In addition to the disturbing news that Aadhaar-based biometric authentication for government services fails 12% of the time, the documents submitted by UIDAI CEO Ajay Bhushan Pandey to the Supreme Court of India include another revelation that seems counter-productive for the authority — that nearly one out of five attempts to authenticate Pandey’s own Aadhaar details has failed.
Pandey made a presentation to the apex court on 22 and 27 March 2018, to try and demonstrate to the judges how safe the Aadhaar technological framework is. As part of his presentation, he submitted a set of supporting documents, including a record of all attempts to authenticate his own Aadhaar from 1 November 2017 till 20 March 2018.
Twenty-six authentication attempts were logged with the UIDAI during this time period: one from a telecom company, eight from two different banks, and the remaining 17 relating to UIDAI EKYC, internal monitoring, and services. Five of these attempts resulted in failure, which amounts to 19.2% of all attempts during this period.
Only One Biometric Authentication Attempt
Interestingly, of these 26 attempts, only one was made using the biometric authentication mode (which has been trumpeted as the flagship feature of Aadhaar by Pandey). This request, from a private sector bank, resulted in failure with error code 330. According to the UIDAI’s website, the description for this error code is “Biometrics locked by Aadhaar holder.”
The irony of the UIDAI CEO locking his own biometrics – which means they cannot be used for Aadhaar authentication – will not be lost on anyone. The petitioners challenging the constitutionality of Aadhaar have raised many concerns about the biometric aspect of Aadhaar, both in terms of its violation of privacy, as well as the risk of exclusion from benefits as a result of biometric mismatch. This risk, they claim, will only increase as more and more biometric details are added to the system and authentication attempts made, since this increases the chance of false positive results during verification.
The UIDAI claims that this isn’t an issue since alternative forms of authentication or verification can be used instead, and that the biometric authentication success rate has been improving for banks (it is 95.1% for 2017 and 2018). Pandey did not attempt to use an alternative mode of authentication for whatever transaction he was attempting to do there, and no other authentication requests were made by that bank.
OTP Mode Also Fails Four Times
The other four failures all took place on the same day, in relation to authentication requests from the other private sector bank. This means that five out of eight attempts to authenticate Pandey’s Aadhaar details for banking transactions/KYC failed. This is obviously a far cry from the UIDAI figures.
These attempts were made using the OTP mode (used for 25 of the 26 attempts). All seven authentication requests from this bank were made in the space of 1 minute 51 seconds. Three attempts were successful, four unsuccessful with error code 400. The description for this error code is “OTP validation failed”.
The probable reason specified by the UIDAI for this is that an incorrect OTP value was entered. There’s a bit of irony in this as well, since during his presentation the UIDAI CEO had blamed the lack of debit card usage in the country on the inability of the poor and illiterate to understand how to use PINs.
It would also seem strange for this to be the reason for the failures since there are multiple failed attempts in such a small space of time (and some successful ones). Regardless, it is clear that even alternative forms of Aadhaar authentication are not foolproof.
This is hardly going to increase people’s confidence in the reliability of the system, and the likelihood that its usage will not lead to exclusions.