How to implement Aadhaar Data Vault without using HSM based tokenization?

In accordance with the UIDAI circular 11020/205/2017, any organisation that stores Aadhaar number in their database should implement Aadhaar Data Vault and replace the Aadhaar numbers using the reference tokens created by the Aadhaar Data Vault. The Aadhaar number and the XML returned by UIDAI as part of Aadhaar authentication/eKYC call will have to be stored in the encrypted format and the access to the Aadhaar Data Vault will have to be strictly controlled. The encryption keys should be stored in a Hardware Security Module.   This is the crux of the reference id circular published by UIDAI, for more details please follow the link given above.

Now the question is how do you implement Aadhaar Data Vault in an organisation that is storing Aadhaar numbers without using HSM based tokenization solution which can be very costly?

Aadhaar Verification Through Face Recognition

As a move intended to offer major relief to older people whose fingerprints and irises are unclear, aadhaar will now allow face recognition along with biometrics. The decision comes after the Unique Identification Authority of India's attempt to address privacy concerns by offering the option of creating virtual IDs that cover the actual unique identification number of a user during an UID-authenticated transaction. 

How to fetch your Aadhaar Authentication details?

As Aadhaar contains critical information, account holders are worried about the safety of their data as any misuse of details can prove a danger for the lifetime. Hence, it is vital to check the authentication of any website before submitting the Aadhaar details. The online tool, called 'Aadhaar Authentication History', enables Aadhaar holders to view their authentication details and access their Aadhaar Authentication History (Notifications) data. Using this tool, a user can access a variety of information such as Auth Type (Method of Aadhaar Authentication), Transaction ID ( Unique Aadhaar transaction ID at the time of request) and Error Code (Aadhaar authentication failure code), Authentication Response ("Y" - Success. "N" - Failure), Time and Date of Authentication, and Response Code.     

Now its easy to retrieve your lost Aadhaar ID

Have you applied for Aadhaar but have not received it yet? Or have you misplaced your Aadhaar card? Now you can actually request the UIDAI to send the information to your registered mobile number.  UIDAI has provided a tool that enables Aadhaar holders/applicants to retrieve the UID (Unique Identity Number). An Aadhaar applicant who has submitted his or her Aadhaar application or an Aadhaar cardholder can use the UIDAI portal to retrieve the UID on their registered mobile number. The only thing you should have is the registered mobile number which is active or email id that provided while the time of enrolment of Aadhaar card.

All you need to know about Aadhaar Data Vault

Recently there have been numerous instances of Aadhaar data being exposed online by various agencies. Over 130 millions aadhaar data and bank account details leaked from the government website. According to aadhaar regulations sharing, circulating or publishing of aadhaar number is restricted. To enhance the security of Aadhaar numbers, UIDAI has introduced the “Aadhaar Data Vault". Aadhaar Data Vault is a centralized storage for all the Aadhaar numbers collected by the AUAs/KUAs/Sub-AUAs/ or any other agency for specific purposes. It is a secure system accessible only on a need to know basis. The Aadhaar data vault consists of reference key, which is a unique token to represent the Aadhaar number in the entire internal ecosystem of the agency. Mapping of reference key and Aadhaar number is to be maintained in the Aadhaar Data Vault. The primary objectives of aadhaar data vault are reducing the footprinting of aadhaar number, preventing 360 profiling of residents, ceasing the usage of aadhaar number as the domain-specific identifier. The course of action for implementation of aadhaar data vault is given below.

As an AUA/KUA, which Aadhaar regulations can get you into trouble?

Recently UIDAI introduced a list of aadhaar regulations and agreement that a KUA/AUA should not violate. Violating these regulations and agreements will make a fine of 1 lakh per day. If you violate the first warning then after the 15 days of the first contravention it will increase to 2 lakh and then to 3 lakh per day.

The major regulations that company registered as AUA/KUA should take care of is as follows. A requesting entity should obtain the permission of the aadhaar holder for the authentication by means of physical or preferably in electronic form and should maintain logs or records. A requesting entity should capture the biometric information of the Aadhaar number holder and necessarily encrypt and secure the biometric data at the time of capture. All devices and equipment used for authentication should be certified and the client applications software used by requesting entity for the purpose of authentication should conform to the standard APIs and specifications laid down by the Authority from time to time for this purpose.

So here we give the detailed list of regulations and agreements. Click here

For more information contact us.

We, Finahub, are experts in Aadhaar related products and services like eSign, eKYC, Authentication etc. If you want to know how your enterprise can start using it, please give us a call  @ 0484 2388285 or email us at info@finahub.com

Updated UIDAI regulations for appointment of Sub-AUA by AUA

Recently UIDAI made a notification that all AUAs should take permission before the appointment of an entity as Sub-AUA. AUAs which have already appointed SUB-AUA are also required to submit their request for appointment of an entity as SUB-AUA. An application form should be filled by both AUA and SUB-AUA. All the details should be verified and declared by AUA and SUB-AUA. AUA and Sub AUA would be liable for non-compliance with the Aadhaar Act, 2016 and for penalties as per the schedule of disincentives of AUA agreement.

AUA and SUB-AUA should affirm, declare and undertake the following conditions,