About Authentication Devices

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

• 
  Collection of Personal Identity Data (PID) from Aadhaar number holders through the domain / client application hosted on such devices.
• 
  Perform basic checks on the information collected for completeness and compliance
• 
  Transmit the authentication packets and receive the authentication result

In compliance with Aadhaar Act, 2016 and its Regulations.

Authentication devices are deployed by requesting Entities (AUA/KUA). Based on the mode of operation, such devices are classified as Self-Assisted and Operator Assisted devices.

Self-Assisted devices are the devices where Aadhaar authentication transaction is carried out by the Aadhaar number holder himself/herself without any assistance.

Operator-Assisted devices are the devices where the Aadhaar authentication transaction of the Aadhaar number holder is performed with the assistance of requesting entity’s operator.

The device application should have provisions to service genuine Aadhaar number holders who may be falsely rejected during biometric authentication. Also, there should be measures to continue service delivery in case of other technological limitations such as network non-availability, device breakdown etc. There should be no denial of service to Aadhaar number holders due to technology limitations. The exception handling mechanisms should be backed up by non-repudiable features to log/audit requests handled through exception handling mechanism to prevent any fraud attempts.

For details on Security Requirements, The Aadhaar Act, 2016 and its Regulations may be referred

A large number of authentication devices, especially those initiating biometric authentication requests, are expected to be operator-assisted devices. AUAs should ensure that operators are adequately trained to carry out Aadhaar authentication transactions and also to handle queries from Aadhaar number holders appropriately.

Some key areas that should be part of operators’ training include:

• 
  Usage of biometric devices and Do’s / Don’ts for capturing good quality biometrics
• 
  Usage of BFD, process for on-boarding Aadhaar number holders and guiding them for next steps
• 
  Exception handling processes and ensuring no denial of service to Aadhaar number holders due to technology limitations
• 
  Communicating appropriately with Aadhaar number holders
• 
  Fraud monitoring & fraud reporting mechanisms
• 
  Basic troubleshooting steps and contact details of AUA’s device/application support team

• 
  PID block captured for Aadhaar authentication should be encrypted during capture and should never be sent in the clear over a network.
• 
  The encrypted PID block should not be stored unless it is for buffered authentication for a short period of time.
• 
  Biometric and OTP data captured for the purposes of Aadhaar authentication should not be stored on any permanent storage or database.
• 
  In the case of operator assisted devices, operators should be authenticated using mechanisms such as password, Aadhaar authentication, etc.