Friday, May 19, 2017

More on eKYC - an obvious, direct verification mechanism

The earlier post raises an important question: Is there an easier way to perform eKYC without becoming a KUA? 

The answer to that question is thankfully a "YES". But before we get to that, let us first ask: what exactly is eKYC?

I find it useful to view the UIDAI database as comprising the following groups of information:

1) The Aadhaar number (a unique number for every user)
2) Personal Information of the holder - such as full name, address, gender, date of birth, etc.
3) Biometric Information of the holder - such as fingerprints, iris scan, photograph, etc.
4) Ownership Information of the holder such as Email Address, Phone number, etc.

Performing an eKYC involves ascertaining the following two separate facts, subject to consent of the concerned individual:

A) Ascertaining that the Personal Information & Ownership Information being presented by the holder of an Aadhaar number matches the Personal Information & Ownership Information stored in the UIDAI database against that Aadhaar number.
This is achieved by obtaining the Personal and Ownership Information from UIDAI in an authenticated manner.

B) Ascertaining that the individual presenting the Aadhaar number is who he / she claims to be, i.e., the genuine holder of that Aadhaar number.
This can be achieved in one of two ways. The Biometric-way relies on the assumption that if the individual is able to present biometric (fingerprint / iris) information that matches the Biometric Information stored in the UIDAI database, the individual is who he/she claims to be. The OTP-way relies on the assumption that if the individual can demonstrate ownership of the listed Phone number and Email Address (2 Factor Authentication), the individual is who he/she claims to be.

In the KUA approach, usually the biometric information of the individual is captured and sent to UIDAI along with the presented Aadhaar number. In return, UIDAI sends back the Personal Information stored in its database against this Aadhaar number.

This KUA approach helps ascertain both A) and B) above. A) is ascertained because the information is provided by UIDAI directly from its own database, and B) is ascertained because the individual's biometric is matched with that in the UIDAI database.

Consent is obtained via acceptance of "terms of service", as well as the assumption that the person willingly provided his biometrics.

Following the KUA approach imposes significant contractual obligations, including IT maintenance and audit costs. Thankfully, there also exists an easier way to ascertain A) and B), while ensuring individual consent.

This alternative method is the direct electronic equivalent of an individual submitting his/her own self-attested paper-based identification documents - something we have been doing for decades for KYC. It requires an individual simply to submit his/her self-attested eAadhaar document.

The Personal Information of the individual is present in the eAadhaar document that can be freely downloaded from the UIDAI website by any individual. This eAadhaar document is digitally signed by UIDAI. The Personal Information contained in this digitally signed document is therefore authentic, and satisfies the requirement of A) above.

What remains to be ascertained is B), i.e., that the individual concerned is the genuine owner of that particular Aadhaar number. This can be done by getting the individual to self-attest (digitally sign) the eAadhaar document being submitted. The signature process outlined by UIDAI implicitly ascertains that the person signing is the genuine owner of that Aadhaar number. Further, the receiver can do additional verification by checking the photograph on the eAadhaar document against the individual. Consent is ensured by making it a part of the self-attestation process.

In this alternative mechanism of eKYC, the UIDAI-signed eAadhaar document (including photo) is submitted by the individual Aadhaar holder directly to the recipient. It therefore represents a clear and direct method to perform eKYC. There is no need to go through AUA / KUA approval processes, and one can get started immediately.
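The two checks A) and B) described above, written out as a recipient-side verification routine. This is an added example and not code from this blog or from UIDAI: it models the issuer-signed document and the holder's self-attestation with Ed25519 detached signatures over a constructed JSON layout, whereas the real eAadhaar is a PDF carrying an X.509-based signature. The document fields, the placeholder Aadhaar number and the consent string are all constructed, and the example assumes the holder's public key has already been bound to the Aadhaar number by the UIDAI signing process (that binding is what makes step B meaningful, and it is outside this example).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Document models the Personal Information fields carried by an eAadhaar.
// The layout is constructed for this example; the real eAadhaar is a signed PDF.
type Document struct {
	AadhaarNumber string `json:"aadhaar_number"` // placeholder, never a real number
	Name          string `json:"name"`
	DateOfBirth   string `json:"date_of_birth"`
	Address       string `json:"address"`
	PhotoSHA256   string `json:"photo_sha256"` // hash of the embedded photograph
}

// SignedDocument is what the holder downloads: the document plus the
// issuer's (modelled UIDAI) signature over its canonical encoding.
type SignedDocument struct {
	Doc       Document
	IssuerSig []byte
}

// SelfAttestation is the holder's submission: the issuer-signed document,
// an explicit consent statement, and the holder's signature over both.
type SelfAttestation struct {
	Signed    SignedDocument
	Consent   string
	HolderSig []byte
}

var (
	ErrIssuerSig = errors.New("step A failed: issuer signature does not verify")
	ErrConsent   = errors.New("step B failed: consent statement is empty")
	ErrHolderSig = errors.New("step B failed: holder self-attestation does not verify")
)

// canonical gives a deterministic byte encoding of the document fields;
// encoding/json emits struct fields in declaration order, so this is stable.
func canonical(d Document) []byte {
	b, err := json.Marshal(d)
	if err != nil {
		panic(err) // cannot happen for this plain struct
	}
	return b
}

// frame length-prefixes each part so the concatenation is unambiguous.
func frame(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(p)))
		out = append(append(out, n[:]...), p...)
	}
	return out
}

// IssuerSign models UIDAI signing the eAadhaar document (step A's evidence).
func IssuerSign(issuerPriv ed25519.PrivateKey, d Document) SignedDocument {
	return SignedDocument{Doc: d, IssuerSig: ed25519.Sign(issuerPriv, canonical(d))}
}

// attestationMessage binds the holder's signature to the exact issuer-signed
// document and to the consent text, so neither can be swapped afterwards.
func attestationMessage(sd SignedDocument, consent string) []byte {
	return frame(canonical(sd.Doc), sd.IssuerSig, []byte(consent))
}

// HolderAttest models the holder self-attesting the downloaded document (step B).
func HolderAttest(holderPriv ed25519.PrivateKey, sd SignedDocument, consent string) SelfAttestation {
	sig := ed25519.Sign(holderPriv, attestationMessage(sd, consent))
	return SelfAttestation{Signed: sd, Consent: consent, HolderSig: sig}
}

// VerifyEKYC is the recipient's check: step A (issuer signature over the
// Personal Information) and then step B (consent present, holder signature
// over document and consent). holderPub is assumed already bound to the
// Aadhaar number by the UIDAI signing process.
func VerifyEKYC(issuerPub, holderPub ed25519.PublicKey, a SelfAttestation) error {
	if !ed25519.Verify(issuerPub, canonical(a.Signed.Doc), a.Signed.IssuerSig) {
		return ErrIssuerSig
	}
	if a.Consent == "" {
		return ErrConsent
	}
	if !ed25519.Verify(holderPub, attestationMessage(a.Signed, a.Consent), a.HolderSig) {
		return ErrHolderSig
	}
	return nil
}

func main() {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	doc := Document{AadhaarNumber: "XXXX-XXXX-XXXX", Name: "A. Holder", DateOfBirth: "1990-01-01",
		Address: "Sample Street 1", PhotoSHA256: "constructed-photo-hash"} // constructed sample
	att := HolderAttest(holderPriv, IssuerSign(issuerPriv, doc), "I consent to KYC use of this document")
	fmt.Println("genuine submission:", VerifyEKYC(issuerPub, holderPub, att))
	tampered := att
	tampered.Signed.Doc.Name = "Someone Else" // personal information altered after issuance
	fmt.Println("altered document:", VerifyEKYC(issuerPub, holderPub, tampered))
	stripped := att
	stripped.Consent = "" // consent removed after the holder signed
	fmt.Println("stripped consent:", VerifyEKYC(issuerPub, holderPub, stripped))
}
```

The order matters: the issuer signature is checked first, so a document whose Personal Information was edited after download is rejected before any trust is placed in the holder's signature, and the holder's signature covers the issuer signature bytes as well as the consent text, so a genuine UIDAI-signed document cannot be re-attached to a different consent statement or a different self-attestation. The photograph comparison the post mentions remains a manual step on top of this.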

Needless to say, care must be taken to securely maintain all eAadhaar documents submitted by users.
