Aadhaar Getting Additional Security Layer
Will the New Steps Prove Effective? Security Experts Weigh In
To address growing concerns about Aadhaar, the Unique Identification Authority of India, which administers the ID program, is taking two key steps to add a layer of security. But some observers are already questioning whether the move will prove effective.
UIDAI is introducing a Virtual ID, or VID: a temporary, 16-digit number that Aadhaar holders can use for authentication in place of their Aadhaar number. It's also introducing a UID Token, a 72-character alphanumeric string that all entities can use to help ensure the uniqueness of their customers.
Some security experts, however, question whether the two new methods can be made hack-proof. They argue, for example, that unless the virtual or token ID is dynamically generated and has restrictions on its validity period, ensuring security could prove difficult.
"The creation of virtual ID is certainly an improvement in the security of Aadhaar, quite similar to virtual credit card numbers for online transactions," says Delhi-based security practitioner Sriram Natarajan, COO and former chief risk officer at Quattro, a BPO company.
"However, hackers can create a virtual ID too. Once they figure out the algorithm being used - if they can see a virtual number that relates to an Aadhaar number - it may be possible to generate a virtual number."
The best way to ensure security, he argues, "would be if UIDAI keeps it as a dynamic virtual number for each new transaction."
UIDAI has taken this initiative to add security layers to its identification system in response to recent reports of a breach of the Aadhaar biometric database through unauthorized access, as well as other breach incidents (see: Aadhaar Security: How to be Fixed?). UIDAI, however, issued a note saying that there was no breach of the Aadhaar biometric database.
UIDAI did not respond to ISMG's query on the new security initiative.
Authenticating Through VID, UID Token
The Virtual ID will be a temporary, revocable 16-digit random number mapped to the user's Aadhaar number and its associated biometrics. Authentication with a VID returns only limited details, such as name, address and photograph, which are sufficient for verification. This gives users the option of not sharing their Aadhaar number during authentication.
According to a note from Yashwant Kumar, assistant director general, UIDAI, "The last digit of the VID is the checksum using 'Verhoeff' algorithm as in the Aadhaar number, and there will be only one active and valid VID for an Aadhaar number at any given time."
Because the VID is temporary, it cannot be used by agencies for de-duplication. It is also revocable, and the Aadhaar number holder can replace it with a new one after the minimum validity period set by UIDAI policy, he says.
UIDAI will accept VIDs starting March 1. Effective June 1, it will be compulsory for all agencies undertaking authentication to accept Virtual ID from their users.
Tokens for Better Security
UIDAI's new UID token is similar to tokenization in the payment industry: a unique identifier stands in for the sensitive value, so entities retain the essential information they need without holding the underlying number.
Because the VID is a temporary number, entities need a mechanism to uniquely identify their customers within their own systems, Kumar says. To let these entities establish the uniqueness of customers, UIDAI will return a unique UID token in its response to an authentication request.
Responding to UIDAI's two latest moves, Nandan Nilekani, former chairman of UIDAI, tweeted that Aadhaar is here to stay and that UIDAI has launched the new security layer in the spirit of continuous innovation.
#Aadhaar is here to stay! Happy that the @UIDAI has introduced virtual ID and limited KYC in the spirit of continuous innovation to enhance privacy and security. https://t.co/EyWGB2KiK5
— Nandan Nilekani (@NandanNilekani) January 10, 2018
The Reaction
Although some security practitioners echo the sentiment that the two steps are an enhancement in security, they caution that the moves won't be effective in fighting against hacking unless they are properly implemented. Plus, they say UIDAI could face huge operational challenges.
Dr. N. Rajendran, chief technology officer, National Payments Corporation of India, says that UIDAI is launching an approach similar to the tokenization used in the payment card industry. "However, to make tokenization and VID mainstream, implementing end-to-end encryption to secure data during transit or at the access point is crucial for improving security and preventing breaches," he says.
The challenge, he says, could lie in implementing the VID system, building awareness around its use and ensuring the security of the Aadhaar data.
Some security practitioners say that it's unclear how the new security layer will work.
"While perhaps not completely hack-proof, the tokenization and VID system calls for a multifactor authentication mechanism at the organizational level and a dynamic factor biometric authentication system is required to prevent unauthorized access to the Aadhaar data," Rajendran says.
The process will increase the processing time of transactions, which could pose operational challenges, Natarajan contends.
As to whether the VID and token approach is fool proof, Natarajan says, "It should be dynamic virtual ID generation and the tokenization should be such that only UIDAI has the decrypting keys. These virtual IDs should be random and valid only for a day for a particular transaction."
Dr. Rakesh Goyal, CERT-In empanelled auditor and CEO of Sysman Computers Pvt. Ltd., contends that the VID and token system may not be completely foolproof because the VID is to be generated using the current authentication mechanisms, either biometric or one-time password. The user will generate it at the UIDAI portal or in the mAadhaar mobile app, either at home or at an Aadhaar Enrolment Center.
"UIDAI needs to create intense awareness to ensure that AEC and mAadhaar app transactions are safe for authentication purposes," Goyal says.
To avoid any ambiguity, UIDAI needs to provide complete details of the security architecture and encryption used during VID implementation, says K. K. Mookhey, founder and CEO at Network Intelligence.