The decision on the constitutionality of Aadhaar1 by the Supreme Court remains a matter of speculation, but it has become abundantly clear that most of the use cases for Aadhaar-based biometric authentication (ABBA) have turned out to be deeply problematic. That the use of biometrics as an authentication factor is conceptually flawed has been pointed out by many (Agrawal et al. 2017). Biometrics are not secret information (a fingerprint is left on every surface one touches, and a face or iris can be photographed), so a captured sample can be replayed, and they are hence open to fraud. Further, the uncertainties in biometric matching, because of decision-making using a threshold score2 which may lead to false negatives (referred to as “probabilistic” by the petitioners in the Supreme Court), may cause exclusion and denial of rights in welfare schemes (Drèze et al. 2017, Abraham et al. 2018, Kotwal and Ramaswami 2018). The requirement of reliable online connectivity compounds the problem.
In fact, the State’s assurance that ‘nobody will be denied their entitlements because of biometric matching failure’ does not pass muster. It is vacuous because there is no clear specification as to when the promise will apply and how such a false-negative set can be distinguished from the spurious attempts. Biometrics may only be good for de-duplication3, and can perhaps also be used for identity verification under strict adversarial oversight. The latter use will require carefully designed protocols to deal with the false negative cases, and this can perhaps only be done at special centres where the required decision-making expertise may be available.
Poor understanding of the identity instruments, broken processes, imprecise articulation of the objectives, and most importantly, lack of clear understanding of the trust model of authentication, authorisation, and accounting (AAA) have led to confusion and large-scale social mistrust. In this post, we outline the tentative design sketch of an alternate offline protocol, with digitisation and identity verification objectives similar to ABBA, which may satisfy more correctness properties and yet be free of the problems discussed above.
Trust model for the old-fashioned identity card
Consider the traditional identity card that contains a name, a photograph, and a few other details, and is typically used for identity verification. Common examples for general use, for instance, to prove one’s identity for train travel in India, are the ration card, driving license, passport, voter ID card, PAN (permanent account number) card, cards issued by schools, colleges or government institutions, and even ‘Aadhaar card’.
In the use of identity
It would appear that the trust model of the identity card is straightforward to analyse, and it ought to be easy to define appropriate, sensible, and non-vacuous use cases based on it when the stakes are low. However, one is forced to wonder why exactly such identity cards are checked for admittance into government offices or hotels. Does anyone really expect that a person, whether genuine or an imposter, will deliberately present an identity card on which the name does not match the one declared, or the photograph does not match the face? And why would a corporate tech giant accept a false order against ‘cash on delivery’ (Pahwa 2018) on the strength of an uploaded Aadhaar card image that can be easily faked?
KYC (Know Your Customer) based on the submission of (self-)attested photocopies of such documents has an identical trust model. It does serve the additional purpose of record-keeping and accounting, though whether a handful of telecom companies can feasibly index and reliably maintain paper copies of the KYC documents of over half a billion customers is far from clear. Moreover, because such copies are so poorly verifiable, it is impossible to be sure that a KYC obtained for one purpose will not be reused for another, which makes both authorisation and accounting suspect.
Trust model for Aadhaar-based biometric authentication
The perceived trust deficit in the presenter and the verifier under certain situations was precisely the reason for which more complicated protocols like ABBA were introduced. However, even if we assume that biometric matching is perfect and there is no possibility of false presentation of biometric data, what are the implications for the trust model?
Though no trust assumption is required for the presenter, trust in the verifier – the person manning the machine – is still implicit. Even if the verifier cannot control the remote authentication, which is based on
Moreover, if the authentication outcome is not communicated directly by the UIDAI (Unique Identification Authority of India) to the user, but is instead routed through the verifier, then it opens up another set of trust-based vulnerabilities. The issues with Aadhaar-based eKYC (electronic KYC) are similar.
Trust model for QR codes and smart cards with chips
The information in an identity card can also be embedded in a QR (quick response) code or a smart card chip to facilitate machine readability. Examples of such QR-based cards are the PDS ration cards in Tamil Nadu (Khera 2018) and West Bengal, where verification is offline, and also the Aadhaar cards. Most driving licenses across the country use smart cards with chips, as do some ‘offline’ ration cards. If the contents are not digitally signed, and they do not appear to be in most of the above examples, they can be altered fairly easily: anyone with a QR-code generator or a card writer can produce a card carrying whatever contents they choose, and the reader has no way to tell. The trust model for these instruments is therefore identical to that of the traditional identity card. The only comparative advantage is machine readability, which facilitates automation and accounting.
The largest QR code can hold about 3KB (kilobytes
Offline biometric matching with biometric data stored in smart cards
If no data needs to be written back to the card, QR code-based cards are a simpler alternative. They are also more flexible, because the same QR code can be printed on paper or plastic or displayed on a screen, and can be regenerated easily if lost or damaged.
Trust model for offline identity verification with signed QR codes
Digitally signing the contents of a QR code with the secret key of an appropriate authority makes it
A machine-readable identity card with digitally signed, tamper-proof textual information and a photograph has superior trust properties than fingerprints or iris
A protocol for offline AAA using a digitally signed QR code
Any offline protocol that has to remove the requirement of trust on the verifier, and neither use automatic matching to avoid false
Consider the following protocol. The verifier can use a tamper-proof POS device to read the QR code, which can automatically verify the genuineness of the content using the public key of the signing authority. The verifier can then manually compare the photograph read from the QR code with the face of the person carrying the card. To make it irrefutable, the decision of identity verification, either positive or negative, can then be stored in the POS machine, along with both the time-stamped photograph read from the QR code and a live time-stamped photograph recorded using the POS machine with
The protocol ensures that the integrity of the transaction, including all of AAA, is irrefutable and can be audited. All it assumes is that the verifier cannot tamper with the POS terminal, and in particular cannot replace the signing authority’s public key stored in it; under that assumption the overall trust properties are superior to ABBA.
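The signed-QR protocol of the two paragraphs above, together with the signing step described in the preceding section, as an added example that is not part of the original article. It is written in Go with the standard library’s Ed25519 and JSON encoding. The field names (`id`, `name`, `photo`), the device identifier, the per-device signing key used for the audit record, and all sample data are assumptions of the example, and the photograph bytes are a constructed stand-in for a small compressed image.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// CardData is what the issuing authority puts in the QR code. The field set is an
// assumption of this example; the photo must be small enough to fit the ~3KB QR limit.
type CardData struct {
	ID    string `json:"id"`
	Name  string `json:"name"`
	Photo []byte `json:"photo"` // compressed image bytes (constructed stand-in below)
}

// SignedQR is the byte string encoded in the QR code: the serialised CardData
// and the authority's Ed25519 signature over exactly those bytes.
type SignedQR struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"sig"`
}

// IssueCard is run by the signing authority, which alone holds issuerPriv.
func IssueCard(issuerPriv ed25519.PrivateKey, card CardData) ([]byte, error) {
	payload, err := json.Marshal(card)
	if err != nil {
		return nil, err
	}
	return json.Marshal(SignedQR{Payload: payload, Signature: ed25519.Sign(issuerPriv, payload)})
}

// ReadCard is run by the POS device. The payload is not decoded, let alone trusted,
// until the signature verifies under the authority's public key held in the device.
// The issuer signature is returned so that the audit record can cite it.
func ReadCard(issuerPub ed25519.PublicKey, qr []byte) (CardData, []byte, error) {
	var sq SignedQR
	if err := json.Unmarshal(qr, &sq); err != nil {
		return CardData{}, nil, err
	}
	if !ed25519.Verify(issuerPub, sq.Payload, sq.Signature) {
		return CardData{}, nil, errors.New("signature invalid: contents altered or not issued by the authority")
	}
	var card CardData
	err := json.Unmarshal(sq.Payload, &card)
	return card, sq.Signature, err
}

// Forge models a cardholder or verifier editing the QR contents without the
// authority's secret key: the payload changes, the old signature stays.
func Forge(qr []byte, oldText, newText string) []byte {
	var sq SignedQR
	if err := json.Unmarshal(qr, &sq); err != nil {
		return nil
	}
	sq.Payload = bytes.ReplaceAll(sq.Payload, []byte(oldText), []byte(newText))
	out, _ := json.Marshal(sq)
	return out
}

// AuditRecord is what the POS device stores for each decision: the verdict, both
// photographs, and the issuer signature that ties the record to a genuine card.
// A per-device signing key (an assumption here) makes the stored record irrefutable.
type AuditRecord struct {
	DeviceID  string `json:"device"`
	CardID    string `json:"card_id"`
	Accepted  bool   `json:"accepted"`
	Timestamp string `json:"ts"`
	CardPhoto []byte `json:"card_photo"` // photograph read from the QR code
	LivePhoto []byte `json:"live_photo"` // photograph captured by the POS camera
	IssuerSig []byte `json:"issuer_sig"`
}

// RecordDecision returns the serialised record and the device signature over it.
func RecordDecision(devicePriv ed25519.PrivateKey, deviceID string, card CardData,
	issuerSig, livePhoto []byte, accepted bool, now time.Time) ([]byte, []byte, error) {
	rec, err := json.Marshal(AuditRecord{DeviceID: deviceID, CardID: card.ID, Accepted: accepted,
		Timestamp: now.Format(time.RFC3339), CardPhoto: card.Photo, LivePhoto: livePhoto, IssuerSig: issuerSig})
	if err != nil {
		return nil, nil, err
	}
	return rec, ed25519.Sign(devicePriv, rec), nil
}

// VerifyAudit is what a later auditor runs over a stored record and its signature.
func VerifyAudit(devicePub ed25519.PublicKey, rec, sig []byte) bool {
	return ed25519.Verify(devicePub, rec, sig)
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	devicePub, devicePriv, _ := ed25519.GenerateKey(rand.Reader)
	qr, _ := IssueCard(issuerPriv, CardData{ID: "RC-000123", Name: "Asha Devi", Photo: []byte("constructed-jpeg")})
	card, issuerSig, err := ReadCard(issuerPub, qr)
	_, _, forgedErr := ReadCard(issuerPub, Forge(qr, "Asha Devi", "Someone Else"))
	rec, sig, _ := RecordDecision(devicePriv, "POS-17", card, issuerSig, []byte("constructed-live-photo"), true, time.Now().UTC())
	fmt.Printf("genuine: %v (%s)\nforged: %v\naudit verifies: %v\n", err == nil, card.Name, forgedErr, VerifyAudit(devicePub, rec, sig))
}
```

Two points of the design are worth noting. The device verifies the signature before it decodes the payload, so a malformed or altered QR code never reaches the face-comparison step, and the same ReadCard check rejects a genuine card presented under the wrong authority key. The audit record carries the issuer’s signature alongside both photographs and the verifier’s verdict, and is itself signed by the device, so neither the verifier nor the cardholder can later dispute what was shown and decided; the root of trust in both checks is the authority’s public key held in the tamper-proof terminal.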
Exclusion is possible only if the verifier makes a genuine mistake in face-matching. The offline audit of authentication can be manual, on random samples or on demand, or can even be automated using face-matching software of the type that has been announced by the UIDAI.
Strict enforcement of identity verification and physical presence, such as in ABBA or in the protocol described above, prevents transferability of identity instruments. A facility to be able to transact on behalf of another person is a crucial feature in transaction protocols, especially if they have to be deployed in welfare or for financial inclusion. It is not inconceivable to build such a feature on top of the protocol described here by finding appropriate exceptions to the physical presence requirement.
There are several groups in the country which can undertake
Online AAA for other transaction use cases provides many more interesting possibilities, but that can be the topic of another discussion.
- Aadhaar or Unique Identification number (UID) is a 12-digit individual identification number issued by the Unique Identification Authority of India (UIDAI) on behalf of the Government of India. It captures the biometric identity – 10 fingerprints, iris and photograph – of every resident, and is meant to serve as a proof of identity and address anywhere in India.
- During biometric matching, a similarity score between the presented and the stored fingerprints is computed. Incorrect rejection of a genuine person based on a threshold of the similarity score is called a false negative.
- De-duplication is the offline process of pairwise matching of people’s fingerprints during Aadhaar enrolment to establish uniqueness.
- Abraham, R, ES Bennett, R Bhusal, S Dubey, Q Li, A Pattanayak and NB Shah (2018), ‘State of Aadhaar Report 2017-18’, Technical report, IDinsight, May 2018.
- Agrawal, Shweta, Subhashis Banerjee and Subodh Sharma (2017), ‘Privacy and Security of Aadhaar: A Computer Science Perspective’, Economic and Political Weekly, Vol. 52, Issue No. 37, 16 September 2017.
- Drèze, Jean, Nazar Khalid, Reetika Khera and Anmol Somanchi (2017), ‘Aadhaar and Food Security in Jharkhand: Pain without Gain?’, Economic and Political Weekly, Vol. 52, Issue No. 50, 16 December 2017.
- Kähm, O and N Damer (2012), ‘2D face liveness detection: An overview’, in 2012 BIOSIG – Proceedings of the International Conference of Biometrics Special Interest Group (BIOSIG), September 2012.
- Khera, R (2018), ‘Smarter than Aadhaar: Govt’s insistence on disruptive option is bewildering’, Business Standard, 14 March 2018.
- Kotwal, A and B Ramaswami (2018), ‘Aadhaar that doesn’t exclude’, Ideas for India, 11 April 2018.
- Pahwa, N (2018), ‘By Revealing His Aadhaar Number, the TRAI Chairman Has Opened a Can of Worms’, The Wire, 30 July 2018.
- PTI (2017), ‘UIDAI suspends Airtel, Airtel Payments Bank’s e-KYC licence over Aadhaar misuse’, Economic Times, 16 December 2017.
- PTI (2018), ‘UIDAI brings updated QR code for offline Aadhaar verification’, Times of India, 18 April 2018.
- Sabt, Mohamed, Mohammed Achemlal and Abdelmadjid Bouabdallah (2015), ‘Trusted Execution Environment: What It Is, and What It Is Not’, 2015 IEEE Trustcom/BigDataSE/ISPA, 1: 57–64, August 2015.