Part 2 of 3 in the Offline Aadhaar (Aadhar) KYC Series.
What is the Aadhaar XML and the Share Code?
As described in Part 1 of this series, an Aadhaar XML file is generated from the UIDAI website after the resident provides relevant information online. This file is digitally signed by the UIDAI, which means the UIDAI is attesting the fact that the file was generated from its systems and is an authentic one. The downloaded file is compressed in the format of a “.zip” file and a password (in the form of the “Share Code”) is required to open up the .zip file to reveal the .XML file it encapsulates. Once the “share code” is provided, the .zip file extracts to reveal the resident’s Aadhaar XML file.
Think of this as the ATM “card and PIN” pair that you would use at an ATM. The “.zip” file is the ATM card and the “share code” is the PIN. A resident would need to use them together to use the Aadhaar XML file.
In addition to the share code, the resident will also need to provide their registered email and phone number to verify their identity with a service provider (SP) or a business correspondent (BC), but more on that later.
A replicable Digitally Signed file v/s an Aadhaar card with biometrics
Now the resident has a digital Aadhaar XML file for their identity and this file is stored on their local computer (or mobile device). This file, just like any other digital file such as a music MP3 or a Word document, can be easily copied and replicated. There is no limit to the number of copies one can make of their Aadhaar XML file.
Offline Aadhaar Verification v/s Online Aadhaar Authentication
Central to our discussion is the subtle difference that UIDAI brought about in the discourse around Aadhaar-based identity: that of verification versus authentication. How critical could this simple change of definition get?
Identity verification takes place when a resident provides an identification instrument to prove who they are. In the case of Offline Aadhaar verification, the resident would provide the service provider with their Offline Aadhaar .zip file along with their share code, which the service provider will use to extract the XML file. After the file is extracted, the resident has to provide the service provider with their registered email and their phone number, which the service provider will use to “validate the hash”, that is, confirm the hashed values of this demographic information as stored in the resident’s Aadhaar XML file. Once shared with a service provider, none of the three identification parameters of the resident, namely (a) the share code, (b) the email address and (c) the mobile phone number, remains a secret held only by the resident, and this is key. If the system cannot ensure the secrecy of vital verification information, it exposes itself to misuse and remains vulnerable.
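The “validate the hash” step described above, sketched as an added example (not code from this post or from UIDAI). It assumes the XML carries iterated SHA-256 hashes of mobile + share code and email + share code in the `m` and `e` attributes of a `Poi` element, with the round count taken from the fourth digit of `referenceId`; those names, the rule and every sample value are assumptions constructed for illustration. Note that the check takes as input only the file and the values the resident has handed over.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET  # for untrusted files prefer defusedxml

def kyc_hash(value: str, share_code: str, rounds: int) -> str:
    """Iterated SHA-256 over value + share code (assumed scheme)."""
    digest = value + share_code
    for _ in range(max(1, rounds)):
        digest = hashlib.sha256(digest.encode("utf-8")).hexdigest()
    return digest

def rounds_from_reference_id(reference_id: str) -> int:
    # Assumption: referenceId starts with the last 4 Aadhaar digits and the
    # 4th digit sets the round count, with 0 treated as a single round.
    return max(1, int(reference_id[3]))

def verify_contact(xml_text, share_code, mobile=None, email=None) -> dict:
    """Return True/False per field, or None when there is nothing to compare.
    Signature verification of the XML is a separate step, not shown here."""
    root = ET.fromstring(xml_text)
    rounds = rounds_from_reference_id(root.attrib["referenceId"])
    poi = root.find(".//Poi")
    results = {}
    for label, attr, claimed in (("mobile", "m", mobile), ("email", "e", email)):
        stored = poi.attrib.get(attr, "") if poi is not None else ""
        if claimed is None or not stored:
            results[label] = None
            continue
        computed = kyc_hash(claimed, share_code, rounds)
        results[label] = hmac.compare_digest(computed, stored.lower())
    return results

# Constructed sample values; none of these belong to a real resident.
SHARE_CODE, MOBILE, EMAIL = "4821", "9000000001", "resident@example.com"
REF_ID = "123420190305101526743"  # "1234" + timestamp, so 4 rounds

def build_sample() -> str:
    r = rounds_from_reference_id(REF_ID)
    return (f'<OfflinePaperlessKyc referenceId="{REF_ID}"><UidData>'
            f'<Poi name="Constructed Resident" '
            f'm="{kyc_hash(MOBILE, SHARE_CODE, r)}" '
            f'e="{kyc_hash(EMAIL, SHARE_CODE, r)}"/>'
            f'</UidData></OfflinePaperlessKyc>')

if __name__ == "__main__":
    print(verify_contact(build_sample(), SHARE_CODE, MOBILE, EMAIL))
    print(verify_contact(build_sample(), SHARE_CODE, "9000000002", EMAIL))
```

Because the result depends only on the file, the share code and the two contact values, a verifier that retains them can repeat the check at any time, so they warrant the same storage protections as any other credential material.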
Let’s now contrast this with online Aadhaar authentication, which involved the resident furnishing their Aadhaar card (in original or photocopy) and then providing their biometric information to authenticate their identity against the “true copy” residing on UIDAI’s Central Identities Data Repository (CIDR). The result of this process was binary: either “authenticated” or “failed authentication”. At no point did the resident provide their “identity kit” to the service provider because it is impossible to replicate the resident’s biometrics to be stored by the service provider.
Offline Aadhaar prohibits the sharing of any data related to the offline Aadhaar XML file, making service providers liable for action under Sections 17 and 25 of The Aadhaar (Authentication) Regulation, 2016, Sections 4 and 6 of The Aadhaar (Sharing of Information) Regulation, 2016 and Sections 29(2), 29(3) and 37 of The Aadhaar Act, 2016. But it offers no guarantee against loss of data due to an unintentional security breach at the service provider’s end.
Apart from the numerous assumptions one needs to make, two key impediments to this method stand out:
- Prerequisite of a Technologically Adept User: At both the resident’s and the service provider’s end, users of offline Aadhaar verification will have to be adept at handling the technical sophistication required to understand the mechanics of, and operate, an XML-file-enabled authentication system. There are plenty of open questions, right from the mode of transfer of the Offline Aadhaar .zip file from the resident to the service provider to the method of performing hash verification of the resident’s XML file.
- Service Provider’s Database – Case of the Weakest Link: Finally, there is no guarantee that a resident’s Aadhaar XML and the “Share Code” will not be compromised from a service provider’s databases. Malicious agents have broken into significantly more secure establishments and nothing prevents them from training their eyes on the lucrative possibility of siphoning off large numbers of digital identities from unsophisticated and insecure guardians of personal identity.
Most service providers have outsourced their identity verification process to business correspondents (BC), which means residents now have to share their offline Aadhaar identity kit with entities that do not have stringent protocols to secure residents’ data.
In the third and concluding blogpost of this series, we will examine the risk of data proliferation and false identities that arise out of this phenomenon and how this could potentially impact the government’s ambitious financial inclusion programs and, crucially, national security.
This post first appeared on Aadhaar EKYC Authentications By RBI Regulated Entities.