The Aadhaar authentication has been carried out with biometrics like fingerprints and iris scans, apart from OTP based authentication, and now, it's getting a new way of using biometrics - face authentication. In a circular dated January 15, the Unique Identification Authority of India (UIDAI) sent out information about the implementation of face authentication, and UIDAI CEO Dr. Ajay Bhushan Pandey also tweeted about it. The reasoning for this is explained as making the Aadhaar more accessible for people who can't, for any reason, use fingerprints or iris authentication. "Some residents face difficulty in successfully using biometric authentication using one of the modalities," the circular reads. "While residents can use either fingerprint or iris authentication when both devices are available, many AUAs [Authentication User Agencies] have not yet deployed both types of devices for their use."
In many places, the Aadhaar authentication is being carried out with fingerprint readers, which has caused problems in a number of cases, for example with the elderly and manual labourers finding their fingerprints not properly readable. To get around this, the UIDAI says it can use the photo captured at the time of enrolment for identity verification. "While Aadhaar Authentication API had the technical provision for sending photo of the face, this option is currently not enabled within CIDR [Central Identities Database Repository]," the circular states. "Since face photo is already available in UIDAI database, there is no need to capture any new reference data at UIDAI CIDR." This means that the data already captured serves the purpose, and the checks are also going to pose no problem, the UIDAI circular states, because "Camera is now pervasively available on laptops and mobiles making the face capture easily feasible for AUAs without needing any additional hardware." According to the circular, Face Authentication as an additional modality to be used in fusion mode will be available by July 1.
"Face authentication with liveness detection can be used as an additional factor to increase security," it adds. In other words, face recognition is not being considered secure enough by itself - "Face Authentication shall be allowed ONLY in fusion mode, along with one more authentication factor. This means Face Authentication must be combined with either fingerprint, or iris, or OTP to be able to successfully authenticate an Aadhaar number holder."
The circular doesn't talk about whether the UIDAI is developing the photo authentication technology in-house or sourcing it from anywhere. It states: "UIDAI will provide Software Development Kits (SDKs) / Registered Device (RD) services in various operating systems which will have the ability to capture face image, check liveness, and create digital signed and encrypted authentication input as required."
The UIDAI will start sharing these kids, and holding workshops and training sessions, starting with the sharing of "necessary details" from March 1 - and as mentioned above, the actual deployment is supposed to start by July 1.
Some experts are already expressing concerns with the decision to use face recognition, saying it has been circumvented through fairly simple tricks including just using a photograph of the person.
"Although adding an extra layer of security for Aadhar card holders seems to be a good initiative, adding facial recognition might not do much good as not only it isn’t too difficult to replicate as compared to other biometrics," says Ankush Johar, Director, Infosec Ventures, a company that provides infrastructure security solutions for commercial and government clients. “But also the major problem lies in the source of the images used as the authentication mechanism. The photographs captured nearly half a decade back with an extremely low resolution camera stands hardly any chance given that hackers were able to bypass even the 3D face model recognition developed by one of the biggest tech pioneers."
A tender by the Madhya Pradesh government shows that Aadhaar photos were taken using webcams of "2-megapixels or better", or tablets of "5-megapixels or better". These low resolution images, which would also be very outdated by now, make for a poor choice, adds Johar.