As per the Aadhaar Act 2016, a requesting entity means an agency or a person that submits the Aadhaar number and demographic information or biometric information of an individual to the Central Identities Data Repository (CIDR) for authentication.
An Authentication User Agency (AUA) is an entity engaged in providing Aadhaar Enabled Services to Aadhaar number holders, using the authentication facilitated by an Authentication Service Agency (ASA). An AUA may be a government, public or private legal agency registered in India that uses the Aadhaar authentication services of UIDAI and sends authentication requests to enable its services or business functions.
Sub AUAs are agencies that use Aadhaar authentication to enable their services through an existing requesting entity.
A requesting entity (such as an AUA or KUA) connects to the CIDR through an ASA (either by becoming an ASA on its own or by contracting the services of an existing ASA).
Appointment of Requesting Entities (Authentication User Agency & e-KYC User Agency)
- Agencies seeking to become requesting entities to use the authentication facility provided by the Authority shall apply for appointment as requesting entities in accordance with the procedure as may be specified by the Authority for this purpose. Only those entities that fulfill the criteria laid down in Schedule A are eligible to apply. The Authority may by order, amend Schedule A from time to time so as to modify the eligibility criteria.
- The Authority may require the applicant to furnish further information or clarifications, regarding matters relevant to the activity of such a requesting entity, as the case may be, which may otherwise be considered necessary by the Authority, to consider and dispose of the application.
- The applicant shall furnish such information and clarification to the satisfaction of the Authority, within the time as may be specified in this regard by the Authority.
- While considering the application, the information furnished by the applicant and its eligibility, the Authority may verify the information through physical verification of documents, infrastructure, and technological support which the applicant is required to have.
- After verification of the application, documents, information furnished by the applicant and its eligibility, the Authority may:
a. approve the application for requesting entity, as the case may be; and
b. enter into appropriate agreements with the entity or agency incorporating the terms and conditions for use by requesting entities of the Authority's authentication facility, including damages and disincentives for non-performance of obligations.
- The Authority may from time to time, determine the fees and charges payable by entities during their appointment, including application fees, annual subscription fees and fees for individual authentication transactions.
Key AUA Responsibilities
- Choose an appropriate authentication type based on business and deployment risk assessment; inform UIDAI regarding the same.
- Ensure compliance of authentication related operations (processes, technology, security, etc.) with UIDAI's standards and specifications as specified in the AUA Handbook.
- Obtain informed consent from the Aadhaar number holder by intimating the purpose of authentication and any information relating to the sharing of his/her data, in accordance with the Aadhaar Act 2016.
- Prepare authentication packet as per latest Authentication API specifications.
- Log and maintain details of all authentication transactions as per the provisions of the Aadhaar Act 2016.
- Where Aadhaar biometric authentication is used, implement the Best Finger Detection (BFD) application to on-board Aadhaar number holders for biometric authentication.
- Identify exception-handling and back-up identity authentication mechanisms, as recommended by UIDAI through the AUA Handbook.
- Deploy a fraud monitoring mechanism, as per the AUA's business needs, to prevent misuse of the exception handling mechanism by operators and any other ecosystem members, as mandated through Chapter VI of the Aadhaar Act 2016.
- Get its operations and systems related to Aadhaar Authentication audited as per UIDAI's specifications specified in the AUA Handbook and in accordance with the provisions of the Aadhaar Act 2016.
- Ensure connectivity from authentication devices to the AUA server and between the AUA server and the ASA server.
- Procure, deploy and manage certified biometric devices in compliance with UIDAI's latest biometric device specifications.
- Ensure adequate training for the personnel managing authentication devices and raise awareness of compliance aspects relating to protection of Aadhaar number holder information, penalties associated with unauthorized usage, misuse of data, etc., as specified in Chapter VI and Chapter VII of the Aadhaar Act 2016 and the Aadhaar Authentication Regulations 2016.
- Inform UIDAI of the engagement/ disengagement of Sub AUAs.
- Ensure supported Sub AUAs comply with UIDAI's standards and specifications.
- Inform UIDAI of any misuse of Aadhaar data or authentication services, or any compromise of Aadhaar related data or systems, and ensure compliance with the Aadhaar Act 2016.
Mandatory Security Requirements
- The Aadhaar number should never be used as a domain specific identifier.
- In the case of operator assisted devices, operators should be authenticated using mechanisms such as password, Aadhaar authentication, etc.
- Personal Identity Data (PID) block captured for Aadhaar authentication should be encrypted during capture and should never be sent in the clear over a network.
- The encrypted PID block should not be stored unless it is for buffered authentication for a short period, currently configured as 24 hours.
- Biometric and OTP data captured for the purposes of Aadhaar authentication should not be stored on any permanent storage or database.
- The metadata and the responses should be logged for audit purposes.
- Network between AUA and ASA should be secure.
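The requirements above translate into a few concrete handling rules on the requesting entity's side: business records and audit logs carry a reference key rather than the Aadhaar number, the audit log keeps metadata and the response but never the PID block, biometric or OTP, and an encrypted PID block held for buffered authentication is dropped after the configured 24 hours. The following is an added illustration of those rules and is not UIDAI's API or any AUA's software; the transaction layout, the random reference-key vault, the field names and the sample values are all assumptions made for the example.

```python
"""Added example: handling an authentication transaction at a requesting entity
so that the Aadhaar number, PID block, biometrics and OTP never reach permanent
storage or logs. Assumed design, not a UIDAI specification."""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Page: encrypted PID may be buffered only for a short period, currently 24 hours.
BUFFER_TTL = timedelta(hours=24)


@dataclass
class AuthTransaction:
    txn_id: str
    aadhaar_number: str                 # never used as the domain identifier
    auth_type: str                      # assumed label, e.g. "OTP" or "BIO"
    encrypted_pid: bytes                # PID block, encrypted at capture (opaque here)
    otp: Optional[str] = None           # transient; never persisted
    biometric: Optional[bytes] = None   # transient; never persisted
    response_code: str = ""             # response from the ASA/CIDR, logged for audit
    response_ts: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


class ReferenceKeyVault:
    """Maps an Aadhaar number to a random reference key. Only the key is used
    as the domain identifier in business systems and audit logs (assumed design)."""

    def __init__(self) -> None:
        self._by_number: Dict[str, str] = {}

    def reference_key(self, aadhaar_number: str) -> str:
        if aadhaar_number not in self._by_number:
            self._by_number[aadhaar_number] = secrets.token_hex(16)
        return self._by_number[aadhaar_number]


# Fields that must never appear in an audit record.
SENSITIVE_FIELDS = ("aadhaar_number", "encrypted_pid", "otp", "biometric")


def audit_record(txn: AuthTransaction, vault: ReferenceKeyVault) -> dict:
    """Build the audit-log entry: metadata and response only."""
    record = {
        "txn_id": txn.txn_id,
        "aadhaar_ref": vault.reference_key(txn.aadhaar_number),
        "auth_type": txn.auth_type,
        "response_code": txn.response_code,
        "response_ts": txn.response_ts.isoformat(),
    }
    # Defensive check so a later field addition cannot silently leak PID data.
    leaked = [name for name in SENSITIVE_FIELDS if name in record]
    if leaked:
        raise ValueError("sensitive fields in audit record: %s" % leaked)
    return record


class BufferedPidStore:
    """Short-lived store for encrypted PID blocks awaiting buffered
    authentication. Entries expire after BUFFER_TTL and are discarded."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[bytes, datetime]] = {}

    def put(self, txn_id: str, encrypted_pid: bytes, now: datetime) -> None:
        self._entries[txn_id] = (encrypted_pid, now + BUFFER_TTL)

    def get(self, txn_id: str, now: datetime) -> Optional[bytes]:
        entry = self._entries.get(txn_id)
        if entry is None:
            return None
        pid, expires = entry
        if now >= expires:
            del self._entries[txn_id]   # expired: drop it rather than return it
            return None
        return pid

    def purge(self, now: datetime) -> int:
        """Remove every expired entry; returns how many were dropped."""
        expired = [k for k, (_, exp) in self._entries.items() if now >= exp]
        for k in expired:
            del self._entries[k]
        return len(expired)


def run_demo() -> dict:
    """Walk one constructed OTP transaction through the rules above."""
    vault = ReferenceKeyVault()
    txn = AuthTransaction(txn_id="TXN-0001", aadhaar_number="000000000000",  # constructed
                          auth_type="OTP", encrypted_pid=b"\x01\x02\x03",
                          otp="123456", response_code="Y")
    record = audit_record(txn, vault)
    store = BufferedPidStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.put(txn.txn_id, txn.encrypted_pid, t0)
    return {
        "record": record,
        "before_ttl": store.get(txn.txn_id, t0 + timedelta(hours=23)),
        "after_ttl": store.get(txn.txn_id, t0 + timedelta(hours=24)),
        "purged_after_get": store.purge(t0 + timedelta(hours=25)),
        "ref_is_stable": vault.reference_key(txn.aadhaar_number) == record["aadhaar_ref"],
    }


if __name__ == "__main__":
    print(run_demo())
```

The reference key is a random token rather than a hash of the Aadhaar number so that a leaked business database cannot be reversed or correlated by recomputing hashes; the vault holding the mapping is the only component that needs the Aadhaar number and is the one to protect and audit accordingly.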
Requesting Entities (AUA/KUA) Responsibilities and Data Security
For the responsibilities and data security obligations of requesting entities (AUA/KUA), refer to the Aadhaar Act, 2016 and its regulations.