Aadhaar (Authentication and Offline Verification) Regulations, 2021 · II — Aadhaar Authentication Framework

Regulation 8 Devices, client applications, etc. used in authentication

(1) All devices and equipment used for authentication shall be certified as required and as per the specifications issued, by the Authority from time to time for this purpose.

(2) The client applications, i.e. software used by the requesting entity for the purpose of authentication, shall conform to the standard APIs and specifications laid down by the Authority from time to time for this purpose.

Regulation 9 Process for performance of authentication

(1) After collecting the Aadhaar number or any other identifier provided by the requesting entity which is mapped to the Aadhaar number, and the necessary demographic and/or biometric information and/or OTP from the Aadhaar number holder, the client application shall immediately package and encrypt these input parameters into a PID block before any transmission, as per the specifications laid down by the Authority, and shall send it to the server of the requesting entity using secure protocols as may be laid down by the Authority for this purpose.

(2) After validation, the server of a requesting entity shall pass the authentication request to the CIDR, through the server of the Authentication Service Agency, as per the specifications laid down by the Authority. The authentication request shall be digitally signed by the requesting entity and/or by the Authentication Service Agency, as per the mutual agreement between them.

[(3) Based on the mode of authentication request, after the input parameters have been matched against the information of the Aadhaar number available in the CIDR and the CIDR has verified the correctness or lack thereof, the Authority shall return a digitally signed Yes or No response, or a digitally signed e-KYC response with encrypted e-KYC data, as the case may be, along with related technical details.

(3A) Where the requesting entity has entered into a Memorandum of Understanding or agreement with the Authority for the performance of authentication with update of status regarding whether an Aadhaar number previously submitted has been subsequently omitted or deactivated or re-activated, in the event of such Aadhaar number being omitted or deactivated or such a deactivated Aadhaar number being re-activated, the Authority shall send a subsequent digitally signed appropriate response, along with related technical details.]

(4) In all modes of authentication, the Aadhaar number is mandatory and is submitted along with the input parameters specified in sub-regulation (1) above such that authentication is always reduced to a 1:1 match.

(5) A requesting entity shall ensure that encryption of PID Block takes place at the time of capture on the authentication device as per the processes and specifications laid down by the Authority.