Monday, May 22, 2017

How is a common API for registered biometric devices a game changer?


UIDAI is coming up with a new Authentication API, version 2.0, which supports registered devices. UIDAI plans to remove support for public devices in the near future and support only registered devices. Before looking at registered devices and the need for them, it is important to understand how public devices work.

Public devices are raw biometric capture devices that provide Aadhaar-compliant biometric data to the application, which in turn encrypts the data before using it for authentication. Currently, AUA/Sub-AUA applications manage the biometric capture user experience, any validation, and the encryption of the PID block. With public devices, providers may or may not supply easy-to-use libraries to application developers.

Several security measures are taken to ensure strong transaction security and end-to-end traceability even with public devices. These measures fall into two categories, prevention and traceability, and include deploying signed applications, host and operator authentication by the AUA, multi-factor authentication, resident SMS/email alerts on authentication, biometric locking, encryption and signing of sensitive data, and so on. Even with these measures in place, however, there remains a technical possibility of the biometric data being captured between the sensor device and the host machine if the device or the AUA's host machine is compromised.

Registered devices are designed to eliminate the use of stored biometrics. They provide three key additional features compared to public devices:

1. Device identification – every device has a unique identifier, allowing traceability, analytics, and fraud management.

2. Eliminating use of stored biometrics – biometric data is signed within the device using the provided key to ensure it was indeed captured live. The device provider's Device Driver must then form the encrypted PID block before returning it to the host application.

3. A standardized Device Driver supplied by certified device providers. This driver (exposed via an SDK/service) encapsulates the biometric capture, any user experience during capture (such as preview), and the signing and encryption of the biometrics, all within itself.

Following are the key facts regarding this approach.

1. Biometric data gets encrypted with the UIDAI certificate within the scanning device itself.
2. The client application can plug in any supported biometric device without a new integration effort.
3. Biometric device vendors can integrate against a single common API.
4. No one other than UIDAI can read the biometric data, as it is encrypted at the time of capture itself.
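
To make the registered-device flow concrete (feature 2 above and key facts 1 and 4), here is an added model written for this post, not UIDAI's API or any vendor's driver. It assumes a constructed device registry, uses HMAC-SHA256 as a stand-in for the device's asymmetric signature, and a SHA-256 counter-mode keystream with a shared `UIDAI_KEY` as a stand-in for encryption to UIDAI's public certificate; the point it shows is that the host application only ever handles a sealed block it cannot read, and that a block not signed by a registered device is rejected.

```python
import hashlib
import hmac
import os

# Constructed keys for the model. UIDAI_KEY stands in for UIDAI's certificate:
# the real scheme encrypts the PID block to a public key, here it is a shared secret.
UIDAI_KEY = b"constructed-uidai-side-secret"
DEVICE_REGISTRY = {"DEV-0001": b"constructed-device-key-0001"}  # device id -> signing key


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """SHA-256 counter-mode keystream (model only, not UIDAI's cipher); XOR is symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal_on_device(device_id: str, device_key: bytes, raw_biometric: bytes) -> dict:
    """Runs inside the registered device. Sign first (live-capture proof bound to the
    device id), then encrypt to UIDAI, so the host application only sees this sealed block."""
    sig = hmac.new(device_key, device_id.encode() + raw_biometric, "sha256").hexdigest()
    nonce = os.urandom(16)
    ciphertext = keystream_xor(UIDAI_KEY, nonce, raw_biometric)
    return {"device_id": device_id, "nonce": nonce.hex(), "pid": ciphertext.hex(), "sig": sig}


def verify_at_uidai(block: dict):
    """Runs at UIDAI. Returns the biometric only if the device is registered and the
    signature proves these exact bytes came from that device; otherwise None."""
    device_key = DEVICE_REGISTRY.get(block["device_id"])
    if device_key is None:
        return None  # unregistered device: no traceability, reject
    raw = keystream_xor(UIDAI_KEY, bytes.fromhex(block["nonce"]), bytes.fromhex(block["pid"]))
    expected = hmac.new(device_key, block["device_id"].encode() + raw, "sha256").hexdigest()
    return raw if hmac.compare_digest(expected, block["sig"]) else None


def forged_block_without_device_key(stored_biometric: bytes) -> dict:
    """Models a compromised host submitting a stored template: it can encrypt to UIDAI,
    but holds no device key, so it cannot produce a valid device signature."""
    nonce = os.urandom(16)
    ciphertext = keystream_xor(UIDAI_KEY, nonce, stored_biometric)
    return {"device_id": "DEV-0001", "nonce": nonce.hex(), "pid": ciphertext.hex(), "sig": "00" * 32}


if __name__ == "__main__":
    sample = b"constructed-fingerprint-template-bytes"  # constructed sample, not real data
    sealed = seal_on_device("DEV-0001", DEVICE_REGISTRY["DEV-0001"], sample)
    print("host can read template:", sample in bytes.fromhex(sealed["pid"]))
    print("UIDAI accepts live capture:", verify_at_uidai(sealed) == sample)
    print("UIDAI accepts forged block:", verify_at_uidai(forged_block_without_device_key(sample)) is not None)
```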

In short, the purpose of making registered devices mandatory is to bring more security and trust to the UIDAI ecosystem. All current AUAs/KUAs need to upgrade their software to the latest API version. We, Finahub, are experts in Aadhaar-related products and services such as eSign, eKYC, and Authentication. If you want to know how your enterprise can start using it, please give us a call @ 0484 2388285 or email us at [email protected]