The Indian government is bullish about the Aadhaar system for a complete digital identity. The best way to see this in action is the various methods implemented for the verification of a cardholder.
There are two primary methods of verification. One is the online method which involves scanning the Aadhaar QR code on the Aadhaar card with the specified authentication devices. The process is fast, secure, and centrally regulated. It could be trusted and uses UIDAI infrastructure to process the authentication. It works fine except for minor instances where the network couldn’t be reached during an authentication.
Hence the other offline method, which involves the use of a downloadable zipped XML file from the UIDAI website. The file includes the information selected by the individual for sharing during a verification process. The file could contain information like the photo, date of birth, etc. to be shared with a service provider, apart from the mandatory name and address. It does not disclose your Aadhaar number, even in a masked form. Also, email id and password are hashed using an algorithm specified by UIDAI.
The selected fields become a part of the XML file and are digitally signed with UIDAI’s private key. In order to verify the digital signature, the public key is also included in the XML file.
In its document UIDAI says: “… the XML file generated by the Aadhaar number holder using Offline Aadhaar Data Verification Service is a digitally signed document using UIDAI digital signature. Thus, the service provider can verify the demographic contents of the file and certify it to be authentic when doing the offline verification.”
Here is the process to download the XML file:
- Step 1: Go to URL www.uidai.gov.in
- Step 2: Enter ‘Aadhaar Number’ or ‘VID’ and mentioned ‘Security Code’ in the screen, then click on ‘Send OTP’
- Step 3: Enter the OTP received by registered Mobile Number for the given Aadhaar Number
- Step 4: Enter a Share Code which will be the password for the ZIP file and click on the ‘Download’ button
- Step 5: The Zip file containing the digitally signed XML will be downloaded
The offline verification comes in handy when the process cannot happen online or when you have to share the document. The advantage is in the ability to share only the selected information that one wants to share.
Security is a concern though
Aadhaar verification through the offline method, at a very optimistic level, has been tricky to perform. UIDAI does not specify the exact process of sharing the downloaded file along with the password to any institution. Couple it with the fact that UIDAI steps off from the centralized authentication.
A file once shared with the password to use it could, in turn, be sent forward to be used again. There is no control over who could open the file. Strict data retention policies are governing the use of these documents, but a leak could see the data getting exposed as we have seen in the past with Aadhaar.
The use of such a document is a future, we would need it till we have significant people with online connectivity in our country. The process by UIDAI in itself would evolve to accommodate these concerns and will improve in the future.
How it should be used
Aadhaar XML of anyone is a piece of sensitive information that should be processed and handled with care. The file should never be saved without proper security and encryption to any server. The processing of the information should, as much as possible, be done on the client and never pushed to the server.
We have built verification processes using XML files and we always do the verification in an encrypted environment on the client device. Never on a server!