UIDAI introduces virtual Aadhaar IDs to tighten security, but it may have come too late

Citizens can now do Aadhaar authentication with virtual IDs instead of the 12-digit biometric number. Security experts think this should have happened right at the outset.

In its latest measure to curb Aadhaar data breaches, the Unique Identification Authority of India (UIDAI) has announced a virtual ID feature and limited KYC verification for users. Aadhaar holders can now generate a 16-digit virtual ID (a random combination of numbers) by themselves on the UIDAI website.

Virtual IDs can be generated multiple times and used at all service agencies that require Aadhaar authentication. Every time a new ID is generated, the older ones get auto cancelled. UIDAI has stated that this two-step safety layer will shield the 12-digit biometric Aadhaar ID, and prevent it from being stored with third-party agencies.

All agencies that require Aadhaar authentication have to implement support for virtual IDs by June 1. Any failure to comply will result in “financial disincentives” and a possible removal from Aadhaar access, the UIDAI notified in a circular. UIDAI will release APIs and started accepting virtual IDs from March 1.

It believes that virtual IDs will prevent leaks and help secure the personal information of 119 crore citizens who have already been enrolled in the Aadhaar ecosystem. This development comes just a day after an RBI-organised thinktank expressed serious concerns around Aadhaar making it clear that it was a hotbed for cyber criminals.

"Aadhaar faces a number of challenges over the short and long-term. In an era when cyber threats are frequent, the major challenge for UIDAI is to protect the data under its control since the biometrics is now an important national asset which has huge ramifications for various government programmes and the banking system,” the RBI had stated.

It also comes shortly after The Tribune exposed an Aadhaar data breach that hinted at commercial misuse of the database. UIDAI though denied any such privacy breach. 

Too little, too late?

While on the surface, a virtual ID and a two-step safety system sounds positive, it might have come a little too late considering hundreds of millions of Indians have already shared their 12-digit IDs with banks, telecom operators, gas suppliers, mobile wallets, and scores of other agencies that made Aadhaar-linking compulsory.

Talking to YourStory, Ankush Johar, Director of Infosec Ventures (an infrastructure security solutions provider for government and commercial businesses), says

The question is, why now? Virtual IDs should have been the way to go from Day One. Only about two to three percent of the 1.2 billion would be bothered to go to the UIDAI website and generate virtual IDs for every service. It is too late in the day to have woken up.

On the agencies’ side too, implementation of the virtual ID system may not be as easy as it sounds. Large businesses and services will do it soon “because they do not want to be on the wrong side of the UIDAI”, but for smaller entities, compliance might pose a problem.

"On the technical side, it is a simple thing to do and would not incur much costs. But if it is an architecture-level change, it might be difficult for small operators. For instance, if a rural bank has done eKYC verification for thousands of customers on remote tablets, it might be a logistical issue for them to call them back and get it redone," Johar further explains.

There is a timeframe to abide by as well. Between March 1 and June 1, all services that required Aadhaar authentication have to be ready with virtual ID acceptance systems. Only time will tell how this pans out!