Aadhaar (12-digit unique ID) integration has caught the fancy of many companies and startups in India that are looking at policy reforms and at achieving higher efficiency in their business processes by establishing the correct identity of users or individuals (referred to as Aadhaar-holders) on their platforms. This post covers all aspects of such an integration.
Use Cases
The use cases for such integration in web and mobile apps by companies can be:
(i) establishment of true identity and address instantly
(ii) weeding out fake or duplicate records, and/or just keeping the data on your platform clean, standardized and free from junk
(iii) reducing typing effort of users, and avoiding typo errors via a simple fetch of 15 ID and address fields and a face photo from a trusted third party Government source (UIDAI)
(iv) avoiding collection and storage of paper ID and address documents, and the friction that comes with it
(v) adherence to compliance and KYC requirements defined by regulators
(vi) avoiding misuse or fraud in usage of goods and services offered through your platform
(vii) linking transactions and user behavior to analyse patterns such as those related to purchase, even if users come back with a different email ID or mobile number
(viii) deeper information visibility on app users
If you are considering Aadhaar integration in your apps, you will relate to one or more use cases listed above.
Quick brief on Aadhaar
Aadhaar is a 12-digit ID issued to 112 Crore (1.12 billion) Indian residents so far. This number is expected to increase to cover 100% of Indian residents, as Aadhaar becomes critical for easy access to various Government, public and private sector services. Every child born in India will be issued an Aadhaar, and the biometrics will be captured when the child becomes 5 years old, and then again when he/she becomes 15 years old. Aadhaar is a number, and NOT a card, and is intended to be used for digital authentication and KYC. Information pertaining to an Aadhaar number can be updated (e.g. names, addresses, mobile numbers, etc.), but the number remains unique and lifelong. An individual will never get a second number, due to the biometric de-duplication done before Aadhaar issuance.
The future
Imagine the current ways and form factors in which Aadhaar is used physically. You must have seen it at airports, railway stations, hotels, visitor entry points: (i) A-4 paper printout after self-service download from eAadhaar portal (ii) Half A-4 sized Aadhaar letter sent by post by UIDAI (iii) Tear-away portion at the bottom of Aadhaar letter (iv) Laminated card using the tear-away portion (v) Printed plastic cards.
This however is traditional ID establishment, which is no different than showing a Voter ID, a PAN card or a DL.
All these ways of ID establishment will become digital to enhance the authenticity of the processes, and this provides immense business opportunities for entrepreneurs. We have already seen Aadhaar used to open bank accounts digitally, to get mobile SIM connections digitally, to check in at airports in a paperless manner (recently piloted at Bangalore and Hyderabad airports), for last-mile disbursal of payments using Aadhaar-enabled micro-ATMs, and for distribution of rations at fair price shops under PDS. These are fine examples of process digitization that brings more authenticity while creating ease and comfort for the Aadhaar-holder as well as the service provider. In future, our bet is that the form factors listed above (paper, card, etc.) will go away, and people will just store their Aadhaar numbers on their mobile phones and have them readily available for all transactions. This implies that Aadhaar will truly become mainstream, and every Indian will establish his/her identity digitally somewhere, someplace, every 3 days. This is based on Aadhaar’s planned server capacity increase from 100 million daily transactions to 400 million daily transactions.
Aadhaar platform APIs
The Aadhaar APIs are all it takes to integrate. There are two of them:
(i) Aadhaar authentication – Available in three modalities: (a) Biometric (b) Demographic (c) OTP.
Input: Aadhaar number + one or more demographic, biometric fields or OTP (one-time password).
Output: “Yes” if the information matches in the Aadhaar database against the Aadhaar number. “No” along with error code if the information does not match.
(ii) Aadhaar KYC – Available in two modalities: (a) Biometric (b) OTP.
Input: Aadhaar number + biometric field (fingerprint or iris) or OTP (one-time password).
Output: Fetch of 15 demographic fields (Name, Gender, Date of Birth, Mobile, Email, Pincode, State, District, Village/Town/City and other free text address fields) and a face photo from Aadhaar.
Please note that the OTP modality works with an OTP sent to the mobile number registered in the Aadhaar database. If the Aadhaar-holder does not have this, he/she can visit an Aadhaar center and get it updated. Aadhaar certified biometric devices (fingerprint, iris) are available for purchase in the market. It is important that you only use certified biometric devices. A simple Google search should get you the list of Aadhaar certified devices. STQC is UIDAI’s partner for device certification.
Compliance with consent, data-security and privacy norms
The Aadhaar platform is designed to comply with the highest norms related to consent, data security and privacy. An example of the design is that just by knowing someone’s Aadhaar number, you can’t get any more information about the Aadhaar-holder. Similarly, if you know the Aadhaar number and one or more demographic attributes such as name, you can’t get the rest of the information about the Aadhaar-holder. This is the reason why Aadhaar-based KYC (or eKYC API) does NOT offer a demographic modality, and you definitely need the biometric or OTP consent, which is an explicit form of consent.
Your provider of the Aadhaar platform (such as OnGrid) will require you to comply with consent, data-security and privacy norms as laid down by UIDAI and the Government of India, and it is essential and mandatory that your apps and processes comply with the same. Here are the top things that you should have on your compliance list.
(i) Consent – You should take consent of the Aadhaar-holder. The Aadhaar-holder should be educated about your platform and process (via your platform only), and should know that his/her Aadhaar number and personal information will be used for Aadhaar authentication or KYC, and the purpose of Aadhaar authentication or KYC, as applicable. You should ask your provider of the Aadhaar API how you can comply with this. If your platform is being used by other organizations (B2B nature of app), the organizations should be made aware of and responsible for consent.
(ii) Biometrics – Aadhaar does not return biometric as part of its authentication or KYC response. You should NOT store biometrics, as it can be used for a fraudulent biometric verification, which can cause identity theft. The Unique ID authority of India (UIDAI) has built checks and balances to identify such a fraudulent transaction made using stored biometrics.
(iii) Data storage and security – Contrary to common misconception, data output as a result of an Aadhaar authentication or KYC transaction CAN be stored. Otherwise, how would a service provider (such as a bank, a telecom operator or a Government department) offer its services? However, it is important to store the data in a secure manner, and use it ONLY for the purpose of providing the service for which you have taken the consent or authorization of the Aadhaar-holder. Indulging in practices such as selling the data or sharing the data (i.e. giving access to someone else) without consent of the Aadhaar-holder is a strict NO.
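The three compliance items above expressed as a storage layer, as an added example that is not code from OnGrid or UIDAI: it drops biometric fields before persisting, binds each record to the purpose the Aadhaar-holder consented to, and refuses reads for any other purpose. The class names, field names, purpose strings and the sample Aadhaar number are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
# Assumed field names for this sketch; not UIDAI or OnGrid identifiers.
BIOMETRIC_FIELDS = {"fingerprint", "iris"}

class ConsentError(Exception):
    """Use of KYC data outside what the Aadhaar-holder consented to."""

@dataclass
class KycRecord:
    holder_ref: str         # keyed hash of the Aadhaar number (lookup key)
    masked_number: str      # last four digits only, for logs and UI
    purpose: str            # purpose stated to the holder at consent time
    consent_mode: str
    consented_at: datetime
    fields: dict            # encrypt at rest in a real deployment

class KycVault:
    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._records = {}

    def _ref(self, aadhaar: str) -> str:
        # A 12-digit number is brute-forceable under a plain hash, so key it.
        return hmac.new(self._key, aadhaar.encode(), hashlib.sha256).hexdigest()

    def store(self, aadhaar, response, purpose, consent_mode) -> KycRecord:
        # eKYC has no demographic modality: only OTP or biometric consent counts.
        if consent_mode not in ("OTP", "BIOMETRIC"):
            raise ConsentError("eKYC data requires OTP or biometric consent")
        # Never persist biometric captures, even if the caller passes them on.
        clean = {k: v for k, v in response.items() if k not in BIOMETRIC_FIELDS}
        rec = KycRecord(self._ref(aadhaar), "XXXXXXXX" + aadhaar[-4:], purpose,
                        consent_mode, datetime.now(timezone.utc), clean)
        self._records[rec.holder_ref] = rec
        return rec

    def read(self, aadhaar, purpose) -> dict:
        rec = self._records[self._ref(aadhaar)]
        if purpose != rec.purpose:
            raise ConsentError(f"no consent recorded for purpose {purpose!r}")
        return rec.fields

if __name__ == "__main__":
    vault = KycVault(b"constructed-demo-key")
    sample = {"name": "Test Holder", "pincode": "560001", "fingerprint": b"\x01"}
    rec = vault.store("999912345678", sample, "tenant-onboarding", "OTP")  # constructed number
    print(rec.masked_number, sorted(rec.fields))
```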
Ready to get started?
You can start integrating with OnGrid right away. Aadhaar authentication and Aadhaar eKYC services are offered by OnGrid via its web platform, mobile platform and APIs. If you are only using the APIs for integration in your apps, and are not interested in other services that OnGrid offers, you need NOT store the data on the OnGrid platform. If you need a downstream service from OnGrid, you can choose to store the data on the OnGrid platform, and make sure you take consent of the Aadhaar-holder. In such a case, OnGrid can support you with the consent guidelines.
For API integration only, follow these steps:
Write to partner@ongrid.in with your use-case and requirements, i.e. whether you need to use Aadhaar authentication or Aadhaar eKYC or both. Sometimes it makes sense to have eKYC as your default workflow, with a seamless switch-over to Aadhaar authentication in case biometric devices are not available in the environment, or the Aadhaar-holder does not have a mobile number registered in Aadhaar.
Sign a declaration sent by OnGrid, and get staging access to the APIs (documentation link: https://ongrid.api-docs.io/)
Sign the service agreement with OnGrid after completion of integration and testing. OnGrid technology and program will help you with the technical nuances, the optimal workflows that you should have, and consent and data security.
Make payments (pricing listed here: https://www.ongrid.in/#/pricing)
Switch to production
About OnGrid
OnGrid is an Aadhaar-enabled trust platform that offers verification services and background checks, both digital and physical. OnGrid links documents, verification reports, employment and education records with Aadhaar to make future transactions paperless and presence-less for Aadhaar-holders (with their consent), thereby reducing harassment of repeated documentary evidence and background checks for Aadhaar holders, and creating value for organizations using the OnGrid platform.
Feedback
Was this document helpful? Do you have any feedback, or have any queries related to Aadhaar technology, operating framework or legal compliance? Please feel free to leave a comment for the author, or write to partner@ongrid.in
FAQs
1. What are the key benefits of integrating Aadhaar with my app or platform?
Integrating Aadhaar allows you to instantly verify identity and address, reduce fake records, streamline KYC compliance, and offer a paperless user experience.
2. What is the difference between Aadhaar Authentication and Aadhaar eKYC?
Aadhaar Authentication provides a simple “Yes/No” response based on matching credentials, while Aadhaar eKYC fetches demographic data and photo after OTP or biometric consent.
3. Do I need the user’s consent to use Aadhaar-based services?
Yes, explicit consent via OTP or biometric is mandatory for both Aadhaar Authentication and eKYC, as per UIDAI guidelines.
4. Is it safe to store Aadhaar-based KYC data?
Yes, storage is allowed if it is secure and used only for the purpose consented to by the Aadhaar-holder. Sharing or selling this data is strictly prohibited.
5. Can Aadhaar be used to prevent fraud on digital platforms?
Absolutely. By linking identity verification to Aadhaar, businesses can reduce duplicate users, prevent misuse of services, and increase overall platform trust.