UIDAI adds Face Authentication and fresh set of issues with it

To address failures in fingerprint and iris authentication, the Unique Identification Authority of India (UIDAI) said that it will now introduce ‘Face Authentication’ on July 1st, 2018. CEO Ajay Bhushan Pandey said that this was being done to address issues that the “elderly or others” faced, but the move would more likely hurt them instead.

Last week, security analyst Elliot Alderson pointed out flaws in the mAadhaar app and showed that the app stored a user’s eKYC data on the phone itself, including the Aadhaar number, name, address and photograph, among others. An individual’s photograph is classified as ‘biometric information’ under section 2(g) of the Aadhaar Act, 2016.

When the story broke, the UIDAI issued a false statement saying that the mAadhaar app does not capture, store or take any biometric inputs.

A circular from the UIDAI says that Face Identification will be only used in “Fusion Mode” and will need an additional form of authentication with a fingerprint scan, iris scan or one-time password. The agency also added that Face Identification will be provided to only certain AUAs (Authentication User Agencies).

It also added that currently, the face photo is not enabled on the Aadhaar authentication API within the CIDR (Central Identities Data Repository) but it can be enabled. The circular also said that “since the photo is already present in the UIDAI database there is no need to capture any new reference data”.

Face Identification will also have ‘liveness’ detection and can be used as an additional factor of authentication. Cameras on laptops and mobile phones can be used to capture faces for AUAs without the need for additional hardware.

Security and privacy issues

Face Identification poses a number of security and privacy problems from the start and could lead to fraud if implemented.

  • First, the UIDAI needs to understand that biometrics of a person will change with time. If the Aadhaar system is matching a person’s face to the photograph in the database, there are bound to be failures. Remember, the UIDAI started collecting information for its database in 2009 and people age over nine years.
  • Secondly, hackers claim that they broke Apple’s Face ID authentication within a week of the iPhone X launch. Bkav, a Vietnamese security firm, claimed that it was able to spoof Apple’s systems by building a mold and paper cutouts. Hackers could easily engineer a social hack with photographs of a target.
  • Third, ArsTechnica points out that Apple’s Face ID captures additional facial features over time and uses them for authentication and to make improvements. If the UIDAI implements this solution, this would mean that it would rely on constant surveillance of the Aadhaar holder to keep updating its database. Publicly, the UIDAI has told the Supreme Court that the Aadhaar system cannot be used for surveillance. But documents from State Resident Data Hubs (SRDHs) show that they are building a 360-degree profile of residents. Note that the Aadhaar Act specifically states that a 360-degree profile cannot be built using Aadhaar.
  • And finally, facial recognition technology on existing consumer devices uses the same camera for capturing the reference image of the face and for authentication, something that will be very unlikely with Aadhaar. Additionally, the most reliable (relatively speaking) facial recognition technology doesn’t just capture a two-dimensional image of the face but uses infrared emitters to map the shape of the face. The Aadhaar database only has two-dimensional images (very dimly lit in some cases) as a point of reference.

The UIDAI will face a conundrum if it implements Face Identification. The only way it can implement the solution effectively is by regularly updating the database through surveillance, but that would run contrary to its public stance on surveillance and to the Aadhaar Act.

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.




MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
