Finger, Iris & Now Face: Your Qs on Aadhaar’s New Rule Answered

UIDAI is rolling out face recognition for authenticating users. What does it mean and should we be worried?

Sushovan Sircar

Our faces will now be a second layer of authentication for Aadhaar eKYCs. (Photo: Erum Gour/The Quint)

The UIDAI will roll out facial recognition on 15 September to authenticate users. This technology, to be used in combination with existing biometric authentications, is being implemented in a phased manner, starting with telecom service providers.

The rollout comes amidst regular reports of Aadhaar leaks, hacks and fraud; and at a time when the Supreme Court is expected to deliver its judgment on the Constitutional validity of the Aadhaar project itself.

Why does UIDAI want to click my face?

UIDAI has decided to enable face authentication to act as an additional way of verifying a user. This will happen alongside the existing fingerprint/iris-based authentication. Simply put, UIDAI already has our photographs in its central identities repository. By taking a photograph during eKYC, it can match the photograph with the existing one it has in its database in order to authenticate the user. This will start with telecom companies that provide SIM cards to users.

But I’ve already given away my fingerprints and iris...?

True, but UIDAI has said it wants to enable face authentication to act as a second layer of confirming one’s identity in the event that one’s fingerprints don’t match. There have been many cases where a user’s fingerprint has worn off and led to Aadhaar authentication failures. A UIDAI circular mentions that face recognition “shall be allowed ONLY in fusion mode along with one more authentication factor.” It has to be combined with either the iris, fingerprint or OTP in order to authenticate a user.

Will this apply to all Aadhaar authentications?

No, not yet. UIDAI is going for a phased rollout. This means they are starting this new system with telecom service providers. Other entities that use Aadhaar-based authentication and eKYC will be implementing it later. The primary reason for this truncated introduction is that not all Authentication User Agencies (AUA) are ready with the devices needed for face recognition.

Along with fingerprint and iris, face recognition is also categorised as biometric information.

Apple face ID got broken into. Can UIDAI assure me better security?

BKAV, a Vietnamese security firm, claimed to have broken Apple’s Face ID authentication within a week of the launch of the iPhone X on 3 November 2017. This assumed greater significance given that Apple employed far more sophisticated technology and captured 3D images of faces using infrared emitters.

UIDAI, in comparison, will be taking 2D images. This will be far easier to spoof or manipulate.

What about my consent for face mapping?

Great question. UIDAI assumes our consent in this case. The mandatory nature of face recognition is cause for concern. UIDAI does away with choice for users and makes them more vulnerable by making this mandatory.

A rather baffling aspect of mandating face recognition for telecom services is that the method was meant as a failsafe if the traditional method of fingerprint scanning fails.

If the first form of authentication, i.e. fingerprint, successfully goes through, why is one required to also authenticate oneself through face recognition?

Should I be worried about potential surveillance?

Even though UIDAI appeared before the Supreme Court and submitted that Aadhaar cannot be used for surveillance, evidence suggests otherwise. 360-degree databases of citizens through Know Your Resident (KYR+) data in State Resident Data Hubs have repeatedly been flagged for potential surveillance concerns.

Moreover, by mandating face recognition each time a user has to authenticate herself, the UIDAI will have access to regularly updated images in its database.

Confirming shots taken on each attempt at facial authentication poses a definite concern for surveillance possibilities.

Images also qualify as biometric information, and the Aadhaar Act states that biometric data cannot be used for anything else apart from authentication. However, given that telcos are required to store the images at the back end, they could be misused if compromised.

Is face recognition a better alternative to fingerprint and iris scan?

This is yet another area of concern. The pictures present on Aadhaar cards are not of good enough quality for face recognition to function accurately. For many, the pictures in the UIDAI database are several years old and may not match current facial features.

Children are more likely to encounter authentication failures if their faces have developed since getting clicked by UIDAI. There is a chance their photographs may be outdated. Add to this the fact that many pictures have been taken in poorly lit conditions that are not conducive to identification, and this is an authentication method with just as much chance of authentication failure as a fingerprint.