Among the submissions made by Dr Ajay Bhushan Pandey, CEO of UIDAI, to the Supreme Court on the 22nd day of ongoing hearings on the constitutional validity of Aadhaar was his Aadhaar authentication history between November 1, 2017, and March 29, 2018. Here are some insights from examining the log.

The CEO of UIDAI himself has a 19% authentication failure rate

There are details of 26 authentication attempts, out of which 5 failed, which amounts to a failure rate of about 19.2%. This is higher than the failure rate claimed by Dr Pandey before the Supreme Court, even as he provided documents to the contrary. Vakasha Sachdev of The Quint has written in more detail about this.

The authentication failure rate for personal use of Aadhaar seems to be much higher

While the UIDAI work-related authentications appear to be uniformly successful, Dr Pandey’s luck with authentications for the services his Aadhaar is linked to appears to be worse, or at least no better than the examples brought up by the petitioners. Out of 9 authentication attempts (1 Vodafone + 7 ICICI + 1 IDFC), only 4 succeeded (1 Vodafone + 3 ICICI), which amounts to a failure rate higher than 50%.

All authentication services require an AUA. UIDAI has several “Internal AUAs” for its own purposes. An AUA is just a 10-digit code that is recognized by the internal authentication system. So, in effect, the success rate with “Internal AUAs” is similar to connecting your OTP system to your laptop and typing the OTP: most of the variables are removed except your mobile SIM connectivity. If you knock out those internal authentications, his authentication success is less than 50% of attempts made.

The CEO of UIDAI has locked his own biometrics – to prevent misuse?

While the UIDAI is arguing before the Supreme Court that biometrics are perfectly safe, it turns out that the CEO of UIDAI himself has disabled the use of his own biometrics. Not a ringing endorsement, this.

OTP authentication does not appear to be easy either

Dr Pandey had explained in Court that Aadhaar is superior to debit cards, because of the complexity of entering a PIN for the illiterate masses. However, Dr Pandey’s own authentication history shows failures in authenticating Aadhaar using OTP, for a PhD holder and the CEO of the UIDAI himself.

The authentication rate of 95% claimed for banks appears to be exaggerated

Dr Pandey’s log shows 7 attempts made within a span of 1 minute and 51 seconds at ICICI Bank. 4 out of 7 failed, which is more than half the attempts made. One attempt made at IDFC Bank failed and was not attempted again.
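An added example, not part of the original article and not UIDAI code: it shows how segmenting an authentication log by AUA class separates the internal success rate from the external one, and how timestamps alone expose retry bursts such as the ICICI one. The records are constructed so that only the per-AUA counts and the 1 minute 51 second span match the article; the timestamps, the ordering of successes and failures, the split between the two internal labels and the treatment of both labels as internal are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: both labels named in the article are treated as UIDAI-internal.
INTERNAL_AUAS = {"UIDAI Services", "UIDAIEKYCPOC"}

def build_sample_log():
    """Constructed (aua, timestamp, ok) records; only the counts come from the article."""
    t0 = datetime(2018, 1, 26, 23, 57, 0)            # constructed start time
    offsets = [0, 20, 40, 60, 80, 100, 111]          # seconds; span = 1 min 51 s
    icici_ok = [False, False, True, False, True, False, True]
    log = [("ICICI", t0 + timedelta(seconds=s), ok)
           for s, ok in zip(offsets, icici_ok)]
    log.append(("Vodafone", datetime(2017, 12, 10, 11, 0), True))
    log.append(("IDFC", datetime(2018, 2, 20, 15, 0), False))
    for i in range(17):                              # 17 internal, all successful
        aua = "UIDAIEKYCPOC" if i < 6 else "UIDAI Services"
        log.append((aua, datetime(2017, 11, 2, 10, 0) + timedelta(days=8 * i), True))
    return log

def failure_rates(log, internal=INTERNAL_AUAS):
    """Return {segment: (attempts, failures, failure %)} for overall/internal/external."""
    counts = defaultdict(lambda: [0, 0])
    for aua, _, ok in log:
        for seg in ("overall", "internal" if aua in internal else "external"):
            counts[seg][0] += 1
            counts[seg][1] += not ok
    return {seg: (n, f, round(100 * f / n, 1)) for seg, (n, f) in counts.items()}

def retry_bursts(log, window=timedelta(minutes=5), min_attempts=3):
    """Find runs of attempts at one AUA where each attempt follows the last within `window`."""
    by_aua = defaultdict(list)
    for aua, ts, ok in log:
        by_aua[aua].append((ts, ok))
    bursts = []
    for aua, events in by_aua.items():
        events.sort()
        run = [events[0]]
        for ev in events[1:] + [None]:               # None flushes the final run
            if ev and ev[0] - run[-1][0] <= window:
                run.append(ev)
                continue
            if len(run) >= min_attempts:
                span = int((run[-1][0] - run[0][0]).total_seconds())
                bursts.append((aua, len(run), sum(not ok for _, ok in run), span))
            run = [ev]
    return bursts

if __name__ == "__main__":
    sample = build_sample_log()
    print(failure_rates(sample))
    print(retry_bursts(sample))
```

The same grouping that yields the failure rates also shows how much an AUA name plus a timestamp reveals about the holder's activity.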

How are there only 26 authentication attempts when UIDAI HQ has Aadhaar based attendance?

According to Nandan Nilekani (2013), the UIDAI headquarters attendance system is based on Aadhaar. Marking attendance is usually mandatory for everyone in government organizations. This raises several questions (Credit: Twitter user @kingslyj):

  • Does Dr. Pandey work from home?
  • Was Nandan Nilekani lying in 2013?
  • Did UIDAI later abandon the use of Aadhaar for recording employee attendance?
  • Or make exceptions because of authentication failures?
  • Or exceptions for specific officials?
  • Or is it that Dr. Pandey bypasses AEBAS and disables biometrics? Under what government rule?

UIDAI’s claim of not storing personal data is refuted by Dr Pandey’s authentication history log

The authentication history log clearly shows important information about Dr Pandey that we did not know before examining it. (Credit: Thread by Anand V)

  • Dr Pandey has at least one new or newly linked Vodafone number (Successful authentication with Vodafone). He also does not have any other phone numbers linked with Aadhaar after November 1, 2017.
  • Dr Pandey probably has 3 accounts with ICICI that he linked with his Aadhaar just before midnight on Republic Day. Any other accounts he may have were not linked within the last 5 months.
  • Dr Pandey has at least one IDFC account not linked with Aadhaar. They probably insisted on biometric authentication, since there do not seem to be any attempts made for OTP authentication.
  • Based on Dr Pandey’s use of Internal AUAs and the non-standard AUA “UIDAI Services”, Anand was able to make inferences and educated guesses about his patterns around management or demonstrations of the UIDAI services, namely:
    • “UIDAI services” is probably custom access he has from his office.
    • He probably gave someone a demo of, or tested, authentication at around 5:30 pm on the 5th of February.
    • Two authentications, on 5th Jan 2018 at 00:39:30 (think of it as a very late night on the 4th) and on 6th Jan at 20:48:05, have the same UKC. This sounds like extensive troubleshooting after Rachna Khaira’s exposé in the Tribune about access to the UIDAI database being sold for Rs. 500 on WhatsApp.
    • He probably checked the authentication services on Republic Day at 7 pm – from office, likely.
    • He probably checked/tested something on 31st Jan just after 8 pm or, to extrapolate like Anand, “He definitely came home late and did not reach before 9 PM.”
    • A series of authentications in November and December on UIDAIEKYCPOC seem to indicate testing or demonstration of new KYC features – Limited KYC?

The vast majority of Dr Pandey’s Aadhaar authentications appear to be for work

Dr Pandey does not appear to link or authenticate using Aadhaar extensively in his personal life, other than for the bank accounts with ICICI and the mobile phone with Vodafone. He appears to avoid using the Aadhaar-based attendance system as well. This is below-average adoption of Aadhaar if we consider their “more than 4 crore successful authentications daily”, which implies at least once-a-month use of Aadhaar per individual, and higher if you consider the inactive Aadhaar numbers (children, dead people, wrong information, authentication failures…).

At a 19% overall failure rate, a much higher one (closer to 50%) for personal uses such as authenticating Aadhaar for a phone or bank, and with locked biometrics, Dr Pandey, other than in his work-related logins on non-public AUAs, appears to be on the “exclusion” side of the Aadhaar argument rather than the “efficiency” side.