In the wake of a report of an alleged breach of the Aadhaar database published in a newspaper last week, the Unique Identification Authority of India (UIDAI) has rolled out a new two-tier security process that will come into effect from June 1.
Aimed at eliminating the need to share and store Aadhaar numbers, the UIDAI has introduced the concept of a virtual ID, which an Aadhaar holder can use in lieu of his/her Aadhaar number at the time of authentication, besides sharing of ‘limited KYC’ with certain agencies.
“While it is important to ensure that Aadhaar number holders can use their identity information to avail many products and services, the collection and storage of Aadhaar numbers by various agencies has heightened privacy concerns,” a Ministry of Electronics and IT circular said.
The move follows a report in The Tribune that allegedly exposed a data breach in Aadhaar records.
A Virtual ID (VID) will be a temporary 16-digit random number mapped with the Aadhaar number. There can only be one active and valid VID for an Aadhaar number at any given time and it will not be possible to derive the Aadhaar number from VID, the circular said.
The VID authentication will be similar to using Aadhaar numbers. However, since a VID is temporary, agencies will not be able to use it for de-duplication.
Only an Aadhaar holder can generate a VID
Only the Aadhaar holder will be able to generate a VID and no other entity, including authentication user agencies (AUAs), can do it on their behalf. “While VID allows Aadhaar number holders to avoid sharing Aadhaar number, storage of Aadhaar number within various databases also needs to be further regulated,” the circular said.
To address the issue, the UIDAI has brought in the concept of limited KYC. It has categorised its AUAs into Global AUAs and Local AUAs, wherein the latter will get access to only need-based or limited KYC details. AUAs that are required by law to use Aadhaar numbers in their KYC will be categorised as Global AUAs and will have access to full e-KYC and the ability to store Aadhaar numbers within their systems.
“Once storage of Aadhaar number is restricted and since VID is temporary, agencies need a mechanism to uniquely identify their customers within their system,” the circular said. For this, a 72-character alphanumeric ‘UID Token’ will be generated for “system use”.
“UID token allows an agency to ensure uniqueness of its beneficiaries, customers etc. without having to store Aadhaar number in their databases,” the notification stated.
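The properties described in the circular can be modelled in a few lines. The following is an added sketch, not UIDAI's code or design: it shows a rotating 16-digit VID that cannot serve as a de-duplication key and a stable 72-character token that can. The class and function names, the keyed-hash token construction and the sample number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class VidRegistry:
    """Toy model of the identity authority's side (not UIDAI's implementation)."""

    def __init__(self):
        self._token_key = secrets.token_bytes(32)  # assumed secret held only by the authority
        self._active_vid = {}                      # ID number -> its single active VID
        self._vid_owner = {}                       # active VID -> ID number

    def generate_vid(self, id_number):
        """Issue a fresh random 16-digit VID; any earlier VID stops working."""
        old = self._active_vid.pop(id_number, None)
        if old is not None:
            del self._vid_owner[old]
        while True:
            # Random digits, so the VID carries no information about the ID number.
            vid = "".join(secrets.choice("0123456789") for _ in range(16))
            if vid not in self._vid_owner and vid != old:
                break
        self._active_vid[id_number] = vid
        self._vid_owner[vid] = id_number
        return vid

    def authenticate(self, vid):
        """Return a 72-character token for an active VID, or None otherwise."""
        id_number = self._vid_owner.get(vid)
        if id_number is None:
            return None
        # Assumed construction: keyed hash of the ID number, stable per holder.
        digest = hmac.new(self._token_key, id_number.encode(), hashlib.sha384).hexdigest()
        return digest[:72]


def demo():
    registry = VidRegistry()
    holder = "999900001111"               # constructed sample, not a real Aadhaar number
    vid1 = registry.generate_vid(holder)
    token1 = registry.authenticate(vid1)  # the agency stores only this token
    vid2 = registry.generate_vid(holder)  # the holder rotates the VID
    token2 = registry.authenticate(vid2)
    return {
        "vid_changed": vid1 != vid2,
        "old_vid_rejected": registry.authenticate(vid1) is None,
        "token_stable": token1 == token2,
        "token_len": len(token1),
    }
```

An agency that keys its records on the returned token recognises the same customer across VID rotations without ever holding the underlying number.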