Aadhaar Developer Track
Chandra Mohan’s Notes
Next Generation Service Delivery
Enabled by Aadhaar.
By Nasscom (National Association of Software and Services Companies)
Finance Inclusion platform - A+
Software (Client) –
L1, Accenture and
India Post prints and delivers it.
State Govts, Banks and LIC etc
Testing and certification of these enrolling agents -> Sify
Device testing and certification:
STQC - Standardization Testing and Quality Certification http://www.stqc.nic.in/
Portals driven by dynamic content.
Can be drilled down State Wise and then District wise, sub district wise and so on
Login to view their own view.
Precision Infomatic (M) Pvt. Ltd.
Plug & Play UI enrollment kit
Finger Print (FINGERPRINT) Scanner -> 4 Left, 4 Right, 2 Thumbs
IRIS Scanner -> Both eyes, first left and then right
MindTree developed client/website.
Photograph – Logitech Webcam
Operator FINGERPRINT before submission.
4 tries for FINGERPRINT and IRIS and then takes the best one of the 4 if none are acceptable. Avoid 10 or 15 scans per person.
Printer, scanner, UPS (at least 30 mins) are other mandatory requirements.
On submission, we get a PDF with the temporary ID. Actual UID gets sent by post to the user.
RF-based finger scan -> inner skin scan. In 1 yr, a labourer's fingerprints get diluted. RF-based scanning can eliminate this problem.
Criminal detection system -> FBI
FS + IRIS -> check on internal memory and db; if not found, search using GPRS connection to other DBs configured.
Bluetooth based FINGERPRINT scanning results sending.
APIs, Standards and Biometrics
No vendor lock-in
open standards as much as possible
open source technologies
strong end to end security
- Common - FINGERPRINT, Iris, voice,
- Others like behavioral patterns -> Gait, signature
Principle of biometric:
Iris: unique pattern -> 1024 digit number
Minutiae extracted from each fingerprint.
10 Fingerprints and 2 irises.
3 different biometric service providers
⇒ First Multi-ABIS system in world
⇒ Continuously monitor accuracy
⇒ Competition among vendors to improve accuracy and throughput.
Aadhaar Biometric Capture Device API:
If devices comply with specifics it should work with any backend software.
Benefits of Approach:
Price has come down to 1/3rd because of these standards.
Under 1 Lakh now for complete kit.
Aadhaar Auth Device Spec
Aadhaar Auth API
No Vendor Lock In:
Lots of eGovernment sites are in local language.
Resident/People can read/understand/make sense of the local language.
Data entry in local language is a challenge. Hence transliteration is used.
Enrollment client automatically detects the biometric devices. Not just the drivers.
Front end client software
2 options thought:
- one client which is used by all enrollment agents.
- each agent can develop their own client but sends the data to the server in the proper standard.
First option was selected –
- for quality – e.g. whether a fingerprint is not proper is decided consistently.
- for analytics
- User cross verification consistent feel
UID – why 12 digit?
Central system. Portable Identification number - works across the country. Looking at the number some information about person can be found.
SSN can be predicted by good algorithms knowing person’s place of birth and DOB. Studied US, China, Denmark etc.
Hence no Number scheme
11 digits for the random number. Last digit is Checksum. Can be locally checked if the 12-digit number provided is a possible Aadhaar number.
Checksum used is the Verhoeff algorithm. Available on the Aadhaar site. Public algorithm.
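The local check described above, written out as an added example (not code from the talk or from UIDAI): the standard public Verhoeff tables applied to an 11-digit payload plus one check digit. The function names and the sample payload are constructed for illustration; passing the check only means the number is well-formed, not that it was ever issued.

```python
# Added example: Verhoeff check over a 12-digit number (11 digits + 1 check digit).
# Tables: D5 dihedral-group multiplication, position permutation, inverse.
D = ["0123456789", "1234067895", "2340178956", "3401289567", "4012395678",
     "5987604321", "6598710432", "7659821043", "8765932104", "9876543210"]
P = ["0123456789", "1576283094", "5803796142", "8916043527",
     "9453126870", "4286573901", "2793806415", "7046913258"]
INV = "0432156789"


def _fold(digits, start):
    """Run the Verhoeff accumulator right-to-left, first position index = start."""
    c = 0
    for i, ch in enumerate(reversed(digits), start):
        c = int(D[c][int(P[i % 8][int(ch)])])
    return c


def check_digit(payload):
    """Check digit to append to the payload digits."""
    return INV[_fold(payload, 1)]


def is_possible_aadhaar(text):
    """True if text is 12 ASCII digits (spaces allowed) with a valid check digit."""
    digits = text.replace(" ", "")
    if len(digits) != 12 or not (digits.isascii() and digits.isdigit()):
        return False
    return _fold(digits, 0) == 0


def undetected_typos(number):
    """Count single-digit substitutions and adjacent swaps that still validate."""
    variants = set()
    for i, ch in enumerate(number):
        for d in "0123456789":
            if d != ch:
                variants.add(number[:i] + d + number[i + 1:])
        if i + 1 < len(number) and number[i + 1] != ch:
            variants.add(number[:i] + number[i + 1] + ch + number[i + 2:])
    return sum(is_possible_aadhaar(v) for v in variants)


if __name__ == "__main__":
    payload = "23456789012"              # constructed sample, not a real number
    number = payload + check_digit(payload)
    print(number, is_possible_aadhaar(number), undetected_typos(number))
```

Every single-digit typo and every swap of two adjacent digits is caught locally, so a form can reject mistyped numbers before any authentication request is sent.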
Aadhaar is a number through which you can contact the service provider for authentication.
combination of number + demographic + biometric verification.
Name, gender, DOB, Address are part of the demographic data.
Couple of optional fields – Mobile number, email
PIN and OTP (One-time PIN): Not sure what these are for or how they are used.
Based on application needs – you can send the fields for verification.
Just the name and UID can be sent to get a yes or no.
For more secure verification, one or more fingers can be sent, etc.
Authentication doesn’t specify which finger was sent. UID matches the finger against all 10 fingers.
2 fingers sent, 1st finger matched against 10 fingers, the other finger then matches against 9 other fingers and returns yes or no.
IT’S a SINGLE call though.
1 : billions on the db.
Enrollment – matches against billions of records though. That’s why you get the number after a month.
Response is always YES or NO.
Strategy – No data coming out of the system.
Device sensor and ergonomics of the device, how minutiae are captured from that data etc. affect the YES or NO output. Hence ISO standards specified for the devices.
Biometric scan, data is packaged in XML format with data encoded/encrypted.
Transaction flow allows the data to be “HOP”ed.
CIDR – UID Data centers
UIDAI will be the regulatory authority managing a Central ID Repository (CIDR)
Partial matches, Partial matches with tolerance, case sensitiveness can be controlled. Fuzzy match.
Reference code for each authentication check is kept for auditing purposes.
Other countries – addresses are matched or setup?
Near or Landmarks are important in India. This information is structured properly in UID.
1. Address not matching exactly. Spellings, abbreviations, etc. Can be with name too.
a. Fuzzy Comparison is now available.
2. How do you make sure the agents do not store the information and misuse it later?
a. Yes or No only.
Complete specification is available on the CD.
Authentication XML (ver 1.5)
Fingerprint can be embedded as minutia ISO format.
Encrypt as per the UID Standard. (By device for biometric)
Authentication API Design
1. Stateless API
a. Xml over HTTP(S) – stateless.
a. Different data can be sent and can request for partial match/fuzzy/full etc.
3. Transaction security and Audit
4. Accommodates business model.
Data is decrypt-able only by CIDR (UID Data Center Server).
AUA can see the packet headers – if biometric is present or not.
Enrollment – batch process.
Authentication – easy to do each transaction. Complexity is in building the transactions around it.
Auditable – did it come from UID? Man in the middle attack.
Response is digitally signed.
Necessary information for AUA to verify that it has come from the UID.
Biometric devices need not be calibrated.
Session key + Token – Information has to be entered again if the token expires.
public key specifications –
License key required for AUA. Developers don’t require unique key for registering.
Matching score is generated internally. If it’s above a threshold value, then the answer is generated. ???
For children of less than 5 yrs., parents’ info is mandatory as part of enrollment. For others it’s not mandatory. For e.g., wife of, daughter of, son of etc. can be added.
Brute force of checking the phone number – there is a system in place to check abuse. But there is no limit on the number of checks that can be made from an AUA.
No record is deleted ever. Updated for death possible.
As gallery size increases, servers can be added to scale.
No authorization. Assurance level at least? NO
SESSION 2 on APPS for UID
Form Factor evolution
LCD, eReader screen
Intel Compute Continuum Vision
Intel App-Up center/developer program
Mobile -> Key role in Aadhaar ecosystem.
1. Service transparency and record tracking
2. Proof of service entitlement
3. Authentication for consumer services.
a. Journalism, Healthcare,
Finance Inclusion Platform
NREGA – Employment
At least 100 days employment
Reduce immigration from rural places to cities.
Apps that can be built on Aadhaar:
Rural area reach
Access to online – offline facilities.
Vocational employment portals
Loyalty program for small businesses
Informal credit – kirana shops
Travel time for rural. Lose daily wage.
Information about patient can be shared to doctors they choose. Control to the consumer.
Background check - employment
Cost of awareness of UID
Accident – with the biometric information, would be able to get the information about the person.