare, government entitlement programs, immigration, school admissions, and electoral voting all demand an identification system to minimize abuse of economic systems.

1.1 billion enrolled and growing

The Unique Identification Authority of India (UIDAI) is the world’s largest voluntary national identification number project, intended to cover 1.34 billion residents at project completion. Aadhaar is a voluntary, unique identification document program similar to the smart card program of France. Unlike the United States Social Security Numbers (SSN) program, the Chinese ID Card program, and the Chile ID Card – RUN program, UIDAI is not mandatory, but rather a voluntary government program.

The Aadhaar programs have made impressive strides towards a vision of providing all residents of Indian an identities. As of February 2017, 1.1 billion Aadhaar cards had been issued, an initiative that began in 2009. A struggle that started with the lofty goal of issuing 100 million cards within the 1st year, now has built a national system that can process 1.5 million applications a day.

Aadhaar is industrial grade and handles 15 million transactions daily.

The race to a unified payment system

The Unique Identification Authority of India created with the objective to issue Unique Identification numbers (UID), named as “Aadhaar.” Even before the first Aadhaar card was issued, in 2010, the UIDAI launched the Aadhaar Auth API. By 2011 the National Payments Corporation of India (NPCI) launched the Aadhaar Payments Bridge and the Aadhaar Enabled Payments System which uses the Aadhaar number as a central key for the electronically channelizing of government benefits and subsidies. Through 2012 the UIDAI, eKYC, a paperless Know Your Customer (KYC) process, allowed businesses to perform the “Know Your Customer” verification process digitally using Biometric or Mobile OTP. It is within the eKYC process that the identity and address of the subscriber are verified electronically through Aadhaar Authentication. The Aadhaar eKYC was initiated to reduce the delays with attestations and other verifications resulting in faster processing and issuance of digital certificates.

In 2015 the Government of India, Controlled of Certifying Authorities launched eSign as an open API. This new API enables an Aadhaar card holder to sign a document digitally. The Ministry of Electronics and Information Technology (MeitY) also launched DigiLocker, a platform for issuance and verification of documents and certificates in a digital way, thus eliminating the use of physical documents.

For reference-accessing a document available on DigiLocker has five simple steps:

  1. Sign up: register with mobile
  2. Sync: use your Aadhaar (card) to sync
  3. Request: get documents from issuers
  4. Share: exchange documents with requesters
  5. View: get documents verified by requesters

Today, DigiLocker has 4.5 million registered used with over 6.6 million uploaded documents, and 1.6 billion issued digital documents.

Lastly, in 2016 the National Payments Corporation of India enhanced their Unified Payments Interface, an advanced public payments system. This interface may be the backbone that catapults India into a cashless society by 2020.

India’s emerging API integrations

IndiaStack is a set of APIs that allows governments, businesses, startups and developers to utilize an India’s digital infrastructure. IndiaStack provides four technology layers: (1) presence-less, (2) paperless, (3) cashless, and (4) consent. Already some interesting APIs and products have emerged to leverage the IndiaStack suite of APIs.

There are several sandbox servers available to test functionality across the Aadhaar network. The Aadhaar Bridge Developer Kit enables developers to build apps with Aadhaar integration using one seamless platform. eMudhra eServices comprises of eSign and eAuth services that enable electronic paperless signing and authentication services. This service allows residents to sign any document electronically without going through the hassle of signing a document physically or with a dongle based digital signature – no physical signature required. AuthBridge offers an array of services like employee background check, risk assessment, and talent solutions. OnGrid is a consent-based trust platform that modernizes verification and background checks in India by linking an individual’s data, documents, verification reports, testimonials and references to the residents’ 12-digit Aadhaar number, for a faster and cleaner access to true identity and background. Aadhaar API provides authentication (anyone using their Aadhaar number and biometric, OTP, and demographic data instantly), eKYC (onboard anyone quickly by retrieving their proof of address and proof of identity using Aadhaar based KYC), and eSIGN (get contracts and documents digitally signed by your customers or business associates using Aadhaar). Digio is another document signing app that allows residents to sign agreements, IDs (driving licenses, PAN card, passports), approvals and letters, and self-attestations.

The Aadhaar API

How does India manage the vast amounts of data flowing through the identification system supporting 1.1 billion residents? There are a lot of articles addressing in general terms how the Indian identification systems work. However, I was hard pressed to find out any specifics about how authentication or data security and privacy was managed.

That was until I stumbled upon the Aahdaar Authentication API Specification. This specification outlines the how software professionals and vendors can in incorporate Aadhaar authentication into their applications. This is an API that will soon reach across India.In the following two sections I’ll explain how authentication and data security is managed by the Indian identification system.

Authentication and data security

Data blocks are encrypted with using an AES-256symmetric algorithm (AES/ECB/PKCS7Padding), and the session key is encrypted with 2048-bit UIDAI public key using an asymmetric algorithm (RSA/ECB/PKCS1Padding). Sessions keys are one-time only use and are not used across transactions. (There is a rather technical exception, but for the article’s continuity, we’ll omit that description. But you’re welcome to explore it if interested.)

The encryption flow also accepts multi-factor authentication using one-time pin (OTP) and could also be used in conjunction with biometrics.

Access to the Aadhaar Authentication API is categorized into two broad workflows:(1) registered devices and (2) non-registered devices. For this discussion, we’ll focus on the most likely access point, a registered device.

The encryption flow has nine steps which I’ll summary for brevity.

  1. Request key: Aadhaar Number, demographic, and biometric details enter into the application, and the Aadhaar authentication server sends out a one-time-pin to the resident’s registered phone
  2. Generate key: the application generates a one-time session key
  3. Encode data: an authentication “data” XML block is encrypted using the one-time session key and then encoded (base 64)
  4. Encrypt data:  the session key is encrypted with the UIDAI public key
  5. Send data: the encrypted block is sent along with a keyed-hash message authentication code (HMAC) to the authentication server
  6. Construct XML: the authentication server composes the XML for API input, including a license key
  7. Decrypt data: the authentication server decrypts the data with the UIDAI private key, then the data block is decrypted using the session key.
  8. Biometric factored: the residents biometric, demographics information and optional one-time-pin is factored in during the match
  9. Response confirmation: Aadhaar authentication server responds with a yes or no as part of the digitally signed response XML.

The introduction India’s national identity system establishes the foundation for an integrated government. In my most recent paper titled An e-Government Interoperability Framework to Reduce Waste, Fraud, and Abuse, I present a practical approach for how separate entities can share information within the United States through an e-Government Interoperability Framework. Interoperability is the key to a connected government, and India has taken the first step. A connected government is a government where the residents can access services such as healthcare, school admission, voting, and government programs seamlessly across government entities. With 1.1 billion issued Aadhaar cards racing towards 1.3 billion, it’s evident that the Aadhaar program is a vision that be realized. A program for the betterment of all Indian residents. Other countries, including the United States, would be well advised to pick up a lesson or two from the largest identification and biometrics program in the world.

Previous articleBiometrics: why play in the next era of emerging technologies
Next articleRecognition, Interviews and Article Quotes with Peter B. Nichol
Peter is a technology executive with 19 years of experience, dedicated to driving innovation, digital transformation, leadership, and data in business. He helps organizations connect strategy to execution to maximize company performance. He has been recognized for Digital Innovation by CIO 100, MIT Sloan, Computerworld, and the Project Management Institute. As Managing Director at OROCA Innovations, Peter leads the CXO advisory services practice, driving digital strategies. Peter was honored as an MIT Sloan CIO Leadership Award Finalist in 2015 and is a regular contributor to CIO.com on innovation. Peter has led businesses through complex changes, including the adoption of data-first approaches for portfolio management, lean six sigma for operational excellence, departmental transformations, process improvements, maximizing team performance, designing new IT operating models, digitizing platforms, leading large-scale mission-critical technology deployments, product management, agile methodologies, and building high-performance teams. As Chief Information Officer, Peter was responsible for Connecticut’s Health Insurance Exchange’s (HIX) industry-leading digital platform transforming consumerism and retail oriented services for the health insurance industry. Peter championed the Connecticut marketplace digital implementation with a transformational cloud-based SaaS platform and mobile application recognized as a 2014 PMI Project of the Year Award finalist, CIO 100, and awards for best digital services, API, and platform. He also received a lifetime achievement award for leadership and digital transformation, honored as a 2016 Computerworld Premier 100 IT Leader. Peter is the author of Learning Intelligence: Expand Thinking. Absorb Alternative. Unlock Possibilities (2017), which Marshall Goldsmith, author of the New York Times No. 1 bestseller Triggers, calls "a must-read for any leader wanting to compete in the innovation-powered landscape of today." Peter also authored The Power of Blockchain for Healthcare: How Blockchain Will Ignite The Future of Healthcare (2017), the first book to explore the vast opportunities for blockchain to transform the patient experience. Peter has a B.S. in C.I.S from Bentley University and an MBA from Quinnipiac University, where he graduated Summa Cum Laude. He earned his PMP® in 2001 and is a certified Six Sigma Master Black Belt, Masters in Business Relationship Management (MBRM) and Certified Scrum Master. As a Commercial Rated Aviation Pilot and Master Scuba Diver, Peter understands first hand, how to anticipate change and lead boldly.