Thursday, October 20, 2016

How Aadhaar Esign and Ekyc made Reliance Jio the fastest growing company?


Reliance Jio is growing exponentially. As of date, it has already reached 1.5 crore customers in a month's time. No company in India has grown this fast. They are signing up more than 5 lakh customers per day. There are several reasons for this growth, but the most important is the way they made use of the Aadhaar platform. The two most important things that made this possible are below.
  • Aadhaar ESign for Digital Signature from customers
  • Aadhaar Ekyc for Kyc of customers

They have used it effectively, which enables them to onboard customers in less than 3 minutes. Customers are walking out of the showroom with a working mobile connection, which was not possible earlier. Following are the advantages Aadhaar brought to Jio and its customers.

All happening inside a mobile app

The sales representative uses just a mobile app for the entire customer onboarding, so it is fully paperless. The sales agent first signs in using Aadhaar authentication, then asks the customer waiting for a SIM for his Aadhaar number. The agent then does an Ekyc and finally an Aadhaar ESign to complete the process. The documents automatically get synced with the server.

Zero Paper work

If the customer has an Aadhaar number, there is zero paperwork needed. No more filling up of forms and pasting photographs. Even the bill, in case you are buying a WiFi device, comes via email.

Customers can walk in empty handed

No more photographs, signatures, or copies of identity and address proofs are required. The customer just needs to take that 12-digit Aadhaar number with him (not even the original or a photostat of the Aadhaar card is needed). The entire process gets completed using Aadhaar Ekyc and ESign via biometric.

Full regulatory compliance

Aadhaar Ekyc and Aadhaar ESign are fully compliant with regulators like RBI, SEBI, IRDA etc. So any enterprise can make use of them to simplify its process.

Safe sharing of Ekyc data for customers

Earlier, fraud occurred when people took mobile connections using copies of other people's identity and address proof documents, without those people getting to know about it. To counter this, secondary verifications were done by other agencies (over the phone or by a direct visit to the address) before a mobile connection was issued. As a result, activating a SIM card took days. With Ekyc and ESign, since no photocopies are used, it is tough for sales people to take a duplicate connection in your name.


Every enterprise wishes to have such an easy customer onboarding process. If you want this in your enterprise, please contact us. We are experts in Aadhaar related products and services like ESign, Ekyc, Authentication etc. Call us @ 0484 2388285 or email us at

Tuesday, August 30, 2016

How an Enterprise can start using Aadhaar ESign?

In this blog we are going to explain the possible options an enterprise has to start using ESign, and the pros and cons of each.

Aadhaar eSign is a Govt. of India approved digital signing service that uses the Aadhaar data of the Aadhaar holder to sign digital documents without using any other software. Financial organisations like banks, stock brokers, insurance companies etc. stand to make significant gains by implementing eSign solutions. With eSign these organisations will now be able to make full use of their web and mobile infrastructure for providing services to their customers.

The possible options are as below.

  • Becoming ASP (Application Service Provider) with one of the ESP
  • Subscribe for a SaaS service of Aadhaar ESign

Becoming ASP (Application Service Provider) with one of the ESP

Becoming an ASP (Application Service Provider) with one of the ESPs is the best option to enter the ecosystem. For this, the enterprise needs to have an ESign server that communicates with the ESP. This server needs to be audited by security auditors approved by the ESP. There will be multiple levels of integration, and the organisation needs to go through the process by either developing the ESign server on its own or purchasing it from a vendor like us, Finahub.

Pros / Cons
  • Purchasing a pre-audited ESign server from vendors will save time and money in onboarding cost
  • Your data resides on your server only, and you have full control over access to it.
  • Cost per sign will be cheaper.
  • Ideal for big volume customers like banks, NBFCs, micro finance companies etc.

Subscribe for a SaaS service of Aadhaar ESign

The second option is to go for an ESign SaaS service provider. Here the advantage is that you can start using it very fast. Just integrate the API of a vendor who is already an ASP, like us, Finahub, and you are ready to go live. But if you have big volumes of ESign transactions, it will be costly. Ideal for FinTech startups who want to make everything work online.

Pros / Cons
  • Easy to start using
  • Costly if you have big volume
  • Data resides with third party vendor

If you have any questions on Aadhaar ESign, feel free to reach us. We are experts in Aadhaar related products and services like ESign, Ekyc, Authentication etc. Call us @ 0484 2388285 or email us at

Tuesday, June 21, 2016

Now Aadhaar holders have the option to block their Aadhaar card

Did you know that an individual Aadhaar holder has the option to block his Aadhaar card? As the Aadhaar card is a voluntary card, it also enables Aadhaar holders to block or unblock their Aadhaar card data, including personal and biometric data. The option was introduced a while back following opposition from activists who stated that it did not give persons the choice to de-register once they enrolled. Individuals also have the option to update information in the Aadhaar card via the Aadhaar update portal or Akshaya centres.

A Constitution Bench led by Chief Justice H L Dattu had sought to know from Attorney General Mukul Rohatgi about the nature of Aadhaar cards prepared under the aegis of the Unique Identification Authority of India (UIDAI). “The making of the card is voluntary. Using the card is voluntary and not only this, a card holder can block it too. If a person wants to block the information about him contained in the biometric database, he can do it voluntarily and nobody will be able to unblock it. Such information will be locked till he wants,” the report quotes Rohatgi as saying.

The UIDAI, established by the UPA-2 in 2009, issues Aadhaar cards to citizens who want to use the government welfare schemes. Under the programme, every resident in India is provided with a 12-digit unique identification number for which biometric information is collected.

The blocking and unblocking can be done by the individual himself using URL . The feature respects the privacy of the individual and gives him full control over his personal information and his choice of when to use it or not. We, team Finahub, are experts in Aadhaar Ekyc, Authentication and Aadhaar E-Sign implementations. Feel free to contact us in case of any questions.

Ph: 0484 2388285, +91 9562162111

Saturday, May 21, 2016

How to secure your AngularJS application?

Securing an AngularJS application is always a concern for developers. Because AngularJS is a JavaScript framework, most of the work is done on the client side, so anyone viewing the source of the page can usually learn the business logic flow, security tokens, keys etc. unless you have taken care of it.

We at Finahub recently developed an Aadhaar ESign application which went through several rounds of security audits. We used AngularJS as the front end framework and did many things to make sure our application is secure in every aspect, so we thought of sharing our experience with fellow developers. Following are the security risks that may affect an Angular app and the solutions to each of them.

1. Cross Site Request Forgery


When a web server is designed to receive a request from a client without any mechanism for verifying whether it was intentionally sent by the authenticated user or not, then it might be possible for an attacker to trick a client into making an unintentional request to the web server which will be treated as an authentic intended request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.


The Angular framework has a built-in XSRF feature which can be used to prevent this.

The Angular $http service will do these things automatically:

  • Look for a cookie named XSRF-TOKEN on the current domain.
  • If that cookie is found, it reads the value and adds it to the request as the X-XSRF-TOKEN header.

Thus the client-side implementation is handled for you, automatically! But this does leave the server side pieces in your hands. You will need to do the following parts:

  • During login: create the CSRF token (with a random, un-guessable string), and associate it with the user session. You will need to send it on the login response as the XSRF-TOKEN cookie.
  • Assert that all incoming requests to your API have the X-XSRF-TOKEN header, and that the value of the header is the token that is associated with the user’s session.

This small backend work will protect your application from CSRF attacks.
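The two server-side pieces listed above, sketched in plain Node.js as an added example (not Finahub's code). The in-memory `sessions` map, the `SESSION` cookie name and the shape of the `req` object are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed in-memory session store: sessionId -> { user, csrfToken }.
const sessions = new Map();

// Login: create the session and a random, unguessable token tied to it.
// The XSRF-TOKEN cookie is deliberately not HttpOnly, because $http has
// to read it from script in order to copy it into the header.
function login(user) {
  const sessionId = crypto.randomBytes(32).toString("hex");
  const csrfToken = crypto.randomBytes(32).toString("hex");
  sessions.set(sessionId, { user, csrfToken });
  return {
    sessionId,
    setCookie: [
      `SESSION=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`,
      `XSRF-TOKEN=${csrfToken}; Path=/; Secure; SameSite=Lax`,
    ],
  };
}

// Per-request check for every API call. Returns the HTTP status to act on.
// Header names are lowercase here, as Node's http module delivers them.
function checkCsrf(req) {
  const session = sessions.get(req.sessionId);
  if (!session) return 401; // no authenticated session at all
  const sent = req.headers["x-xsrf-token"];
  if (typeof sent !== "string") return 403; // header missing
  const a = Buffer.from(sent);
  const b = Buffer.from(session.csrfToken);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return 403;
  return 200;
}
```

The token is compared against the value stored with the session, not against the cookie sent with the request, so a token issued to one session is rejected on any other.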

2. Improper Input Validation


If you are using the validation framework of AngularJS, you may well have this problem. JavaScript validations can be easily turned off, and people can submit unwanted content to input fields. This weakness leads to almost all of the major vulnerabilities in web applications, such as cross site scripting, SQL injection, interpreter injection, locale/Unicode attacks, file system attacks, and buffer overflows.


The only foolproof way to fix this is to do all input validations on the server side too. Angular's client-side validation is helpful for users, but since attackers may alter the JavaScript, we need to make sure nothing gets past the server-side validation.

3. Business flow Vulnerability


In an Angular application we normally control the process flow or business flow by showing or hiding sections of the page. This is very convenient for users, as it is very fast and requires no page reload. But attackers can easily alter the JavaScript to show or hide sections of the HTML page. They may also be able to skip various steps in a business flow and perform the final step directly. This is a serious security risk.


A server-side business flow check is a must to prevent this. The application must have checks in place ensuring that users complete each step in the process in the correct order, and must prevent attackers from circumventing any steps/processes in the workflow. Testing for workflow vulnerabilities involves attempting to execute the steps in the process in an inappropriate order.
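One way to enforce step order on the server, as an added example that is not Finahub's code. The three step names and the in-memory stores are hypothetical; the point is that the server, not the page, decides which step is allowed next.

```javascript
// Hypothetical three-step flow; the step names are assumptions for illustration.
const FLOW = ["verify_identity", "review_document", "sign_document"];

const progress = new Map(); // sessionId -> index of the next permitted step
const rejected = [];        // out-of-order attempts, kept for review or alerting

// Called by the API handler for each step submission. Returns the HTTP
// status to send plus, on success, whether the flow is now complete.
function submitStep(sessionId, step) {
  const idx = FLOW.indexOf(step);
  if (idx === -1) return { status: 400, error: "unknown step" };

  const next = progress.get(sessionId) ?? 0;
  if (idx !== next) {
    // Either a skipped step (idx > next) or a replay (idx < next).
    rejected.push({ sessionId, step, expected: FLOW[next] ?? null });
    const error = idx > next ? "earlier step not completed" : "step already completed";
    return { status: 409, error };
  }

  // The step's real work (payload validation, backend calls) belongs here,
  // before the session is allowed to advance.
  progress.set(sessionId, next + 1);
  return { status: 200, done: next + 1 === FLOW.length };
}
```

A client that hides or shows page sections on its own gains nothing: a direct call for the last step on a fresh session returns 409 and is recorded in `rejected`.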

4. Vulnerable JavaScript Library


Some older versions of the AngularJS JavaScript library are said to have reported vulnerabilities, e.g. version 1.2.29.


Make sure you are using the latest version of the AngularJS library.

We hope this blog was really helpful for making your Angular application secure. Feel free to get in touch with us via

Thursday, May 5, 2016

Digital signature: an introduction

We are starting a series about digital signatures and how organisations can take advantage of using them. This is our first article on this topic.

A digital signature is a mathematical scheme for ensuring the authenticity of a digital message or document. If a document is digitally signed, it ensures that it is signed by a specific person. The person who signed cannot deny the authenticity of the document. Usually, organizations keep their documents as papers which are signed by people with ink, or they save them digitally by scanning these papers.
In our country (India), digital signatures have legal validity, so they can be employed in many areas where signed documents are to be saved. Digital signatures can be effectively employed in customer onboarding, especially by companies in the financial sector. Please note that digital signatures are not valid in every scenario. To know more about where the digital signature can and cannot be used, please refer to our blog post.

Tuesday, May 3, 2016

World Bank wants to take Aadhaar Global

The real success of Aadhaar has got the attention of the World Bank. Aadhaar is being used for various subsidy programmes and is saving the government a lot of money.
Seeing and understanding the real benefits of a unique ID is making the World Bank advise other countries to come up with similar strategies. We see this as recognition for the Govt of India for this well-crafted idea and precise execution.

Key highlights of the Aadhaar ecosystem are as below.
  • More than one billion people have their Aadhaar now
  • Cost of issuing one Aadhaar ID was less than $1
  • Supports token-less authentication, anytime, anywhere
  • Saves approximately $1 billion (Rs 6500 crores) a year for the Indian government by reducing corruption and leakage
  • Every enterprise, both govt and private, can make use of the Aadhaar ecosystem.

Tuesday, March 29, 2016

Where digital signatures (including Aadhaar eSign) can and cannot be used?

In India, the Information Technology Act 2000 gives digital signatures legal validity as signatures on par with physical signatures. Digital signatures enable digitization of processes, making them more efficient and convenient for all parties involved. Until recently, digital signatures have been used by a very limited set of people for a very limited set of activities. This is because digital signatures have been seen as a complicated piece of technology that required the use of specialized software tools and processes for it to work. This has kept the technology from getting mass adoption even though it has immense potential.

All this is going to change with the advent of Aadhaar based eSign technology that enables any Aadhaar holder to do a digital signature without having to install any software or purchase any signature/certificate from a certifying agency. A digital signature can be placed on a document by just an Aadhaar authentication using biometric authentication methods or by OTP.  

This is a great opportunity for businesses in India to digitize their process and take advantage of the operational efficiency and cost effectiveness offered by using fully digital processes. Businesses will have to look at the processes that are ideally suited for the use of digital signatures without causing a legal fallout. This brings us to our question, are there cases in which digital signatures cannot be used?