To address failures in fingerprint and iris authentication, the Unique Identification Authority of India (UIDAI) said that it will introduce ‘Face Authentication’ on July 1st, 2018. CEO Ajay Bhushan Pandey said that this was being done to address issues the “elderly or others” faced, but the move would more likely hurt them instead.

Last week, security analyst Elliot Alderson pointed out flaws in the mAadhaar app and showed that the app stored a user’s eKYC data on the phone itself, which includes the Aadhaar number, name, address and photograph, among other fields. An individual’s photograph is classified as ‘biometric information’ under section 2(g) of the Aadhaar Act, 2016.

When the story broke, the UIDAI issued a false statement saying that the mAadhaar app does not capture, store or take any biometric inputs.

A circular from the UIDAI says that Face Identification will only be used in “Fusion Mode” and will need an additional form of authentication: a fingerprint scan, iris scan or one-time password. The agency also added that Face Identification will be provided to only certain AUAs (Authentication User Agencies).

It also added that the face photo is currently not enabled on the Aadhaar authentication API within the CIDR (Central Identities Data Repository), but that it can be enabled. The circular also said that “since the photo is already present in the UIDAI database there is no need to capture any new reference data”.

Face Identification will also have ‘liveness’ detection and can be used as an additional factor of authentication. Cameras on laptops and mobile phones can be used by AUAs to capture faces without the need for additional hardware.

Security and privacy issues

Face Identification poses a number of security and privacy problems from the start and could lead to fraud if implemented.

  • First, the UIDAI needs to understand that a person’s biometrics change with time. If the Aadhaar system is matching a person’s face to the photograph in the database, there are bound to be failures. Remember, the UIDAI started collecting information for its database in 2009, and people have aged by up to nine years since then.
  • Secondly, hackers claim that they broke Apple’s Face ID authentication within a week of the iPhone X launch. Bkav, a Vietnamese security firm, claimed that it was able to spoof Apple’s system by building a mold and paper cutouts. Hackers could easily engineer a social hack with photographs of a target.
  • Third, ArsTechnica points out that Apple’s Face ID captures additional facial features over time and uses them for authentication and to improve its accuracy. If the UIDAI implements this solution, it would have to rely on constant surveillance of the Aadhaar holder to keep updating its database. Publicly, the UIDAI has told the Supreme Court that the Aadhaar system cannot be used for surveillance. But documents from State Resident Data Hubs (SRDHs) show that they are building a 360-degree profile of residents. Note that the Aadhaar Act specifically states that a 360-degree profile cannot be built using Aadhaar.
  • And finally, facial recognition technology on existing consumer devices uses the same camera for capturing the reference image of the face and for authentication, something that is very unlikely with Aadhaar. Additionally, the most reliable (relatively speaking) facial recognition technology doesn’t just capture a two-dimensional image of the face but uses infrared emitters to map the shape of the face. The Aadhaar database only has two-dimensional images (very dimly lit in some cases) as a point of reference.

The UIDAI will face a conundrum if it implements Face Identification. The only way it can implement the solution effectively is by updating the database regularly through surveillance, but that would run contrary to its public stance on surveillance and to the Aadhaar Act.