What an Indian ID System Tells Us About the Future of Biometrics for Authentication


By John Connolly

It is a colossal and unique undertaking, a project that has required the processing of terabytes of personal data, thousands of hours registering users, and over a billion dollars. The result is Aadhaar – the largest biometric database in the world, containing the fingerprints, iris scans, photographs and personal details of over 1.19 billion Indian residents. This information is processed and takes the form of a twelve digit unique identity number assigned to every person who has enrolled. Introduced by the Indian Government in 2009 and administered by the Unique Identification Authority of India (UIDAI) the Aadhaar project aspires to improve governance and tackle fraud in a country that has struggled with its population size for decades. It now represents the largest ever experiment in biometric identity the world has ever seen.

If the creation of Aadhaar seems ambitious, the Indian government’s next steps for the programme make it seem almost trivial, as they aim to ingrain Aadhaar into every aspect of Indian life. Aadhaar authentication is already compulsory to access some government welfare schemes and subsidies and will soon be required to open a bank account, to buy a SIM card, for rail travel and more. In short, biometric authentication will be required to function at every level of Indian society.

The process for Aadhaar verification is simple and designed to limit potential breaches. When an Aadhaar user registers at a bank, they provide their personal details, their Aadhaar number and their biometric information. This is then sent to UIDAI who respond to verification requests with a simple ‘yes’ or ‘no’. Ideally this means that a user’s personal information is not held by any third party and UIDAI only hold the information necessary to validate an individual’s identity.

On the surface, the Aadhaar project seems both sensible and secure. The arguments for using biometrics to authenticate identity are well known and for the most part common sense. By virtue of being unique to every individual, they are much more difficult to impersonate than your average password and are infinitely more convenient. They are also mostly non-transferable and quick to authenticate. But when an actual reality emerges of a single database run by a government body holding the sensitive information of 1.19 billion users, it is hard not to be concerned by the privacy and security implications this may cause.

 

Is Aadhaar Secure?

 

When a database holds a huge amount of sensitive information, it is essential that it is as secure as possible. But recently reported breaches have cast doubt on the security of a system that is now used by over 97% of the Indian population. In January 2018, a reporter from the Indian newspaper The Tribune was reportedly able to buy access to the Aadhaar database portal for as little as Rs 500 (5.44 GBP). The reporter could then allegedly access a user’s name, address, postal code, phone number and email. The breach was apparently made possible when former Aadhaar employees, realising that their role was due to be terminated, saw an opportunity to make a quick buck by selling access to the system.

More recently, an investigation by Australian technology news outlet ZDNet alleged that a vulnerability within the state owned utility company Indane meant security researchers were able to download the private information of Aadhaar users. As well as their name and their 12 digit number, it also included services they had connected to, such as bank accounts and other private details.

The Indian government has voraciously disputed that the Aadhaar database has been breached and has dismissed the ZDNet claims as “baseless and irresponsible”. The official site of Aadhaar still argues that the “Aadhaar database has never been breached during the last 7 years of its existence” and makes the somewhat tenuous claim that “Aadhaar data is fully safe and secure at UIDA”.

Although the two reported breaches appear to be limited in scope and do not include biometric information such as iris images or fingerprints, it a generally accepted truth among security professionals that no system is fully secure and any database connected to the internet has the potential to be hacked. To borrow a much used phrase: it’s not if but when. Following this logic, what does this mean for biometric authentication?

 

Thumbs Down

 

To stop fraud, biometric systems have to be secure at every level – from scanning equipment all the way to final storage. Encoding and encryption techniques are used by Aadhaar and improve security by preventing biometric patterns being reverse engineered. But these techniques are far from perfect and other vulnerabilities do exist, such as accessing device storage to steal biometric templates, creating wearable replicas of user’s biometrics, replacing user templates on the database, or sniffing network traffic to reveal user details. Meanwhile, as Aadhaar becomes more widespread, it also becomes a more lucrative target for attackers which is why the Indian government has been so keen to defend the security of its project. An attacker or fraudster could potentially empty bank accounts, claim benefits from the state and even enrol in university if they have compromised someone’s biometric details.

In many ways though this does not differ from any other identity system. All authentication systems struggle with fraud and impersonation, therefore it seems unfair to point out that there will be flaws in a biometric system. But one of the key differentiators between biometrics and other authentication methods is that biometrics cannot be changed. Without surgery or an accident, a user’s thumbprint will always remain the same, as will their iris scan or facial picture. This means that the security of biometric data has to be treated as an essential priority. After all, if your biometric details are stolen, you can’t ask for a new finger.

What happens after your finger print is stolen is less clear. There is no option to reboot biometric information and no way to stop the proliferation of sensitive information online. It is likely that Aadhaar users who have their data stolen will be plagued for years by identity fraud, mistaken authentication and difficult to navigate bureaucracies because of an identification system they never asked for and were promised was secure. The UIDAI has so far made no alternative authentication methods for compromised users and has no ideas about how to proceed after information has been stolen. In a project that affects how millions lead their lives, this is a startling oversight.

More worryingly, steps that could be taken to address security issues raise privacy concerns instead. In February, Delhi police opened an investigation into three organisations accused by the UIDAI of attempting unauthorised authentication and impersonation – a crime that can result in a three year jail sentence. The UIDAI discovered the irregularities by noting a number of identical consecutive transactions which would have not been possible without storing biometric data.  While it seems sensible for the UIDAI to monitor certain aspects of the authentication process, the investigation has highlighted that the public body is already able to see where and when users authenticate – a remarkable amount of information for a government to hold on its citizens. Further steps to tackle fraud such as geolocation authentication or user behaviour analytics also place a huge surveillance apparatus in the hands of a body which so far has faced little regulatory scrutiny.   

 

Just a 12 Digit Lie Detector?

 

Although it is easy to be critical of Aadhaar, it is worth remembering how impressive a project it is and the good work it may do for the most vulnerable. Identity is frequently a barrier to accessing government services and alleviating poverty, and similar schemes are being undertaken by the World Bank and the GSMA. In a country where 25% of children didn’t have any identity in 2012, it is a noble aim to register as citizens as possible.

Time will be the truest judge of how successful Aadhaar has been. It may be that as biometric technology improves and the system manages to iron out early mistakes, that concerns over Aadhaar’s security and privacy will seem overly cautious and misplaced. But UIDAI does itself no favours by building a system that relies on the assumption that their database can ever be fully secure.

Most importantly, Aadhaar provides no clear answers to the immutability issue of biometric authentication. Though this may only affect a small number of users at present, if there is ever a large scale data leak of Aadhaar users’ biometric information then it is hard to see how the system could possibly continue to act as a reasonable verifier of identity. Biometric identification will always have its use cases, but the main lesson of Aadhaar appears to be that it is not yet ready for mass-authentication.