UIDAI is introducing a new Authentication API, version 2.0, which will support registered devices. UIDAI plans to remove support for public devices and to support only registered devices in the near future. Before looking at registered devices and why they are needed, it is important to understand how public devices work.
Public devices are raw biometric capture devices that provide Aadhaar-compliant biometric data to the application, which in turn encrypts the data before using it for authentication. Currently, AUA/Sub-AUA applications manage the biometric capture feedback user experience, any validation, and encryption of the PID block. With public devices, providers may or may not supply easy-to-use libraries to application developers. Several security measures are taken to ensure strong transaction security and end-to-end traceability even with public devices. These measures fall under prevention and traceability. They include deploying signed applications, host and operator authentication by the AUA, use of multi-factor authentication, resident SMS/email alerts on authentication, biometric locking, encryption/signing of sensitive data, and so on. Although these measures are in place for public devices, it remains technically possible for biometric data to be captured between the sensor device and the host machine if the AUA's device or host machine is compromised.