Prof. Jayanth R. Varma’s Financial Markets Blog

A blog on financial markets and their regulation

Why Aadhaar transaction authentication is like signing a blank paper

Using Aadhaar (India’s biometric authentication system) to verify a person’s identity is relatively secure, but using it to authenticate a transaction is extremely problematic. Every other form of authentication is bound to a specific transaction: I sign a document, I put my thumb impression to a document, I digitally sign a document (or message as the cryptographers prefer to call it). In Aadhaar, I put my thumb (or other finger) on a finger print reading device, and not on the document that I am authenticating. How can anybody establish what I intended to authenticate, and what the service provider intended me to authenticate? Aadhaar authentication ignores the fundamental tenet of authentication that a transaction authentication must be inseparably bound to the document or transaction that it is authenticating. Therefore using Aadhaar to authenticate a transaction is like signing a blank sheet of paper on which the other party can write whatever it wants.

All this was brought home to me when I bought a new SIM card recently and was asked to authenticate myself with a finger print. The employee of the telecom company told me that there was a problem and I needed to try again. Being a little suspicious, I stretched forward and twisted my neck to peep at the computer screen in front of the employee (this screen would otherwise not have been visible to me). My suspicion was allayed on seeing an error message on the screen and I tried again only to get the same error message. After three attempts, the employee suggested that I come again the next day. Back home, I saw three emails from UIDAI (Unique Identification Authority of India) stating “Your Aadhaar number ___ was used successfully to carry out e-KYC Authentication using ‘Fingerprint’ on ___ at ___ Hrs at a device deployed by ___.” Note the word successfully.

That is when I realized that the error message that I saw on the employee’s screen was not coming from the Aadhaar system, but from the telecom company’s software. That is a huge problem. This conclusion was corroborated the next day when after one more error message, I found that the employee had left one field in the form partially filled and the error message disappeared when that was corrected.

Let us think about why this is a HUGE problem. Very few people would bother to go through the bodily contortion required to read a screen whose back is turned towards them. An unscrupulous employee could simply get me to authenticate the finger print once again though there was no error and use the second authentication to allot a second SIM card in my name. He could then give me the first SIM card and had over the second SIM to a terrorist. When that terrorist is finally caught, the SIM that he was using would be traced back to me and my life would be utterly and completely ruined.

Actually, even my precaution of trying to read the employee’s screen is completely pointless. The screen is not an inseparable part of the finger print reader. On the contrary. the fingerprint reader is attached by a flimsy cable to a computer (which is out of view) and the screen is purportedly attached to the same computer. It is very easy to attach the fingerprint reader to one computer (from which a malicious transaction is carried out) and attach the screen on the counter to another computer which displays the information that I expect to see.

Another way of looking at the same thing is that a rogue employee of the telecom company could effortlessly execute what is known in computer security as an MitM (Man in the Middle) attack on the communication between me and the Aadhaar system. In fact, I see some analogies between the problem that I am discussing and the MitM attack described by Nethanel Gelerntor, Senia Kalma, Bar Magnezi, and Hen Porcilan in their recent paper (h/t Bruce Schneier). Neither I nor the Aadhaar system has any way of detecting or foiling this MitM attack.

I think the whole model is fundamentally broken, and Aadhaar should be used only to verify identities, and not to authenticate transactions. Transaction authentication must happen with a thumb impression, a physical signature, a digital signature or something similar that is inseparably bound to a document.


10 responses to “Why Aadhaar transaction authentication is like signing a blank paper

  1. whitetiger45 July 19, 2017 at 10:12 pm

    A rather funny experience, but which could have serious repercussions. We can admit that this is one very serious loophole. We can also say that the System is concerning itself with the software part of the Aadhar and is not considering serious problems which could arise at the human hardware interaction.

  2. Saket S July 20, 2017 at 6:05 pm

    When you mentioned the word transaction ,first thing came to my mind was financial transactions (unlike SIM card example you have shared above). I was going to point that credit/card POS swiping mechanism is not better than Aadhasr/thumb print based mechanism but found that you are already sceptical about card based transactions as well 🙂

  3. Jitesh July 24, 2017 at 10:34 am

    Aadhar based authentication is only to verify a person’s identity and nothing else. It is not a substitute for signature. It seems to be a safe and hassle-free way of doing kyc. For further details:

    However, to authenticate a transaction using aadhar, one needs e-sign. This can be considered as a substitute for signature. This also seems to contain sufficient safeguards against misuse. For further details:

    • Jayanth Varma July 26, 2017 at 4:26 pm

      It is a myth that Aadhar is not used as a substitute for a signature. Transaction authentication using Aadhar is quite common though Aadhar might not have been intended to be used like this. This is the month of July and many of us are e-verifying our income tax returns using Aadhar. The other alternatives offered by the Government of India are (a) courier the form with physical signature and (b) use a digital signature. So Aadhar is accepted by the GOI itself as equivalent to a physical or digital signature.

      • Ketan Mehta July 31, 2017 at 11:35 pm

        I did not understand your last point, what is the need for authentication unless it is followed by a transaction to provide product, service or information

  4. Pingback: The fault lines of Aadhaar Mapper in digital payments #mustshare | Kractivism

  5. Aadhar Card January 2, 2018 at 3:07 pm

    Now Aadhar linking with all services is extended till 31 March 2018

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: