Aadhaar Developer Track - My notes


Aadhaar Developer Track
Chandra Mohan’s Notes

Next Generation Service Delivery
Enabled by Aadhaar.

By Nasscom (National Association of Software and Services Companies)

-> Credentials
-> Biometric

Finance Inclusion platform - A+

Software (Client) –
Backend -
L1, Accenture and

Logistics :
India Post prints and delivers it.

Registrars :
State Govts, Banks and LIC etc
Enrolling Agents:
Testing and certification of these enrolling agents -> Sify
For Operator

Device testing and certification:
STQC - Standardization Testing and Quality Certification http://www.stqc.nic.in/

Portals driven by dynamic content.
Can be drilled down State Wise and then District wise, sub district wise and so on

Partner portal:
Login to view their own view.
Developer Portal:

Precision Infomatic (M) Pvt. Ltd.
Biometric Devices
Plug & Play UI enrollment kit
Metal box
Number lock
Fingerprint scanner -> 4 left, 4 right, 2 thumbs
IRIS Scanner -> Both eyes, first left and then right

MindTree developed client/website.

Photograph – Logitech Webcam
IRIS Scanner
Operator fingerprint before submission.

Up to 4 tries for fingerprint and iris; if none is acceptable, the best one of the 4 is taken. Avoids 10 or 15 scans per person.

Printer, scanner, UPS (at least 30 mins) are other mandatory requirements.

On submission, we get a PDF with the temporary ID. Actual UID gets sent by post to the user.

Other devices:
RF-based finger scan -> inner skin scan. In 1 yr a labourer's fingerprints get diluted; RF-based scanning can eliminate this problem.

Criminal detection system -> FBI
FS + IRIS -> check on internal memory and db; if not found, search using GPRS connection to other DBs configured.
Fingerprint scan results sent over Bluetooth.

APIs, Standards and Biometrics

No vendor lock-in
open standards as much as possible
open source technologies
performance metrics
strong end to end security

Data Standards
- Common - fingerprint, iris, voice
- Others like behavioral patterns -> gait, signature

Principle of biometric:
1. Immutability
2. Uniqueness

Iris: unique pattern -> 1024 digit number

Minutiae extracted from each fingerprint.
10 Fingerprints and 2 irises.

3 different biometric service providers
⇒ First Multi-ABIS system in world
⇒ Continuously monitor accuracy
⇒ Competition among vendors to improve accuracy and throughput.

Aadhaar Biometric Capture Device API:
If a device complies with the specification, it should work with any backend software.
Benefits of Approach:
Price has come down to 1/3rd because of these standards.
Under 1 Lakh now for complete kit.

Aadhaar Auth Device Spec
Aadhaar Auth API

No Vendor Lock In:
Multilanguage support.
Lots of eGovernment sites are in local language.
Resident/People can read/understand/make sense of the local language.
Data entry in local language is a challenge. Hence transliteration is used.

Aadhaar Authentication:
Enrollment client automatically detects the biometric devices. Not just the drivers.
Front end client software
2 options thought:
- one client which is used by all enrollment agents.
- each agent can develop their own client but sends the data to the server in the proper standard.
First option was selected –
- for quality – e.g. whether a fingerprint is not proper is decided consistently.
- for analytics
- User cross verification consistent feel

UID – why 12 digit?
Central system. Portable Identification number - works across the country. Looking at the number some information about person can be found.

SSN can be predicted by good algorithms knowing person’s place of birth and DOB. Studied US, China, Denmark etc.
Hence no Number scheme

11 digits for the random number. Last digit is Checksum. Can be locally checked if the 12-digit number provided is a possible Aadhaar number.

Checksum used is the Verhoeff algorithm. Available on the Aadhaar site. Public algorithm.

Aadhaar is a number through which you can contact a service provider for authentication.
combination of number + demographic + biometric verification.

Name, gender, DOB, Address are part of the demographic data.
Couple of optional fields – Mobile number, email
PIN and OTP (One-time PIN): Not sure what these are for or how they are used.

Based on application needs – you can send the fields for verification.
Just the name and UID can be sent to get a yes or no.
For more secure verification, one or more fingers can be sent, etc.
Authentication doesn’t specify which finger was sent. UID matches the finger against all 10 fingers.
If 2 fingers are sent, the 1st finger is matched against 10 fingers, the other finger is then matched against the 9 other fingers, and yes or no is returned.
It’s a SINGLE call though.

1 : billions on the db.
NOT available.
Enrollment – matches against billions of records though. That’s why you get the number after a month.

Response is always YES or NO.
Strategy – No data coming out of the system.

Device sensor and ergonomics of the device, how minutiae are captured from that data, etc. affect the YES or NO output. Hence ISO standards are specified for the devices.

Authentication Flow:
Biometric scan, data is packaged in XML format with data encoded/encrypted.
Transaction flow allows the data to be “HOP”ed.
CIDR – UID Data centers
UIDAI will be the regulatory authority managing a Central ID Repository (CIDR)

Sample App:
Java, C

Partial matches, Partial matches with tolerance, case sensitiveness can be controlled. Fuzzy match.

Reference code for each authentication check is kept for auditing purposes.

Other countries – addresses are matched or setup?
Near or Landmarks are important in India. This information is structured properly in UID.
1. Address not matching exactly. Spellings, abbreviations, etc. Can be with name too.
   a. Fuzzy comparison is now available.
2. How do you make sure the agents do not store the information and misuse it later?
   a. Yes or No only.

Complete specification is available on the CD.
XML Structure
Authentication XML (ver 1.5)
Fingerprint can be embedded as minutiae in ISO format.
Encrypt as per the UID Standard. (By device for biometric)
Authentication API Design
1. Stateless API
   a. XML over HTTP(S) – stateless.
2. Modalities
   a. Different data can be sent and can request partial match/fuzzy/full etc.
3. Transaction security and audit
4. Accommodates business model.

Data is decryptable only by CIDR (UID Data Center Server).
AUA can see the packet headers – if biometric is present or not.

Enrollment – batch process.
Authentication – easy to do each transaction. Complexity is in building the transactions around it.

Response Security
Auditable – did it come from UID? Man in the middle attack.
Response is digitally signed.
Necessary information for AUA to verify that it has come from the UID.

Biometric devices need not be calibrated.
Session key + Token – Information has to be entered again if the token expires.

public key specifications –
License key required for AUA. Developers don’t require unique key for registering.

Matching score is generated internally. If it’s above a threshold value, then the answer is generated. ???

For children of less than 5 yrs., parents info is mandatory as part of enrollment. For others it’s not mandatory. For e.g., wife of, daughter of, son of etc. can be added.

Brute force of checking the phone number – there is a system in place to check abuse. But there is no limit on the number of checks that can be made from an AUA.

No record is ever deleted. Update for death is possible.

Horizontal scaling
As gallery size increases, servers can be added to scale.

No authorization. Assurance level at least? NO

Form Factor evolution
LCD, eReader screen
Intel Compute Continuum Vision
Intel App-Up center/developer program

Mobile -> Key role in Aadhaar ecosystem.
1. Service transparency and record tracking
2. Proof of service entitlement
3. Authentication for consumer services.
   a. Journalism, Healthcare,

Transaction models.

Finance Inclusion Platform

NREGA – Employment
1/3 women
At least 100 days employment
Reduce migration from rural places to cities.

Apps that can be built on Aadhaar:
Financial inclusion
Rural area reach
Micro finances
Micro insurance
Access to online – offline facilities.
Vocational employment portals
Referral mechanism
Loyalty program for small businesses
Informal credit – kirana shops
Travel time for rural. Lose daily wage.
Information about patient can be shared to doctors they choose. Control to the consumer.
Background check - employment
Cost of awareness of UID

Identification System
Accident – with the biometric information, would be able to get the information about the person.

Ideas -
Background Check